Implementing user authorization with Shiro

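  1. Add the authorization rules to the getShiroFilterFactoryBean method in ShiroConfig

    // Authorization: normally, a request without the required permission is redirected to the unauthorized page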
    filterMap.put("/user/add","perms[user:add]");
    filterMap.put("/user/update","perms[user:update]");
    
  2. Add the unauthorized page to the controller

    @RequestMapping("/noauto")
    @ResponseBody
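    public String unauthorized() {
        // Message shown when the user lacks the required permission
        // ("Not authorized; this page cannot be accessed")
        return "未经授权,无法访问此页面";
    }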
    
  3. In the getShiroFilterFactoryBean method of ShiroConfig, add

    // Unauthorized page
    bean.setUnauthorizedUrl("/noauto");
    
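  4. Changes to the UserRealm class

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    // plus the project's own User and UserService classes

    // Custom UserRealm
    public class UserRealm extends AuthorizingRealm {
    
        @Autowired
        UserService userService;

        // Authorization
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            // Logs that the authorization callback ran
            System.out.println("执行了=>授权doGetAuthorizationInfo");
    
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    
            // Get the User object that doGetAuthenticationInfo stored as the principal.
            // Using the principals Shiro passes in keeps the lookup tied to the
            // identity being checked rather than to the thread-bound Subject.
            User currentUser = (User) principalCollection.getPrimaryPrincipal();
    
            // Grant the current user's permission; a user with no stored value gets none
            if (currentUser != null && currentUser.getPerms() != null) {
                info.addStringPermission(currentUser.getPerms());
            }
    
            return info;
        }
    
        // Authentication
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            ......
            // Password check is done by Shiro
            return new SimpleAuthenticationInfo(user,user.getPwd(),"");
        }
    }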
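
The realm above turns one stored string into one permission, and the `perms[...]` rules from step 1 are then matched against it. The following added example (not code from the original post) shows how Shiro's default `WildcardPermission` matching decides `/user/add` and `/user/update` for several stored values. The class name, helper names and sample `perms` values are constructed for illustration, and shiro-core is assumed to be on the classpath.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example, not code from the original post. Requires shiro-core.
public class PermsFilterDemo {

    // Mirrors the realm: one stored string becomes one permission.
    static SimpleAuthorizationInfo infoFor(String storedPerms) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (storedPerms != null && !storedPerms.isEmpty()) {
            info.addStringPermission(storedPerms);
        }
        return info;
    }

    // The check behind perms[...]: access is allowed only if some granted
    // permission implies the required one under WildcardPermission rules.
    static boolean permitted(SimpleAuthorizationInfo info, String required) {
        if (info.getStringPermissions() == null) {
            return false; // nothing granted
        }
        Permission needed = new WildcardPermission(required);
        return info.getStringPermissions().stream()
                .anyMatch(granted -> new WildcardPermission(granted).implies(needed));
    }

    public static void main(String[] args) {
        // Constructed sample values for User.getPerms(); not taken from the post.
        String[] samples = {
            "user:add",              // single permission
            "user:add,user:update",  // two permissions naively joined with a comma
            "user:add,update",       // Shiro syntax: one permission, two actions
            "user:*",                // wildcard over all user actions
            null                     // no permission stored
        };
        for (String perms : samples) {
            SimpleAuthorizationInfo info = infoFor(perms);
            System.out.printf("perms=%-22s /user/add=%-5b /user/update=%b%n",
                    perms,
                    permitted(info, "user:add"),
                    permitted(info, "user:update"));
        }
    }
}
```

Because the comma separates sub-parts inside one permission, the joined value `user:add,user:update` is parsed as a single three-part permission and grants neither URL, while `user:add,update` grants both.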
    
posted @ 2024-05-18 16:36  Hanyta