Shiro Authorizer

If/Else authorization

  Role check

Subject currentUser = SecurityUtils.getSubject();

// Boolean check: the result only decides what to render. Nothing is enforced here,
// so the privileged action itself still needs its own assertion or annotation.
if (currentUser.hasRole("administrator")) {
    //show the admin button
} else {
    //don't show the button?  Grey it out?
}

  Role assertion

Subject currentUser = SecurityUtils.getSubject();

//guarantee that the current user is a bank teller and
//therefore allowed to open the account:
//checkRole throws UnauthorizedException (an AuthorizationException) if the role
//is missing, so openBankAccount() is only ever reached by a bank teller.
currentUser.checkRole("bankTeller");
openBankAccount();

  Permission check

    Permission check with a Permission object

Subject subject = SecurityUtils.getSubject();
// DomainPermission(actions, targets) derives the domain part from the class name
// ("domain" for DomainPermission itself, "good" for a subclass named GoodPermission),
// so this object is equivalent to the wildcard string "domain:read:world".
Permission permission = new DomainPermission("read", "world");
if (subject.isPermitted(permission)) {
    //show the button
} else {
    //don't show anything
}

    String-based permission check

Subject subject = SecurityUtils.getSubject();
// The string is parsed into a WildcardPermission by the realm's PermissionResolver.
if (subject.isPermitted("hello:world")) {
    //show the button
} else {
    //don't show anything
}

Permission strings use the colon-delimited format defined by Shiro's default org.apache.shiro.authz.permission.WildcardPermission implementation: parts are separated by ":" (conventionally domain:action:instance), "*" matches any value in a part, "," lists several values within one part, and any trailing parts that are omitted from a granted permission are treated as wildcards. Matching is case-insensitive by default.

Subject subject = SecurityUtils.getSubject();
// Equivalent to isPermitted("hello:world"); the object form lets you reuse a parsed permission.
Permission permission = new WildcardPermission("hello:world");
if (subject.isPermitted(permission)) {
    //show the button
} else {
    //don't show anything
}
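The implication rules of the colon-delimited format are easy to get wrong, and they decide what a granted string actually covers. The following is an added example, not code from the original post, that exercises WildcardPermission.implies() directly (no SecurityManager needed) against the documented rules; the permission strings are constructed for the demo and assume Shiro 1.x (shiro-core) on the classpath.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class WildcardImpliesDemo {

    // True when a permission a realm has granted covers a permission the code requires.
    // This is the same implies() call a realm's AuthorizationInfo runs for isPermitted().
    static boolean covers(String granted, String required) {
        Permission g = new WildcardPermission(granted);
        Permission r = new WildcardPermission(required);
        return g.implies(r);
    }

    // Fails loudly if the observed implication differs from the documented semantics.
    static void check(String granted, String required, boolean expected) {
        boolean actual = covers(granted, required);
        if (actual != expected) {
            throw new IllegalStateException(granted + " implies " + required + " was " + actual);
        }
        System.out.printf("%-26s implies %-26s -> %s%n", granted, required, actual);
    }

    public static void main(String[] args) {
        // Parts are domain:action:instance, separated by ':'; '*' matches a whole part.
        check("hello:world", "hello:world", true);
        check("hello:*", "hello:world", true);
        check("*:world", "hello:world", true);
        check("*", "anything:at:all", true);

        // Omitted trailing parts are implicit wildcards: granting the bare string "hello"
        // grants every action on every instance in that domain. Grant bare domains with care.
        check("hello", "hello:world", true);
        check("hello", "hello:world:42", true);
        check("printer:print", "printer:print:lp7200", true);

        // The reverse never holds: a narrower grant does not cover a broader requirement.
        check("hello:world", "hello", false);
        check("printer:print:lp7200", "printer:print", false);
        check("printer:print:lp7200", "printer:print:epsoncolor", false);

        // Comma-separated values form a set. Any granted member satisfies a single required
        // member, but a requirement that lists several members needs all of them granted.
        check("hello:world,universe", "hello:universe", true);
        check("hello:world,universe", "hello:galaxy", false);
        check("hello:world", "hello:world,universe", false);
        check("hello:world,universe", "hello:world,universe", true);

        // The one-argument constructor is case-insensitive; the two-argument form is not.
        check("HELLO:World", "hello:world", true);
        Permission sensitive = new WildcardPermission("HELLO:World", true);
        if (sensitive.implies(new WildcardPermission("hello:world", true))) {
            throw new IllegalStateException("case-sensitive permissions should not match");
        }
    }
}
```

Run it with shiro-core on the classpath; every check prints its result, and a mismatch with the documented rules throws. The case worth remembering when writing realm data is the third group: a user granted "printer:print" can print on every printer, while a user granted "printer:print:lp7200" cannot satisfy a check for "printer:print".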

   Permission assertion

Subject subject = SecurityUtils.getSubject();
// Throws UnauthorizedException (an AuthorizationException) instead of returning false,
// so code after this line only runs for a Subject that holds the permission.
subject.checkPermission(new WildcardPermission("hello:world"));
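To see the four Subject calls above behave against a real Authorizer, here is an added, self-contained example that is not part of the original post. It bootstraps a DefaultSecurityManager from an in-memory INI realm (the users, passwords, roles and permission strings are constructed for the demo), logs in as each user and runs the role check, role assertion, permission check and permission assertion, failing if any result differs from what the INI grants. It assumes Shiro 1.x (shiro-core) on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AuthorizerDemo {

    // Constructed INI for the example. [users] lines are "username = password, role...",
    // [roles] lines are "role = permission, ...". Plain-text passwords are for the demo only.
    static final String INI =
            "[users]\n" +
            "alice = alice-pw, administrator\n" +
            "bob = bob-pw, bankTeller\n" +
            "[roles]\n" +
            "administrator = *\n" +
            "bankTeller = account:open, hello:world\n";

    static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        // One realm acts as both Authenticator and Authorizer; every hasRole/isPermitted
        // call below is answered from the INI definitions through the Authorizer.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    static void openBankAccount() {
        System.out.println("account opened");
    }

    static void expect(boolean actual, boolean expected, String what) {
        if (actual != expected) {
            throw new IllegalStateException(what + " was " + actual);
        }
        System.out.println(what + " -> " + actual);
    }

    public static void main(String[] args) {
        bootstrap();
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("bob", "bob-pw"));

        // If/else role check: a boolean for UI decisions; nothing is enforced.
        expect(currentUser.hasRole("administrator"), false, "bob hasRole(administrator)");
        expect(currentUser.hasRole("bankTeller"), true, "bob hasRole(bankTeller)");

        // Role assertion: the guard in front of the privileged action. It throws
        // UnauthorizedException rather than returning, so openBankAccount() is unreachable
        // for anyone without the role.
        currentUser.checkRole("bankTeller");
        openBankAccount();

        // Permission checks: the string is parsed into a WildcardPermission, so the
        // string and object forms are equivalent.
        expect(currentUser.isPermitted("hello:world"), true, "bob isPermitted(hello:world)");
        expect(currentUser.isPermitted(new WildcardPermission("hello:world")), true, "bob isPermitted(WildcardPermission)");
        expect(currentUser.isPermitted("hello:universe"), false, "bob isPermitted(hello:universe)");

        // Permission assertion: a failed check surfaces as UnauthorizedException,
        // a subclass of AuthorizationException, which is what callers should catch.
        try {
            currentUser.checkPermission("hello:universe");
            throw new IllegalStateException("checkPermission should have thrown");
        } catch (UnauthorizedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        currentUser.logout();

        // "*" in the administrator role implies every domain, action and instance,
        // but roles are still checked by exact name.
        currentUser.login(new UsernamePasswordToken("alice", "alice-pw"));
        expect(currentUser.isPermitted("hello:universe"), true, "alice isPermitted(hello:universe)");
        expect(currentUser.hasRole("bankTeller"), false, "alice hasRole(bankTeller)");
        currentUser.logout();
    }
}
```

The static SecurityUtils.setSecurityManager call is fine for a stand-alone program like this one; in a web or Spring application the SecurityManager is bound per request by the Shiro filter or container integration instead. The pattern to copy is the split between hasRole/isPermitted for deciding what to show and checkRole/checkPermission at the point where the privileged operation actually runs.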

Annotation-based authorization

  The @RequiresAuthentication annotation

  The current Subject must have authenticated during the current session (isAuthenticated() == true) to invoke the method; a RememberMe identity is not enough.

@RequiresAuthentication
public void updateGood(Good good) {
    //this method will only be invoked by a
    //Subject that is guaranteed authenticated
}

Equivalent to

public void updateGood(Good good) {
    // The annotation handler throws UnauthenticatedException (an AuthorizationException),
    // not AuthenticationException, when the Subject has not authenticated.
    if (!SecurityUtils.getSubject().isAuthenticated())
        throw new UnauthenticatedException();
}

   The @RequiresGuest annotation

    The current Subject must be a guest: it has no identity at all, neither authenticated nor remembered from a previous session.

@RequiresGuest
public void updateGood(Good good) {
    //this method will only be invoked by a
    //Subject that is unknown/anonymous
}

Equivalent to

public void updateGood(Good good) {
    Subject subject = SecurityUtils.getSubject();
    // A guest has no principals at all: any identity, authenticated or remembered, is rejected.
    PrincipalCollection principalCollection = subject.getPrincipals();
    if (principalCollection != null && !principalCollection.isEmpty())
        throw new UnauthenticatedException();
}

  The @RequiresPermissions annotation

  The current Subject must hold the specified permission(s), given as strings in WildcardPermission format; by default all listed permissions are required.

@RequiresPermissions("hello:world")
public void updateGood(Good good) {
    //equivalent to SecurityUtils.getSubject().checkPermission("hello:world")
    //before the body runs; a failure throws UnauthorizedException
}

  The @RequiresRoles annotation

  The current Subject must hold the specified role(s); by default all listed roles are required.

@RequiresRoles("admin")
public void updateGood(Good good) {
    //equivalent to SecurityUtils.getSubject().checkRole("admin")
    //before the body runs; a failure throws UnauthorizedException
}

  The @RequiresUser annotation

  The current Subject must be a known user: either authenticated in this session or remembered from a previous one via RememberMe. Because a remembered identity satisfies it, guard sensitive operations with @RequiresAuthentication rather than @RequiresUser.

@RequiresUser
public void updateGood(Good good) {
    //this method will only be invoked by a
    //Subject that is authenticated or remembered
}

Equivalent to

public void updateGood(Good good) {
    Subject subject = SecurityUtils.getSubject();
    // Any identity counts, remembered or authenticated; only an anonymous Subject is rejected.
    PrincipalCollection principalCollection = subject.getPrincipals();
    if (principalCollection == null || principalCollection.isEmpty())
        throw new UnauthenticatedException();
}
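The annotations above are metadata: nothing checks them unless a method interceptor runs before the call, which is what the Spring AOP, Guice or AspectJ integrations install around proxied beans. The following added example (not code from the original post) drives Shiro's own AnnotationsAuthorizingMethodInterceptor by hand through a reflective implementation of Shiro's aop.MethodInvocation interface, so the five annotations can be watched passing and failing for an anonymous and an authenticated Subject without a container. GoodService, its methods, the INI user and the String parameter standing in for the page's Good type are all hypothetical, constructed for the demo; it assumes Shiro 1.x (shiro-core) on the classpath.

```java
import java.lang.reflect.Method;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AnnotationDemo {

    // Hypothetical service carrying the annotations from this page. The method bodies
    // check nothing themselves; enforcement happens only when an interceptor runs first.
    public static class GoodService {
        @RequiresAuthentication public String updateGood(String good) { return "updated " + good; }
        @RequiresRoles("admin") public String deleteGood(String good) { return "deleted " + good; }
        @RequiresPermissions("hello:world") public String hello() { return "hello world"; }
        @RequiresUser public String viewCart() { return "cart"; }
        @RequiresGuest public String register() { return "registered"; }
    }

    // Minimal implementation of Shiro's aop.MethodInvocation over a reflective call.
    // The Spring/Guice/AspectJ adapters wrap a real proxy invocation in the same interface.
    static MethodInvocation invocationOf(Object target, String name, Object... args) throws NoSuchMethodException {
        Class<?>[] types = new Class<?>[args.length];
        for (int i = 0; i < args.length; i++) types[i] = args[i].getClass();
        Method method = target.getClass().getMethod(name, types);
        return new MethodInvocation() {
            public Object proceed() throws Throwable { return method.invoke(target, args); }
            public Method getMethod() { return method; }
            public Object[] getArguments() { return args; }
            public Object getThis() { return target; }
        };
    }

    // Shiro's interceptor asserts every @Requires* annotation on the method against the
    // current Subject and only then calls proceed().
    static String guarded(Object target, String name, Object... args) throws Throwable {
        AnnotationsAuthorizingMethodInterceptor interceptor = new AnnotationsAuthorizingMethodInterceptor();
        return (String) interceptor.invoke(invocationOf(target, name, args));
    }

    static void expectDenied(String label, Object target, String name, Object... args) throws Throwable {
        try {
            guarded(target, name, args);
            throw new IllegalStateException(label + ": expected an AuthorizationException");
        } catch (AuthorizationException e) {
            // UnauthenticatedException for the identity annotations, UnauthorizedException for roles/permissions
            System.out.println(label + " denied with " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) throws Throwable {
        Ini ini = new Ini();
        ini.load("[users]\nbob = bob-pw, user\n[roles]\nuser = hello:world\n"); // constructed demo data
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
        GoodService service = new GoodService();

        // Anonymous Subject: only @RequiresGuest passes.
        System.out.println(guarded(service, "register"));
        expectDenied("@RequiresAuthentication, anonymous", service, "updateGood", "book");
        expectDenied("@RequiresUser, anonymous", service, "viewCart");

        // Authenticated as bob (role "user", permission "hello:world").
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "bob-pw"));
        System.out.println(guarded(service, "updateGood", "book"));
        System.out.println(guarded(service, "hello"));
        System.out.println(guarded(service, "viewCart"));
        expectDenied("@RequiresRoles(admin), bob", service, "deleteGood", "book");
        expectDenied("@RequiresGuest, bob", service, "register");

        // The annotation alone enforces nothing: a direct call on the unproxied object succeeds
        // even though bob lacks the admin role.
        System.out.println("direct call: " + service.deleteGood("book"));
        subject.logout();
    }
}
```

The last line is the practical check to carry into a real deployment: if a class is instantiated with new, injected without the Shiro advisor, or invokes its own annotated method internally (self-invocation does not go through the proxy), the @Requires* annotations are silently skipped. Either confirm that the bean is proxied or keep an explicit checkRole/checkPermission at the enforcement point.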

Authorization process


Reposted from www.cnblogs.com/BINGJJFLY/p/8968046.html