Shiro的注解授权不起作用


这是我的controller


 package com.ivo.controller;



import javax.annotation.Resource;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import com.ivo.model.User;
import com.ivo.service.UserService;

@Controller
@RequestMapping(value="/user")
public class LoginController {
    @Resource(name="userService")
    private UserService userService;
    @RequestMapping(value="/check")
    public String findUser(User user){
        Subject subject = SecurityUtils.getSubject();
        System.out.println("权限:"+subject.isPermitted("Q8"));
//      Session session = subject.getSession();
            UsernamePasswordToken token = new UsernamePasswordToken(user.getUserid(),user.getPassword());
            token.setRememberMe(true);
            try {
                subject.login(token);//跳到realm
//              session.setTimeout(100);
                return "main";
            }catch (AuthenticationException e) {
                token.clear();  
                return "register";
            }

    }
    @RequestMapping(value="/register")
    public String register(){
        return "register";
    }

    @RequiresPermissions("Q8")
    @RequestMapping(value="/master")        //注解授权在这里
    public String master(){
        return "master";
    }
    @RequestMapping(value="/logout")
    public String exit(){

        Subject subject = SecurityUtils.getSubject();
        System.out.println("SessionID:"+subject.getSession().getId());
        if(subject.getSession()==null){
            System.out.println("没有Session");
        }else{
            System.out.println("有Session");
        }
        SecurityUtils.getSubject().logout();
        return "register";
    }
}

下面是我的applicationContent.xml


 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
                        http://www.springframework.org/schema/mvc 
                        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd 
                        http://www.springframework.org/schema/context 
                        http://www.springframework.org/schema/context/spring-context-3.0.xsd 
                        http://www.springframework.org/schema/aop 
                        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd 
                        http://www.springframework.org/schema/tx 
                        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd ">

    <!-- 注解驱动 -->
    <context:component-scan base-package="com.ivo"></context:component-scan>
    <context:component-scan base-package="com.ivo.controller"></context:component-scan>
    <tx:annotation-driven proxy-target-class="true"/>
    <mvc:annotation-driven />
    <!-- 组件扫描 -->
    <!-- 启动组件扫描,排除@Controller组件,该组件由SpringMVC配置文件扫描 -->
    <!-- 定义数据源 -->
    <!-- c3p0有自动回收空闲连接功能 -->
    <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <property name="driverClass" value="com.mysql.jdbc.Driver" />
        <property name="jdbcUrl" value="" />
        <property name="user" value="root" />
        <property name="password" value="root" />

        <property name="initialPoolSize" value="10" />
        <property name="maxPoolSize" value="50" />
        <property name="minPoolSize" value="10" />
    </bean>

    <bean id="sf" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
        <property name="dataSource" ref="dataSource"></property>

        <!-- hibernate映射文件的位置 -->
        <property name="mappingDirectoryLocations">
            <value>classpath:com/ivo/model/</value>
        </property>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.Dialect">org.hibernate.dialect.MySQL5Dialect</prop>
                <prop key="hibernate.show_sql">true</prop>
                <prop key="hibernate.hbm2ddl">update</prop>
            </props>
        </property>
    </bean>

    <!-- 事务管理器 -->
    <bean id="txManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
        <property name="sessionFactory" ref="sf"></property>
    </bean>
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="myDbRealm" />
        <property name="sessionManager" ref="sessionManager" />
    </bean>
    <bean id=" myDbRealm" class="com.ivo.realm.MyDbRealm" />
    <!-- Shiro Filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- shiro的核心安全接口 -->
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/" />
        <!-- 登陆成功后要跳转的连接 -->
        <property name="successUrl" value="/success" />
        <!-- 没有权限要跳转的链接 -->
        <property name="unauthorizedUrl" value="/regester" />
        <!-- 默认的连接拦截配置 -->
        <!-- <property name="filterChainDefinitions"> 
        </property> -->
    </bean>
    <bean id="sessionDAO" class="com.ivo.dao.MySessionDao"></bean>
    <bean id="sessionListener" class="com.ivo.dao.MyListener"></bean>
    <!-- 会话管理器 -->
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="sessionValidationSchedulerEnabled" value="false" />
        <property name="sessionDAO" ref="sessionDAO" />
        <property name="sessionListeners" ref="sessionListener" />
        <property name="globalSessionTimeout" value="90000" />
    </bean>

    <!-- 配置事物的传播特性 (事物通知) -->
    <tx:advice id="txAdvice" transaction-manager="txManager">
        <tx:attributes>
            <!-- REQUIRED 如果存在一个事务,则支持当前事务。如果没有事务则开启 -->
            <tx:method name="save*" propagation="REQUIRED" />
            <tx:method name="delete*" propagation="REQUIRED" />
            <tx:method name="update*" propagation="REQUIRED" />
            <tx:method name="find*" read-only="true" />
            <tx:method name="*" read-only="true" />
        </tx:attributes>
    </tx:advice>

    <aop:config>
        <aop:advisor pointcut="execution(* com.ivo.service.*.*(..))" advice-ref="txAdvice" />
    </aop:config>
</beans>

当我运行项目的时候没有报错,原本的意思是只有Q8权限的subject可以打开,但是实际情况是没有这个权限的subject也可以打开,相当困惑,这是什么原因导致的呢?希望大家能帮忙给看看,先在这里谢过了~

shiro 注解

豆芽Dsoul 9 years, 9 months ago

我通过对比github上面的sample发现原来是applicationContext.xml中不扫描Controller,而将其放在springmvc.xml中扫描就OK了。

以下是applicationContext.xml


 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
                        http://www.springframework.org/schema/mvc 
                        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd 
                        http://www.springframework.org/schema/context 
                        http://www.springframework.org/schema/context/spring-context-3.0.xsd 
                        http://www.springframework.org/schema/aop 
                        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd 
                        http://www.springframework.org/schema/tx 
                        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd ">

    <!-- Enable annotation configuration -->
    <context:annotation-config/>
    <!-- Scan sample packages for Spring annotations -->
    <context:component-scan base-package="com.ivo.dao"/>
    <context:component-scan base-package="com.ivo.realm"/>
    <context:component-scan base-package="com.ivo.service"/>
     <!-- Spring AOP auto-proxy creation (required to support Shiro annotations) -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
    <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <property name="driverClass" value="com.mysql.jdbc.Driver" />
        <property name="jdbcUrl" value="jdbc:mysql://10.20.2.9/springmvc" />
        <property name="user" value="root" />
        <property name="password" value="root" />

        <property name="initialPoolSize" value="10" />
        <property name="maxPoolSize" value="50" />
        <property name="minPoolSize" value="10" />
    </bean>

        <!-- Hibernate SessionFactory -->
    <bean id="sf" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
        <property name="dataSource" ref="dataSource"></property>
        <!-- hibernate映射文件的位置 -->
        <property name="mappingDirectoryLocations">
            <value>classpath:com/ivo/model/</value>
        </property>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.Dialect">org.hibernate.dialect.MySQL5Dialect</prop>
                <prop key="hibernate.show_sql">true</prop>
                <prop key="hibernate.hbm2ddl">update</prop>
            </props>
        </property>
    </bean>
     <!-- Transaction support beans -->
    <bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
        <property name="sessionFactory" ref="sf"/>
    </bean>

    <tx:annotation-driven/>
        <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="myDbRealm" />
        <property name="sessionManager" ref="sessionManager" />
    </bean>
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
        <!-- Shiro Filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- shiro的核心安全接口 -->
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/" />
        <!-- 登陆成功后要跳转的连接 -->
        <property name="successUrl" value="/success" />
        <!-- 没有权限要跳转的链接 -->
        <property name="unauthorizedUrl" value="/regester" />
        <!-- 默认的连接拦截配置 -->
    <!--    <property name="filterChainDefinitions">
            <value>
            /user/master = perms[permission:Q6]
            </value> 
        </property> -->
    </bean>
    <bean id="sessionDAO" class="com.ivo.dao.MySessionDao"></bean>
    <bean id="sessionListener" class="com.ivo.dao.MyListener"></bean>
    <!-- 会话管理器 -->
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="sessionValidationSchedulerEnabled" value="false" />
        <property name="sessionDAO" ref="sessionDAO" />
        <property name="sessionListeners" ref="sessionListener" />
        <property name="globalSessionTimeout" value="90000" />
    </bean>
    <bean id="txManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
        <property name="sessionFactory" ref="sf"></property>
    </bean>
    <bean id=" myDbRealm" class="com.ivo.realm.MyDbRealm" />
    <!-- 配置事物的传播特性 (事物通知) -->
    <tx:advice id="txAdvice" transaction-manager="txManager">
        <tx:attributes>
            <!-- REQUIRED 如果存在一个事务,则支持当前事务。如果没有事务则开启 -->
            <tx:method name="save*" propagation="REQUIRED" />
            <tx:method name="delete*" propagation="REQUIRED" />
            <tx:method name="update*" propagation="REQUIRED" />
            <tx:method name="find*" read-only="true" />
            <tx:method name="*" read-only="true" />
        </tx:attributes>
    </tx:advice>
    <aop:config>
        <aop:advisor pointcut="execution(* com.ivo.*.*.*(..))" advice-ref="txAdvice" />
    </aop:config> 
</beans>

springmvc.xml


 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
                        http://www.springframework.org/schema/mvc 
                        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd 
                        http://www.springframework.org/schema/context 
                        http://www.springframework.org/schema/context/spring-context-3.0.xsd 
                        http://www.springframework.org/schema/aop 
                        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd 
                        http://www.springframework.org/schema/tx 
                        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd ">


 <!-- Enable annotation component scanning and autowiring of web package -->
    <context:annotation-config/>
    <context:component-scan base-package="com.ivo.controller"/>

    <!-- Required for security annotations to work in this servlet -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>


    <!-- Enable annotation-based controllers using @Controller annotations -->
    <bean id="annotationUrlMapping"  class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    </bean>

    <bean id="annotationMethodHandlerAdapter"
          class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>                       




    <!-- <context:component-scan base-package="org.shiro.demo.controller" /> -->
    <!-- <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" /> -->
    <!-- 视图解析器 -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <!-- 前缀 /WEB-INF/jsps/home.jsp-->
        <property name="prefix" value="/WEB-INF/jsps/"></property>
        <!-- 后缀 -->
        <property name="suffix" value=".jsp"></property>
    </bean>
</beans>

困扰了我好几天,终于搞定了!

伟大的要死 answered 9 years, 9 months ago

Your Answer