一、授权的核心概念

授权，也就是权限认证或访问控制，即在应用中控制谁能访问哪些资源
授权中的核心要素：
1 用户，在shiro中代表访问系统的任何客户端，即subject
2 角色，是权限的集合，或字符串值表示的一种能力。
3 权限，即操作资源的权利。比如访问某个页面，以及对某功能模块的添加、修改、删除、查看的权利
(http://shiro.apache.org/authorization.html)

二、授权方式

1、编程式授权

基于角色(role)的编程式授权、基于权限(permission)的编程式授权

1.1 基于角色(role)的编程式授权

public class RoleTest {@Testpublic void testHasRole() {Subject currentUser=ShiroUtil.login("classpath:shiro_role.ini", "zhangsan", "zs123456");System.out.println(currentUser.hasRole("role1")?"有role1这个角色":"没有role1这个角色");boolean []results=currentUser.hasRoles(Arrays.asList("role1","role2","role3"));System.out.println(results[0]?"有role1这个角色":"没有role1这个角色");System.out.println(results[1]?"有role2这个角色":"没有role2这个角色");System.out.println(results[2]?"有role3这个角色":"没有role3这个角色");System.out.println(currentUser.hasAllRoles(Arrays.asList("role1","role2"))?"role1,role2这两个角色都有":"role1,role2这个两个角色不全有");currentUser.logout();}@Testpublic void testCheckRole() {Subject currentUser=ShiroUtil.login("classpath:shiro_role.ini", "zhangsan","zs123456");currentUser.checkRole("role1");currentUser.checkRoles(Arrays.asList("role1","role2"));currentUser.checkRoles("role1","role2","role3");currentUser.logout();}
}

hasRole()和checkRole()的区别在于，前者是有相应角色则返回布尔值，后者是没有角色则会抛出异常。

1.2 基于权限(permission)的编程式授权

public class PermissionTest {@Testpublic void testIsPermitted() {Subject currentUser=ShiroUtil.login("classpath:shiro_permission.ini", "zhangsan", "zs123456");System.out.println(currentUser.isPermitted("user:select")?"有user:select这个权限":"没有user:select这个权限");System.out.println(currentUser.isPermitted("user:update")?"有user:update这个权限":"没有user:update这个权限");boolean results[]=currentUser.isPermitted("user:select","user:update","user:delete");System.out.println(results[0]?"有user:select这个权限":"没有user:select这个权限");System.out.println(results[1]?"有user:update这个权限":"没有user:update这个权限");System.out.println(results[2]?"有user:delete这个权限":"没有user:delete这个权限");System.out.println(currentUser.isPermittedAll("user:select","user:update")?"有user:select,update这两个权限":"user:select,update这两个权限不全有");currentUser.logout();}@Testpublic void testCheckPermitted() {Subject currentUser=ShiroUtil.login("classpath:shiro_permission.ini", "zhangsan", "zs123456");currentUser.checkPermission("user:select");currentUser.checkPermissions("user:select","user:update","user:delete");currentUser.logout();}
}

isPermmitted()和checkPermitted()的区别在于：前者是若用户没有相应权限则返回布尔值false，而后者则会抛出异常。

2、注解授权

@RequiresAuthentication 要求subjejct已经通过了身份认证
@RequiresGuest 要求当前subject是一个"guest"，即subject必须是没有被记住且没有通过身份认证
@RequiresUser 要求当前subject是一个用户，可以是被记住(rememberMe)的，或者是通过了身份认证的
@RequiresRoles 要求当前subject必须拥有相应角色，value可为一个String集合，默认是And关系。可以标记在类和方法上。
@RequiresPermissions 要求当前subject必须拥有相应权限，value可为一个String集合，默认是And关系。可以标记在类和方法上。

@RequiresRoles注解：

@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresRoles {/*** A single String role name or multiple comma-delimitted role names required in order for the method* invocation to be allowed.*/String[] value();/*** The logical operation for the permission check in case multiple roles are specified. AND is the default* @since 1.1.0*/Logical logical() default Logical.AND;
}

@RequiresPermission注解：

@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresPermissions {/*** The permission string which will be passed to {@link org.apache.shiro.subject.Subject#isPermitted(String)}* to determine if the user is allowed to invoke the code protected by this annotation.*/String[] value();/*** The logical operation for the permission checks in case multiple roles are specified. AND is the default* @since 1.1.0*/Logical logical() default Logical.AND;}

3、jsp标签授权

3.1 在pom.xml中引入shiro-web.jar

3.2 在jsp页面中引入shiro的自定义标签库

<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

3.3 在jsp页面中使用shiro:xxx的标签

<shiro:guest>用户没有被RememberMe，也没有通过身份认证时显示  </shiro:guest>​
<shiro:user> 用户被RememberMe，或者通过了身份认证时显示</shiro:user>​<shiro:authenticated>用户通过了身份认证时显示 </shiro:authenticated>
<shiro:notAuthenticated>用户没有通过身份认证时显示 </shiro:notAuthenticated>
​
<shiro:hasRole>用户拥有相应角色则显示  </shiro:hasRole>
<shiro:lacksRole> 用户缺少相应角色则显示 </shiro:lacksRole>
<shiro:hasAnyRole>用户拥有其中任意一个角色则显示  </shiro:hasAnyRole>
​<shiro:hasPermission> 用户拥有相应权限则显示</shiro:hasPermission>
<shiro:lacksPermission>用户缺少相应权限则显示 </shiro:lacksPermission>
​

三、授权过程

Step 1: Application or framework code invokes any of the Subject hasRole*, checkRole*, isPermitted*, or checkPermission* method variants, passing in whatever permission or role representation is required.

Step 2: The Subject instance, typically a DelegatingSubject (or a subclass) delegates to the application’s SecurityManager by calling the securityManager’s nearly identical respective hasRole*, checkRole*, isPermitted*, or checkPermission* method variants (the securityManager implements the org.apache.shiro.authz.Authorizer interface, which defines all Subject-specific authorization methods).

Step 3: The SecurityManager, being a basic ‘umbrella’ component, relays/delegates to its internal org.apache.shiro.authz.Authorizer instance by calling the authorizer’s respective hasRole*, checkRole*, isPermitted*, or checkPermission* method. The authorizer instance is by default a ModularRealmAuthorizer instance, which supports coordinating one or more Realm instances during any authorization operation.

Step 4: Each configured Realm is checked to see if it implements the same Authorizer interface. If so, the Realm’s own respective hasRole*, checkRole*, isPermitted*, or checkPermission* method is called.

四、权限粒度

资源级别
单个权限：query
单个资源多个权限： user:query user:add 多值user:query,add
单个资源所有权限： user:query,user:add,user:update,user:delete 所有user:*
所有资源的某个权限: *:view

实例级别
单个实例的单个权限 printer:query:lp7200 printer:print:epsoncolor
所有实例的单个权限 printer:print:*
所有实例的所有权限 printer::
单个实例的所有权限 printer:*:lp7200
单个实例的多个权限 printer:query,print:lp7200

printer 等价于 printer::
printer:print 等价与 printer:print:*