Posted to dev@shiro.apache.org by Govert Peng <pe...@126.com> on 2014/08/07 08:05:19 UTC

Some question in learning Shiro

Hi sir:
I'm sending you this short letter to ask a few questions.

While learning Shiro and integrating Apache Shiro into Spring-based applications, I looked at the sample spring-hibernate. That application uses annotation-based authorization, but in the Spring configuration applicationContext.xml, the <bean id="shiroFilter"> sub-element <property name="filterChainDefinitions"> uses /s/manageUsers = perms[user:manage]. I do not understand why, when annotation-based authorization is already used, this perms filter also needs to be configured. This is equivalent to verifying twice.

When I delete /s/manageUsers = perms[user:manage] and try to access /manageUsers as a newly signed-up user, an exception is thrown: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [user:manage], and it does not go to the unauthorized page. But when I delete the annotation @RequiresPermissions("user:manage") on the ManageUsersController method manageUsersmanageUsers and add /s/manageUsers = perms[user:manage] in applicationContext.xml, it also works well. It is as if @RequiresPermissions("user:manage") is useless when I configure <bean id="shiroFilter"> with <property name="filterChainDefinitions"> using the perms filter and write the permission in []. I read the source code, and the perms filter also checks the permission.

Re: Some question in learning Shiro

Posted by Brian Demers <br...@gmail.com>.
If you are doing all your filtering at the request level, that is all you
need.



On Thu, Aug 7, 2014 at 2:05 AM, Govert Peng <pe...@126.com> wrote:

> Hi sir:
> I'm sending you this short letter to ask a few questions.
>
> While learning Shiro and integrating Apache Shiro into Spring-based
> applications, I looked at the sample spring-hibernate. That application
> uses annotation-based authorization, but in the Spring configuration
> applicationContext.xml, the <bean id="shiroFilter"> sub-element
> <property name="filterChainDefinitions"> uses /s/manageUsers =
> perms[user:manage]. I do not understand why, when annotation-based
> authorization is already used, this perms filter also needs to be
> configured. This is equivalent to verifying twice.
>
> When I delete /s/manageUsers = perms[user:manage] and try to access
> /manageUsers as a newly signed-up user, an exception is thrown:
> org.apache.shiro.authz.UnauthorizedException: Subject does not have
> permission [user:manage], and it does not go to the unauthorized page.
> But when I delete the annotation @RequiresPermissions("user:manage") on
> the ManageUsersController method manageUsersmanageUsers and add
> /s/manageUsers = perms[user:manage] in applicationContext.xml, it also
> works well. It is as if @RequiresPermissions("user:manage") is useless
> when I configure <bean id="shiroFilter"> with
> <property name="filterChainDefinitions"> using the perms filter and write
> the permission in []. I read the source code, and the perms filter also
> checks the permission.
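
An added configuration example, not part of either message and not the sample application's own file, showing the two layers discussed in this thread side by side: the request-level perms filter redirects a denied request to unauthorizedUrl itself, while a failed @RequiresPermissions check is thrown from the controller call as an exception that the web framework has to map to a page. The securityManager bean reference, the /s/login and /s/unauthorized paths, and the "unauthorized" view name are assumptions.

```xml
<!-- Added example. Only /s/manageUsers = perms[user:manage] is taken from the thread;
     every other id, path and view name here is an assumption. -->

<!-- Layer 1: request-level check, matched on the URL path.
     When the Subject lacks user:manage, the perms filter itself redirects
     to unauthorizedUrl (or to loginUrl if the Subject is not yet known). -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>      <!-- assumed bean id -->
    <property name="loginUrl" value="/s/login"/>                  <!-- assumed path -->
    <property name="unauthorizedUrl" value="/s/unauthorized"/>    <!-- assumed path -->
    <property name="filterChainDefinitions">
        <value>
            /s/manageUsers = perms[user:manage]
        </value>
    </property>
</bean>

<!-- Layer 2: method-level check via @RequiresPermissions("user:manage").
     A failure here is an org.apache.shiro.authz.UnauthorizedException thrown
     out of the controller method, after the filter chain has already let the
     request through, so unauthorizedUrl above is never consulted.
     Spring MVC must map the exception to a view for the user to see a page.
     Assumes this bean is visible to the DispatcherServlet's context. -->
<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="exceptionMappings">
        <props>
            <!-- "unauthorized" is an assumed view name -->
            <prop key="org.apache.shiro.authz.UnauthorizedException">unauthorized</prop>
        </props>
    </property>
</bean>
```

The filter entry protects only the paths it lists, whereas the annotation protects the method whichever URL mapping reaches it.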