Apache Shiro implied permissions
If a user has the permission user:edit:1 and I'm using the annotation-driven @RequiresPermissions("user:edit"), why is Shiro throwing an exception? Shouldn't that permission be implied by the fact that they have user:edit:1? If I put @RequiresPermissions("user:edit:1") then it works fine, but during the context of operation I won't know what 1 is yet, so that will be checked later in the method, but I'd like to avoid going into the method at all if they don't have the user:edit permission at all.
Comments (2)
I don't think ascandrolis' answer is correct, since the Shiro documentation states:
(Shiro Documentation)
So
@RequiresPermissions("user:edit:*")
means the same as @RequiresPermissions("user:edit"), i.e. that the principal needs to be able to edit any user.

"user:edit" implies "user:edit:1" but not the other way around. You can keep using
@RequiresPermissions("user:edit")
and then check for the "1" in your method. You can also use a wildcard @RequiresPermissions("user:edit:*"), which is exactly the same but I think it's clearer.
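
The direction of implication discussed in both comments can be checked directly against Shiro's WildcardPermission class. The following is an added example, not code from the question or either comment; it assumes shiro-core is on the classpath and Java 9+, and the class name, the isPermitted helper and the sample grants are constructed for illustration.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

import java.util.List;

public class ImpliedPermissionDemo {

    // Hypothetical helper: true if any permission the user HOLDS implies the
    // REQUIRED one. The check always runs held.implies(required), never the
    // reverse, which is why the direction matters.
    static boolean isPermitted(List<Permission> held, String required) {
        Permission req = new WildcardPermission(required);
        return held.stream().anyMatch(p -> p.implies(req));
    }

    public static void main(String[] args) {
        // Constructed sample: a user granted edit rights on instance 1 only.
        List<Permission> instanceOnly =
                List.of(new WildcardPermission("user:edit:1"));
        // Constructed sample: a user granted edit rights on every user.
        List<Permission> allUsers =
                List.of(new WildcardPermission("user:edit"));

        // The strings an annotation or an in-method check might require.
        String[] required = {
            "user:edit", "user:edit:*", "user:edit:1", "user:edit:2"
        };

        System.out.printf("%-14s %-18s %s%n",
                "required", "holds user:edit:1", "holds user:edit");
        for (String r : required) {
            System.out.printf("%-14s %-18b %b%n",
                    r, isPermitted(instanceOnly, r), isPermitted(allUsers, r));
        }
    }
}
```

A subject holding only user:edit:1 passes the user:edit:1 check alone, because a held permission with a trailing non-wildcard part does not imply a shorter required string. A subject holding user:edit passes all four, since missing trailing parts are treated as wildcards.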