Apache Shiro implied permissions

十年热恋 submitted on 2019-12-13 07:34:56

Question


If a user has a permission user:edit:1 and I'm using the annotation-driven @RequiresPermissions("user:edit"), why is Shiro throwing an exception? Shouldn't that permission be implied by the fact that they have user:edit:1? If I put @RequiresPermissions("user:edit:1") then it works fine, but during the context of operation I won't know what 1 is yet, so that will be checked later in the method, but I'd like to avoid going into the method at all if they don't have the user:edit permission at all.


Answer 1:


"user:edit" implies "user:edit:1" but not the other way around. You can keep using @RequiresPermissions("user:edit") and then check for the "1" in your method. You can also use a wildcard, @RequiresPermissions("user:edit:*"), which is exactly the same, but I think it's clearer.




Answer 2:


I don't think ascandroli's answer is correct, since the Shiro documentation states:

The following however is much less ideal for a runtime check:

    if (SecurityUtils.getSubject().isPermitted("printer:print")) {
        //print the document
    }

Why? Because the second example says "You must be able to print to any printer for the following code block to execute". But remember that "printer:print" is equivalent to "printer:print:*"!

(Shiro Documentation)

So @RequiresPermissions("user:edit:*") means the same as @RequiresPermissions("user:edit"), i.e. that the principal needs to be able to edit any user.
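
The implication direction both answers discuss, together with the coarse pre-check the question asks for, as an added Java example that is not code from the thread or from Shiro itself. `isPermitted` uses Shiro's `WildcardPermission.implies` (shiro-core on the classpath); `mayCoverSomeInstance` and `overlaps` are hypothetical helpers, and the held-permission list is constructed sample data that the caller is assumed to be able to obtain.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.shiro.authz.permission.WildcardPermission;

public class ImpliedPermissionDemo {

    // Shiro's rule: access is granted when a held permission implies the required one.
    static boolean isPermitted(List<String> held, String required) {
        WildcardPermission req = new WildcardPermission(required);
        return held.stream().anyMatch(h -> new WildcardPermission(h).implies(req));
    }

    // Hypothetical helper, not a Shiro API: true when some held permission could
    // cover at least one instance of the coarse permission. Use it only as an
    // entry gate; it does not authorize any particular instance.
    static boolean mayCoverSomeInstance(List<String> held, String coarse) {
        return held.stream().anyMatch(h -> overlaps(h, coarse));
    }

    // Part-by-part overlap of two wildcard strings (":" separates parts, ","
    // separates subparts, compared case-insensitively like Shiro's default).
    static boolean overlaps(String a, String b) {
        String[] pa = a.toLowerCase().split(":");
        String[] pb = b.toLowerCase().split(":");
        for (int i = 0; i < Math.min(pa.length, pb.length); i++) {
            Set<String> sa = new HashSet<>(Arrays.asList(pa[i].split(",")));
            Set<String> sb = new HashSet<>(Arrays.asList(pb[i].split(",")));
            if (!sa.contains("*") && !sb.contains("*") && Collections.disjoint(sa, sb)) {
                return false; // this part can never match, so no shared instance
            }
        }
        return true; // missing trailing parts behave like "*"
    }

    public static void main(String[] args) {
        // Constructed sample: the user from the question, who may edit only user 1.
        List<String> held = List.of("user:edit:1");
        System.out.println("permitted user:edit     -> " + isPermitted(held, "user:edit"));
        System.out.println("permitted user:edit:1   -> " + isPermitted(held, "user:edit:1"));
        System.out.println("permitted user:edit:2   -> " + isPermitted(held, "user:edit:2"));
        System.out.println("coarse gate user:edit   -> " + mayCoverSomeInstance(held, "user:edit"));
        System.out.println("coarse gate user:delete -> " + mayCoverSomeInstance(held, "user:delete"));
    }
}
```

The coarse gate only decides whether to enter the method; the instance-level check (for example `user:edit:1`) still has to run once the id is known.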



Source: https://stackoverflow.com/questions/5262842/apache-shiro-implied-permissions
