org.apache.shiro.authz.Permission
package org.apache.shiro.authz;
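/**
 * A Permission represents the ability to perform an action or access a resource.
 * <p>
 * Permissions are the atoms of Shiro's authorization model: a Subject that has been granted
 * a Permission may do whatever that Permission {@link #implies(Permission) implies}. Every
 * authorization decision therefore rests on the correctness of each implementation's
 * {@code implies} method, so implementations must be conservative: when in doubt, return
 * {@code false}.
 *
 * @see org.apache.shiro.authz.permission.WildcardPermission WildcardPermission
 * @since 0.2
 */
public interface Permission {

    /**
     * Returns {@code true} if this current instance implies all the functionality and/or
     * resource access described by the specified Permission argument, {@code false} otherwise.
     * <p>
     * If "permission1 implies permission2", i.e. {@code permission1.implies(permission2)},
     * then any Subject granted permission1 would have ability greater than or equal to that
     * defined by permission2. In other words, the Permission on which {@code implies} is
     * invoked must be at least as powerful as the argument, never weaker. The relation is
     * directional: {@code a.implies(b)} says nothing about {@code b.implies(a)}.
     *
     * @param p the permission to check for behavior/functionality comparison.
     * @return {@code true} if this instance implies {@code p}, {@code false} otherwise.
     *         An implementation that cannot compare itself with the argument's type should
     *         return {@code false} rather than throw (as {@code WildcardPermission} does), so
     *         that an unrecognised permission is denied instead of failing the check.
     */
    boolean implies(Permission p);
}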
org.apache.shiro.authz.permission.WildcardPermission
package org.apache.shiro.authz.permission;
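/**
 * A {@link Permission} expressed as a string of colon-separated parts, each part being a
 * comma-separated set of sub-parts, with {@code *} standing for "any value" in that part;
 * for example {@code "newsletter:edit:12,13,18"} or {@code "newsletter:*:13"}.
 * <p>
 * Comparison is case-insensitive by default ({@link #DEFAULT_CASE_SENSITIVE}). The case
 * folding itself is applied when the string is parsed in {@code setParts(String, boolean)},
 * which is not shown in this excerpt; {@link #implies(Permission)} only compares the
 * already-parsed parts.
 *
 * @since 0.9
 */
public class WildcardPermission implements Permission, Serializable {

    /*--------------------------------------------
    |             C O N S T A N T S             |
    ============================================*/
    /** A part containing this token matches any sub-part set in the same position. */
    protected static final String WILDCARD_TOKEN = "*";
    /** Separates the parts (e.g. domain, action, instance) of a permission string. */
    protected static final String PART_DIVIDER_TOKEN = ":";
    /** Separates the sub-parts within a single part. */
    protected static final String SUBPART_DIVIDER_TOKEN = ",";
    /** Permission strings compare case-insensitively unless a constructor says otherwise. */
    protected static final boolean DEFAULT_CASE_SENSITIVE = false;

    /**
     * For subclasses that populate the parts themselves via {@code setParts}.
     */
    protected WildcardPermission() {
    }

    /**
     * Creates a case-insensitive permission from the given wildcard string.
     *
     * @param wildcardString the permission string, e.g. {@code "domain:action:instance"}.
     */
    public WildcardPermission(String wildcardString) {
        this(wildcardString, DEFAULT_CASE_SENSITIVE);
    }

    /**
     * Creates a permission from the given wildcard string.
     *
     * @param wildcardString the permission string, e.g. {@code "domain:action:instance"}.
     * @param caseSensitive  whether sub-parts are compared case-sensitively.
     */
    public WildcardPermission(String wildcardString, boolean caseSensitive) {
        setParts(wildcardString, caseSensitive);
    }

    /**
     * Parses {@code wildcardString} with the default case sensitivity.
     *
     * @param wildcardString the permission string to parse.
     */
    protected void setParts(String wildcardString) {
        setParts(wildcardString, DEFAULT_CASE_SENSITIVE);
    }

    /**
     * Returns {@code true} if this permission covers everything {@code p} grants.
     * <p>
     * The rule, applied part by part from the left:
     * <ul>
     * <li>If this permission runs out of parts before {@code p} does, the remaining parts of
     *     {@code p} are implied, so {@code "user"} implies {@code "user:view"} and
     *     {@code "user:view:1"}. A permission with fewer parts is therefore strictly broader
     *     than any longer one sharing its prefix; grant the most specific string that still
     *     covers the intended access.</li>
     * <li>Otherwise each part of this permission must either contain {@link #WILDCARD_TOKEN}
     *     (so {@code "edit,*"} counts as a wildcard) or be a superset of the corresponding
     *     part of {@code p}.</li>
     * <li>Any parts this permission has beyond the length of {@code p} must all be wildcards:
     *     {@code "user:*:*"} implies {@code "user:view"}, but {@code "user:view:1"} does not
     *     imply {@code "user:view"}.</li>
     * </ul>
     * The wildcard never spans a divider, so {@code "*:view"} does not imply
     * {@code "system:user:view"}; one {@code *} is needed per part.
     *
     * @param p the permission to test; anything other than a {@code WildcardPermission} is
     *          not comparable and yields {@code false}.
     * @return {@code true} if this permission implies {@code p}, {@code false} otherwise.
     */
    @Override
    public boolean implies(Permission p) {
        // By default only supports comparisons with other WildcardPermissions.
        // Returning false (not throwing) keeps an unknown permission type a denial.
        if (!(p instanceof WildcardPermission)) {
            return false;
        }
        WildcardPermission wp = (WildcardPermission) p;
        List<Set<String>> otherParts = wp.getParts();
        // getParts() is a plain accessor; read it once rather than on every iteration.
        List<Set<String>> myParts = getParts();

        int i = 0;
        for (Set<String> otherPart : otherParts) {
            // If this permission has fewer parts than the other permission, everything after
            // the number of parts contained in this permission is automatically implied.
            if (myParts.size() - 1 < i) {
                return true;
            }
            Set<String> part = myParts.get(i);
            if (!part.contains(WILDCARD_TOKEN) && !part.containsAll(otherPart)) {
                return false;
            }
            i++;
        }

        // If this permission has more parts than the other, only imply it if all of the
        // remaining parts are wildcards.
        for (; i < myParts.size(); i++) {
            if (!myParts.get(i).contains(WILDCARD_TOKEN)) {
                return false;
            }
        }
        return true;
    }
}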
Shiro ACL
Instance-level Access Control Lists
In this scenario you use three tokens - the first is the domain, the second is the action, and the third is the instance you are acting on.
规则:"资源标识符:操作:对象实例ID" 即对哪个资源的哪个实例可以进行什么操作。
示例:
newsletter:edit:12,13,18 allows the user to edit newsletters 12, 13 and 18
newsletter:*:13 grants the user all actions on newsletter 13
newsletter:view,create,edit:* allows the user to view, create, or edit any newsletter
newsletter:*:* allows the user to perform any action on any newsletter
匹配规则说明:
如"user:view"等价于"user:view:*";而"organization"等价于"organization:*"或者"organization:*:*"。
另外如"user:*"可以匹配"user:delete";"user:delete"可以匹配"user:delete:1";"user:*:1"可以匹配"user:view:1";"user"可以匹配"user:view"或"user:view:1"
等。
即*可以匹配所有,不加*可以进行前缀匹配;但是如"*:view"不能匹配"system:user:view",需要使用"*:*:view",即后缀匹配必须指定前缀(多个冒号就需要多个*来匹配)。