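In the earlier article "Spring-Boot-shiro permission control", when a user requested a resource they had no permission for, we redirected them to a 403 page. In real projects the more common approach is to show only the resource links that the current user is permitted to access. With the Shiro tags for Thymeleaf this is easy to achieve.

Thymeleaf does not officially provide Shiro tags, so we need to bring in a third-party implementation, available at https://github.com/theborakompanioni/thymeleaf-extras-shiro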

Adding thymeleaf-extras-shiro

Add the dependency to the pom:

```xml
<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>2.0.0</version>
</dependency>
```

ShiroConfig configuration

After adding the dependency, register the dialect in ShiroConfig:

```java
@Bean
public ShiroDialect shiroDialect() {
    return new ShiroDialect();
}
```

Reworking the home page

Change index.html to try out the Shiro tags:

```html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:shiro="http://www.pollix.at/thymeleaf/shiro" >
<head>
    <meta charset="UTF-8">
    <title>首页</title>
</head>
<body>
    <p>你好![[${user.userName}]]</p>
    <p shiro:hasRole="admin">你的角色为超级管理员</p>
    <p shiro:hasRole="test">你的角色为测试账户</p>
    <div>
        <a shiro:hasPermission="user:user" th:href="@{/user/list}">获取用户信息</a>
        <a shiro:hasPermission="user:add" th:href="@{/user/add}">新增用户</a>
        <a shiro:hasPermission="user:delete" th:href="@{/user/delete}">删除用户</a>
    </div>
    <a th:href="@{/logout}">注销</a>
</body>
</html>
```

Note that to use Shiro tags in an HTML page, the html tag must declare xmlns:shiro="http://www.pollix.at/thymeleaf/shiro"

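Testing

Start the project and log in with the mrbird account (role admin, with the user:user, user:add and user:delete permissions):

Using Shiro tags in Spring Boot Thymeleaf - Figure 1

Log in with the tester account (role tester, with only the user:user permission):

Using Shiro tags in Spring Boot Thymeleaf - Figure 2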
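
The Shiro tags only decide whether a link is rendered; the /user/list, /user/add and /user/delete endpoints still have to check the same permissions on the server, otherwise a user can request the hidden URL directly. One way to do that with Shiro annotations (an added example, not code from the original article; the class name and view names are assumptions):

```java
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;

// Hypothetical controller: the class name and the returned view names are
// assumptions. Assumes Shiro annotation support is enabled in ShiroConfig
// (an AuthorizationAttributeSourceAdvisor bean); without it the
// @RequiresPermissions annotations are not enforced.
@Controller
@RequestMapping("/user")
public class UserController {

    // Same permission string as shiro:hasPermission="user:user" in index.html
    @RequiresPermissions("user:user")
    @RequestMapping("list")
    public String list() {
        return "user/list";
    }

    // Same permission string as shiro:hasPermission="user:add"
    @RequiresPermissions("user:add")
    @RequestMapping("add")
    public String add() {
        return "user/add";
    }

    // Same permission string as shiro:hasPermission="user:delete"
    @RequiresPermissions("user:delete")
    @RequestMapping("delete")
    public String delete() {
        return "user/delete";
    }

    // A direct request by a user who lacks the permission ends up here:
    // Shiro throws AuthorizationException before the handler body runs.
    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String forbidden() {
        return "403";
    }
}
```

With this in place the tester account sees only the user:user link in index.html and also receives a 403 if it requests /user/add or /user/delete by hand.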

More tags

The following examples show how to integrate the tags in your Thymeleaf templates. These are all implementations of the examples given in the JSP / GSP Tag Library Section of the Apache Shiro documentation.

Tags can be written in attribute or element notation:

  • Attribute

```html
<p shiro:anyTag>
  Goodbye cruel World!
</p>
```

  • Element

```html
<shiro:anyTag>
  <p>Hello World!</p>
</shiro:anyTag>
```

The **guest** tag

```html
<p shiro:guest="">
  Please <a href="login.html">Login</a>
</p>
```

The **user** tag

```html
<p shiro:user="">
  Welcome back John! Not John? Click <a href="login.html">here</a> to login.
</p>
```

The **authenticated** tag

```html
<a shiro:authenticated="" href="updateAccount.html">Update your contact information</a>
```

The **notAuthenticated** tag

```html
<p shiro:notAuthenticated="">
  Please <a href="login.html">login</a> in order to update your credit card information.
</p>
```

The **principal** tag

```html
<p>Hello, <span shiro:principal=""></span>, how are you today?</p>
```

or

```html
<p>Hello, <shiro:principal/>, how are you today?</p>
```

Typed principal and principal property are also supported.

The **hasRole** tag

```html
<a shiro:hasRole="administrator" href="admin.html">Administer the system</a>
```

The **lacksRole** tag

```html
<p shiro:lacksRole="administrator">
  Sorry, you are not allowed to administer the system.
</p>
```

The **hasAllRoles** tag

```html
<p shiro:hasAllRoles="developer, project manager">
  You are a developer and a project manager.
</p>
```

The **hasAnyRoles** tag

```html
<p shiro:hasAnyRoles="developer, project manager, administrator">
  You are a developer, project manager, or administrator.
</p>
```

The **hasPermission** tag

```html
<a shiro:hasPermission="user:create" href="createUser.html">Create a new User</a>
```

The **lacksPermission** tag

```html
<p shiro:lacksPermission="user:delete">
  Sorry, you are not allowed to delete user accounts.
</p>
```

The **hasAllPermissions** tag

```html
<p shiro:hasAllPermissions="user:create, user:delete">
  You can create and delete users.
</p>
```

The **hasAnyPermissions** tag

```html
<p shiro:hasAnyPermissions="user:create, user:delete">
  You can create or delete users.
</p>
```