【开源中国 APP 全新上线】“动弹” 回归、集成大模型对话、畅读技术报告”
我在spring mvc的controller方法上,加了需要admin角色这个注解,但是好像没起作用,我用student角色也能访问这个函数。这是为什么呢?
@RequiresRoles("admin")
@RequestMapping(value = "/ecampuscenter")public String ecampuscenter() {
logger.info("-------------------ecampus center request - --------------------------");
return "loginSuccess";
}
shiro部分配置如下
<!-- Shiro的Web过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!--首页,进入到/security/showloginfor控制器方法内。-->
<property name="loginUrl" value="/security/login"/>
<!--<property name="successUrl" value="/home.jsp"/>-->
<!--<property name="unauthorizedUrl" value="/unauthorized.jsp"/>-->
<property name="filters">
<util:map>
<entry key="authc" value-ref="formAuthenticationFilter"/>
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
/security/login=anon
/**=authc
</value>
</property>
</bean>
<!-- Shiro生命周期处理器-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Spring AOP auto-proxy creation (required to support Shiro annotations) -->
<!-- 启用shiro 注解 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>