subject.isPermitted("...") 或 subject.hasRole("...")
接着调用DelegatingSubject中的如下方法
/**
 * Reports whether this subject holds the given role.
 *
 * <p>A subject without principals is answered {@code false} at this layer; the
 * security manager is consulted only when {@code hasPrincipals()} is true, so a
 * subject with no identity never reaches the realm lookup.
 *
 * @param roleIdentifier role name to test
 * @return {@code true} only when principals exist and the security manager confirms the role
 */
public boolean hasRole(String roleIdentifier)
{
    if (!hasPrincipals())
    {
        // No identity attached to the subject: deny without delegating.
        return false;
    }
    return securityManager.hasRole(getPrincipals(), roleIdentifier);
}
securityManager 为DefaultSecurityManager
调用securityManager.hasRole或securityManager.isPermitted，其实是调用DefaultSecurityManager的父类中的方法：
/**
 * Answers a role check by handing it, unchanged, to the configured {@code authorizer}.
 * No authorization decision is taken at this layer.
 *
 * @param principals     identity to check
 * @param roleIdentifier role name to test
 * @return whatever {@code authorizer.hasRole} returns
 */
public boolean hasRole(PrincipalCollection principals, String roleIdentifier)
{
    final boolean granted = authorizer.hasRole(principals, roleIdentifier);
    return granted;
}
或者
/**
 * Answers a permission check by handing it, unchanged, to the configured {@code authorizer}.
 * The permission string is not parsed or validated at this layer.
 *
 * @param principals       identity to check
 * @param permissionString permission expression to test
 * @return whatever {@code authorizer.isPermitted} returns
 */
public boolean isPermitted(PrincipalCollection principals, String permissionString)
{
    final boolean granted = authorizer.isPermitted(principals, permissionString);
    return granted;
}
其中authorizer = new ModularRealmAuthorizer();
ModularRealmAuthorizer 中的hasRole/isPermitted的判断为
/**
 * Asks each configured realm in turn whether the principals hold the role.
 *
 * <p>The result is a logical OR across realms: the first realm that implements
 * {@code Authorizer} and answers {@code true} ends the search with a grant.
 * Realms that do not implement {@code Authorizer} are skipped, and the answer
 * is {@code false} when no realm grants. Because one granting realm is enough,
 * every configured authorizing realm can widen access on its own.
 *
 * @param principals     identity to check
 * @param roleIdentifier role name to test
 * @return {@code true} if any authorizing realm grants the role
 */
public boolean hasRole(PrincipalCollection principals, String roleIdentifier)
{
    // Runs before any realm is consulted.
    assertRealmsConfigured();
    for (Object entry : getRealms())
    {
        Realm realm = (Realm) entry;
        if (!(realm instanceof Authorizer))
        {
            continue; // this realm takes no part in authorization
        }
        if (((Authorizer) realm).hasRole(principals, roleIdentifier))
        {
            return true;
        }
    }
    // Default deny: no realm granted the role.
    return false;
}

/**
 * Asks each configured realm in turn whether the principals hold the permission.
 *
 * <p>Same any-realm-grants rule as the role check: the first realm that
 * implements {@code Authorizer} and answers {@code true} wins, realms that do
 * not implement {@code Authorizer} are skipped, and the default is {@code false}.
 *
 * @param principals identity to check
 * @param permission permission expression to test
 * @return {@code true} if any authorizing realm grants the permission
 */
public boolean isPermitted(PrincipalCollection principals, String permission)
{
    // Runs before any realm is consulted.
    assertRealmsConfigured();
    for (Object entry : getRealms())
    {
        Realm realm = (Realm) entry;
        if (!(realm instanceof Authorizer))
        {
            continue; // this realm takes no part in authorization
        }
        if (((Authorizer) realm).isPermitted(principals, permission))
        {
            return true;
        }
    }
    // Default deny: no realm granted the permission.
    return false;
}
接着就是调用抽象类AuthorizingRealm中的hasRole/isPermitted,
/**
 * Looks up the authorization info for the principal and tests it for the role.
 *
 * @param principal      identity whose authorization info is fetched
 * @param roleIdentifier role name to test
 * @return result of the info-based {@code hasRole} overload
 */
public boolean hasRole(PrincipalCollection principal, String roleIdentifier)
{
    // The decision is made entirely from what getAuthorizationInfo returns.
    return hasRole(roleIdentifier, getAuthorizationInfo(principal));
}
/**
 * Tests whether the given authorization info lists the role.
 *
 * <p>Fails closed: a {@code null} info object or a {@code null} role collection
 * yields {@code false}. Matching is delegated to the role collection's own
 * {@code contains}.
 * NOTE(review): presumably an exact string match; this depends on the
 * collection type returned by {@code getRoles()} - confirm.
 *
 * @param roleIdentifier role name to test
 * @param info           authorization info, may be {@code null}
 * @return {@code true} only if the role collection exists and contains the role
 */
protected boolean hasRole(String roleIdentifier, AuthorizationInfo info)
{
    if (info == null)
    {
        return false;
    }
    if (info.getRoles() == null)
    {
        return false;
    }
    return info.getRoles().contains(roleIdentifier);
}
或者
/**
 * Converts the permission string into a {@code Permission} through the
 * configured permission resolver, then runs the object-based check.
 *
 * <p>No error handling happens here, so whatever the resolver throws for a
 * string it cannot parse propagates to the caller.
 *
 * @param principals identity to check
 * @param permission permission expression to resolve and test
 * @return result of the {@code Permission}-based overload
 */
public boolean isPermitted(PrincipalCollection principals, String permission)
{
    return isPermitted(principals, getPermissionResolver().resolvePermission(permission));
}
/**
 * Looks up the authorization info for the principals and tests it for the permission.
 *
 * @param principals identity whose authorization info is fetched
 * @param permission permission to test
 * @return result of the info-based {@code isPermitted} overload
 */
public boolean isPermitted(PrincipalCollection principals, Permission permission)
{
    // The decision is made entirely from what getAuthorizationInfo returns.
    return isPermitted(permission, getAuthorizationInfo(principals));
}
/**
 * Tests whether any permission held in the authorization info implies the requested one.
 *
 * <p>Fails closed: a {@code null} or empty permission collection yields
 * {@code false}. The grant itself is whatever each held permission's
 * {@code implies} returns, so the matching rules live in the
 * {@code Permission} implementation rather than in this method.
 *
 * @param permission permission being requested
 * @param info       authorization info passed to {@code getPermissions}
 * @return {@code true} as soon as one held permission implies the requested one
 */
private boolean isPermitted(Permission permission, AuthorizationInfo info)
{
    Collection granted = getPermissions(info);
    if (granted != null && !granted.isEmpty())
    {
        for (Object entry : granted)
        {
            Permission held = (Permission) entry;
            if (held.implies(permission))
            {
                return true;
            }
        }
    }
    // Default deny: nothing held implies the request.
    return false;
}
其中getAuthorizationInfo中通过方法doGetAuthorizationInfo获取已存在的授权信息
doGetAuthorizationInfo的具体内容由子类实现
原文:http://yaomy.blog.51cto.com/8892139/1727777