apache shiro允許多個角色訪問一個url不工作

Question

我有一個簡單的web項目。我想要訪問這個項目中的多個角色是一個URL。網址

[urls] 
/login.xhtml = authc 
/logout = logout 
/admin/** = user, roles[admin] 
/guest/** = user, roles[admin,guest] 

我得到一個401錯誤的

sihor.ini部分，當用戶管理員訪問來賓目錄的作用。

爲什麼？

四郎1.2.1版

Answer 1

還有另一種選擇：角色的自定義實現過濾使用OR的設置，而不是AND所提供的角色。

import org.apache.shiro.subject.Subject; 
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter; 

import javax.servlet.ServletRequest; 
import javax.servlet.ServletResponse; 
import java.io.IOException; 

/** 
* Allows access if current user has at least one role of the specified list. 
* 
* Basically, it's the same as {@link RolesAuthorizationFilter} but using {@literal OR} instead 
* of {@literal AND} on the specified roles. 
* 
* @see RolesAuthorizationFilter 
* @author Andy Belsky 
*/ 
public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter { 

    @Override 
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, 
            Object mappedValue) throws IOException { 

     final Subject subject = getSubject(request, response); 
     final String[] rolesArray = (String[]) mappedValue; 

     if (rolesArray == null || rolesArray.length == 0) { 
      //no roles specified, so nothing to check - allow access. 
      return true; 
     } 

     for (String roleName : rolesArray) { 
      if (subject.hasRole(roleName)) { 
       return true; 
      } 
     } 

     return false; 
    } 
} 

在shiro.ini用法是這樣的：

[main] 
... 
anyofroles = com.your.package.AnyOfRolesAuthorizationFilter 

[urls] 
... 
/path/to/some/url = anyofroles["role1,role2"] 

Answer 2

而不是

/guest/** = user, roles[admin,guest]

嘗試

/guest/** = user, roles[admin],roles[guest]