Hi sir,

I'm sending you this short letter to ask a few questions.

While learning Shiro and integrating Apache Shiro into Spring-based applications, I looked at the spring-hibernate sample. That application uses annotation-based authorization, but in the Spring configuration applicationContext.xml, the <property name="filterChainDefinitions"> subelement of <bean id="shiroFilter"> also uses /s/manageUsers = perms[user:manage]. I do not understand why, when annotation-based authorization is already used, this perms filter also needs to be configured. This is equivalent to verifying twice.

When I delete /s/manageUsers = perms[user:manage] and try to access /manageUsers as a newly signed-up user, an exception is thrown: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [user:manage], and it does not go to the unauthorized page. But when I delete the annotation @RequiresPermissions("user:manage") on the ManageUsersController method manageUsers and add /s/manageUsers = perms[user:manage] in applicationContext.xml, it also works well. It is as if @RequiresPermissions("user:manage") is useless when I configure <bean id="shiroFilter"> and add a <property name="filterChainDefinitions"> that uses the perms filter with the permission written in []. I read the source code, and the perms filter also checks the permission.
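
The two checks described in the message above, side by side, as an added example that is not part of the original message or of the Shiro sample. It keeps both layers and handles the annotation's exception inside Spring MVC. The securityManager reference, the loginUrl and unauthorizedUrl values, and the view name "unauthorized" are assumptions.

```xml
<!-- Added example. Only the shiroFilter id, the filterChainDefinitions line and the
     exception class come from the message; every other name is an assumption. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Layer 1: URL-level check in the servlet filter chain. When a logged-in user
       fails perms[...], the filter itself redirects to unauthorizedUrl, so the
       request never reaches the controller. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- securityManager is assumed to be defined elsewhere in the context -->
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/s/login"/>
    <property name="unauthorizedUrl" value="/s/unauthorized"/>
    <property name="filterChainDefinitions">
      <value>
        /s/manageUsers = perms[user:manage]
      </value>
    </property>
  </bean>

  <!-- Layer 2: @RequiresPermissions("user:manage") on the controller method is
       enforced at method invocation and throws UnauthorizedException. The
       filter's unauthorizedUrl is not consulted on this path, so the exception
       is mapped to a view here. This bean must be visible to the
       DispatcherServlet that serves the controller. -->
  <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="exceptionMappings">
      <props>
        <prop key="org.apache.shiro.authz.UnauthorizedException">unauthorized</prop>
      </props>
    </property>
  </bean>

</beans>
```

With both layers in place, the method stays protected if a URL pattern in filterChainDefinitions is later changed or the same method becomes reachable under another mapping.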
