If you are doing all your filtering at the request level, that is all you need.
On Thu, Aug 7, 2014 at 2:05 AM, Govert Peng <[email protected]> wrote:

> Hi sir:
>
> I'm sending you this short letter to ask a few questions.
>
> In the process of learning Shiro, when integrating Apache Shiro into
> Spring-based applications, I looked at the sample spring-hibernate. That
> application uses annotation-based authorization, but in the Spring
> configuration applicationContext.xml, the <bean id="shiroFilter">
> subelement <property name="filterChainDefinitions"> uses
> /s/manageUsers = perms[user:manage]. I do not understand why, having used
> annotation-based authorization, it also needs to configure this perms
> filter. This is equivalent to verifying two times.
>
> When I delete /s/manageUsers = perms[user:manage] and try to access
> /manageUsers as a newly signed-up user, it throws an exception
> org.apache.shiro.authz.UnauthorizedException: Subject does not have
> permission [user:manage], and does not go to the unauthorized page. But when I
> delete the annotation @RequiresPermissions("user:manage") on the
> ManageUsersController method manageUsersmanageUsers, and add
> /s/manageUsers = perms[user:manage] in applicationContext.xml, it also
> works well. It is as if @RequiresPermissions("user:manage") is useless when I
> configure <bean id="shiroFilter"> with <property name="filterChainDefinitions">,
> use the perms filter and write the permission in []. I read the source code;
> the perms filter also checks the permission.
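
The annotation-only case described in the question, as an added example that is not part of the original thread or the Shiro sample: when the `perms[user:manage]` URL rule is removed, the denial is raised as an exception from the method call rather than handled by the filter, so the application has to map it to a page itself. The view names, the 403 status and the exception-handler method are assumptions; Shiro's annotation support (the AOP advisor the sample already configures) is assumed to be enabled.

```java
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;

@Controller
public class ManageUsersController {

    // Method-level check. It is enforced on every call that reaches this
    // method, whichever URL pattern routed the request here, so it does not
    // depend on a matching "/s/manageUsers = perms[user:manage]" line in
    // filterChainDefinitions.
    @RequiresPermissions("user:manage")
    @RequestMapping("/manageUsers")
    public String manageUsers() {
        return "manageUsers"; // assumed view name
    }

    // Without the URL rule, a subject lacking user:manage triggers
    // UnauthorizedException from the annotation interceptor. The filter's
    // unauthorized redirect is not involved, so the exception is translated
    // to a response here instead of surfacing as a stack trace.
    @ExceptionHandler(UnauthorizedException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String onUnauthorized() {
        return "unauthorized"; // assumed view name for the denial page
    }
}
```

Keeping both the URL rule and the annotation gives two independent checks: the filter rejects the request early and redirects, and the annotation still protects the method if a URL pattern is later changed or another route reaches it.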
