Shiro's default `roles` filter (`RolesAuthorizationFilter`) has AND semantics: it calls `subject.hasAllRoles(...)`, so the user must hold every role listed in `roles[...]` before the request is allowed.
In real projects the OR requirement is far more common: the request should be allowed as long as the user holds at least one of the listed roles.
That means overriding the `roles` filter with your own implementation, as follows:
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/** Custom filter that replaces the default roles filter and turns AND into OR. */
public class RoleFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws Exception {
        // mappedValue is the String[] that a chain entry such as "roles[user,leader]" parses to
        String[] roles = (String[]) mappedValue;
        if (roles == null || roles.length == 0) {
            // no role restriction configured for this path: allow (same rule as the stock filter)
            return true;
        }
        Subject subject = getSubject(request, response);
        for (String role : roles) {
            if (subject.hasRole(role)) {
                // OR: one matching role is enough
                return true;
            }
        }
        // nothing matched; AuthorizationFilter.onAccessDenied() takes care of the redirect / 401
        return false;
    }
}
Once the class is written, register it in the `filters` map of the `ShiroFilterFactoryBean` in your configuration class, as below. Two points to keep in mind: registering it under the name `roles` replaces the built-in AND filter for every chain definition, so if some paths still need AND semantics, register the new filter under a separate name (for example `anyRole`) instead; and, exactly like the stock filter, a chain entry that names the filter without any role list is treated as unrestricted, so a missing `[...]` argument in a chain definition silently opens that path to every subject, including anonymous ones.
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);

        // Custom filters. "roles" overrides the built-in RolesAuthorizationFilter.
        // The filter is instantiated directly instead of being exposed as a @Bean:
        // Spring Boot registers every Filter bean with the servlet container, which
        // would run it for all requests outside Shiro's chain (unless you disable
        // that with a FilterRegistrationBean).
        Map<String, Filter> filtersMap = new LinkedHashMap<>();
        filtersMap.put("roles", new RoleFilter());
        shiroFilterFactoryBean.setFilters(filtersMap);

        // Chain definitions: /user/** is allowed for holders of "user" OR "leader".
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/user/**", "roles[user,leader]");
        // rules for other resources go here
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }
}
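To see the AND and OR semantics side by side, here is an added JUnit 5 test (written for this page; it is not code from the original post) that runs the stock `RolesAuthorizationFilter` and the `RoleFilter` above against an in-memory `SimpleAccountRealm` with constructed accounts. It assumes the test class lives in the same package as `RoleFilter` (the package name `com.example.shiro` is a placeholder) so the protected `isAccessAllowed` can be called, and that shiro-core, shiro-web, the servlet API and JUnit 5 are on the classpath. The request and response arguments are passed as `null` because `AccessControlFilter.getSubject()` ignores them and reads the thread-bound Subject. The last test covers the edge case both filters share: a missing or empty role list grants access even to an anonymous subject.

```java
package com.example.shiro; // assumption: same package as RoleFilter

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

class RoleFilterTest {

    // What PathMatchingFilter hands the filter for the chain entry "roles[user,leader]".
    private static final String[] USER_OR_LEADER = {"user", "leader"};

    private DefaultSecurityManager securityManager;

    @BeforeEach
    void setUp() {
        // Constructed test accounts in an in-memory realm: no database, no web container.
        SimpleAccountRealm realm = new SimpleAccountRealm("test-realm");
        realm.addAccount("alice", "secret", "leader");        // holds only one of the two roles
        realm.addAccount("bob", "secret", "user", "leader");  // holds both
        securityManager = new DefaultSecurityManager(realm);
    }

    @AfterEach
    void tearDown() {
        ThreadContext.remove(); // never leak a Subject into the next test
    }

    // AccessControlFilter.getSubject(request, response) delegates to SecurityUtils.getSubject(),
    // which returns the Subject bound to the current thread, so binding one here is enough.
    private void bindSubject(String username) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        if (username != null) {
            subject.login(new UsernamePasswordToken(username, "secret"));
        }
        ThreadContext.bind(subject);
    }

    @Test
    void stockRolesFilterRequiresAllRoles() throws Exception {
        RolesAuthorizationFilter andFilter = new RolesAuthorizationFilter();
        bindSubject("alice");
        assertFalse(andFilter.isAccessAllowed(null, null, USER_OR_LEADER)); // "leader" alone is not enough
        bindSubject("bob");
        assertTrue(andFilter.isAccessAllowed(null, null, USER_OR_LEADER));
    }

    @Test
    void customRoleFilterAcceptsAnyListedRole() throws Exception {
        RoleFilter orFilter = new RoleFilter();
        bindSubject("alice");
        assertTrue(orFilter.isAccessAllowed(null, null, USER_OR_LEADER)); // one matching role suffices
        bindSubject("bob");
        assertTrue(orFilter.isAccessAllowed(null, null, USER_OR_LEADER));
    }

    @Test
    void anonymousIsDeniedUnlessRoleListIsMissing() throws Exception {
        RoleFilter orFilter = new RoleFilter();
        bindSubject(null); // unauthenticated: hasRole() is false for every role
        assertFalse(orFilter.isAccessAllowed(null, null, USER_OR_LEADER));
        // Same rule as the stock filter: no role list means "no restriction", so a chain
        // entry that names the filter without roles lets anyone through, anonymous included.
        assertTrue(orFilter.isAccessAllowed(null, null, null));
        assertTrue(orFilter.isAccessAllowed(null, null, new String[0]));
    }
}
```

Run it with your usual Maven or Gradle test task. If you need a path that is open to authenticated users regardless of role, express that with the `authc` filter in the chain definition rather than relying on an empty role list, so that the intent is visible in the configuration.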