且构网

Spring Security - token-based authentication for an API & username/password authentication

Updated: 2023-12-05 22:41:16

I believe the error that you mention is just because the AbstractAuthenticationProcessingFilter base class that you are using requires an AuthenticationManager. If you aren't going to use it you can set it to a no-op, or just implement Filter directly. If your Filter can authenticate the request and sets up the SecurityContext then usually the downstream processing will be skipped (it depends on the implementation of the downstream filters, but I don't see anything weird in your app, so they probably all behave that way).

If I were you I might consider putting the API endpoints in a completely separate filter chain (another WebSecurityConfigurerAdapter bean). But that only makes things easier to read; it's not necessarily crucial.

You might find (as suggested in comments) that you end up reinventing the wheel, but no harm in trying, and you will probably learn more about Spring and Security in the process.

ADDITION: the GitHub approach is quite interesting: users just use the token as a password in basic auth, and the server doesn't need a custom filter (BasicAuthenticationFilter is fine).
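The two points in the answer above, a token filter that implements Filter directly (so no AuthenticationManager is needed) and a separate filter chain for the API endpoints, as an added example that is not part of the original answer. It assumes Spring Boot 2.x / Spring Security 5.x (pre-5.7), where WebSecurityConfigurerAdapter still exists as the answer describes; the class names ApiTokenFilter, ApiSecurity and WebSecurity, the `/api/**` path, the `ROLE_API` authority and the token store are all constructed for the example.

```java
// Added example, not code from the original answer. Assumes Spring Security 5.x
// with WebSecurityConfigurerAdapter; class names, paths and tokens are constructed.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// A filter that authenticates the request itself and sets up the SecurityContext.
// It extends OncePerRequestFilter (a plain Filter), so no AuthenticationManager is required.
class ApiTokenFilter extends OncePerRequestFilter {
    // Constructed sample token store: token -> username. A real store would hold
    // a hash of each token and look it up by hash.
    private static final Map<String, String> TOKENS = Map.of("example-token-abc123", "alice");

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String user = lookup(header.substring("Bearer ".length()));
            if (user != null) {
                // The three-argument constructor marks the token as authenticated.
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        user, null, AuthorityUtils.createAuthorityList("ROLE_API"));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Unknown or missing token: leave the context empty and let the chain's
        // entry point reject the request; downstream filters see no authentication.
        chain.doFilter(req, res);
    }

    private static String lookup(String presented) {
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        for (Map.Entry<String, String> e : TOKENS.entrySet()) {
            // Constant-time comparison so response timing does not leak prefix matches.
            if (MessageDigest.isEqual(e.getKey().getBytes(StandardCharsets.UTF_8), p)) {
                return e.getValue();
            }
        }
        return null;
    }
}

@EnableWebSecurity
class SecurityConfig {
    // Chain 1: API endpoints only. Stateless, token-authenticated, CSRF off because
    // there is no session cookie for a cross-site request to ride on.
    @Configuration
    @Order(1)
    static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()
                .addFilterBefore(new ApiTokenFilter(), UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests().anyRequest().hasRole("API");
        }
    }

    // Chain 2 (default order): everything else keeps the ordinary form login.
    @Configuration
    static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and().formLogin();
        }
    }
}
```

Requests to `/api/**` are matched by the first chain and never reach the form-login chain, which is what keeps the two configurations readable. For the GitHub-style variant mentioned in the addition, the token filter goes away entirely: the API chain uses `httpBasic()` and a UserDetailsService or AuthenticationProvider that treats the presented password as the token, so the stock BasicAuthenticationFilter does the work.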