Updated: 2023-12-05 22:41:16
I believe the error that you mention is just because the AbstractAuthenticationProcessingFilter base class that you are using requires an AuthenticationManager. If you aren't going to use it you can set it to a no-op, or just implement Filter directly. If your Filter can authenticate the request and sets up the SecurityContext then usually the downstream processing will be skipped (it depends on the implementation of the downstream filters, but I don't see anything weird in your app, so they probably all behave that way).
If I were you I might consider putting the API endpoints in a completely separate filter chain (another WebSecurityConfigurerAdapter bean). But that only makes things easier to read, not necessarily crucial.
You might find (as suggested in comments) that you end up reinventing the wheel, but no harm in trying, and you will probably learn more about Spring and Security in the process.
ADDITION: the GitHub approach is quite interesting: users just use the token as a password in basic auth, and the server doesn't need a custom filter (BasicAuthenticationFilter is fine).