I don't understand how this code works, and in particular what the purpose of the OncePerRequestFilter class is. I have pasted the working code below.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger; // Logger.getLogger(Class) matches the log4j 1.x API used here
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthenticationFilter extends OncePerRequestFilter {
    private final LoginService loginService;
    private static final Logger logger = Logger.getLogger(AuthenticationFilter.class);

    public AuthenticationFilter(final LoginService loginService) {
        super();
        this.loginService = loginService;
    }

    // OncePerRequestFilter guarantees this runs once per request, even across forward/error dispatches.
    @Override
    protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain)
            throws ServletException, IOException {
        final String xAuth = request.getHeader("X-Authorization");
        // The remainder of the method body is cut off in the posted snippet; pass the request on.
        filterChain.doFilter(request, response);
    }
}
Answer 0 (score: 1)
Authentication and authorization are two different terms. 1. Authentication: you are who you claim to be. 2. Authorization: what you are allowed to do.
Assumption: your question is about authorization: "I want to authorize a specific user based on a REST API".
Configuration: http.authorizeRequests().antMatchers("/products").access("hasRole('ROLE_ADMIN')")
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Both paths go in one matcher: a matcher added after anyRequest() is never consulted.
    http.authorizeRequests().antMatchers("/products", "/hello").access("hasRole('ROLE_ADMIN')").anyRequest().permitAll().and()
        .formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password").and()
        .logout().logoutSuccessUrl("/login?logout").and()
        .exceptionHandling().accessDeniedPage("/403").and()
        .csrf();
}
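The following is an added example, not code from the question or the answer, that puts the two halves together: a OncePerRequestFilter that performs the authentication step (who the caller is, from the X-Authorization header) and a security configuration that performs the authorization step (what that caller may do, via URL rules). It assumes Spring Security 5.x with the javax.servlet API, a hypothetical LoginService.findUserByToken(token) method returning Optional<UserDetails> (the page never shows the real LoginService API), and the class name TokenAuthenticationFilter. It goes slightly beyond the answer by using authenticated() instead of permitAll() as the fallback rule and by showing shouldNotFilter(), which is where a OncePerRequestFilter opts out of paths such as the login form.

```java
import java.io.IOException;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical token lookup; the page never shows the real LoginService API. */
interface LoginService {
    Optional<UserDetails> findUserByToken(String token);
}

/**
 * Authentication step: establish WHO the caller is from the X-Authorization
 * header. Extending OncePerRequestFilter means doFilterInternal() runs at most
 * once per request, even when the container re-dispatches it (FORWARD to
 * /login, ERROR to /403), so the token is not re-validated and the security
 * context is not re-populated on every internal dispatch.
 */
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final LoginService loginService;

    public TokenAuthenticationFilter(LoginService loginService) {
        this.loginService = loginService;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // The form-login endpoint authenticates with username/password, not a token.
        return "/login".equals(request.getServletPath());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String token = request.getHeader("X-Authorization");
        boolean alreadyAuthenticated = SecurityContextHolder.getContext().getAuthentication() != null;
        if (token != null && !token.isBlank() && !alreadyAuthenticated) {
            Optional<UserDetails> user = loginService.findUserByToken(token);
            if (user.isPresent()) {
                // Credentials are null: the token has done its job and should not linger in the context.
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        user.get(), null, user.get().getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Unknown or missing token: leave the context anonymous and let the
        // authorization rules decide (403 / redirect); do not write an error response here.
        chain.doFilter(request, response);
    }
}

/** Authorization step: what an authenticated caller MAY do, expressed as URL rules. */
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final LoginService loginService;

    SecurityConfig(LoginService loginService) {
        this.loginService = loginService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new TokenAuthenticationFilter(loginService), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/products", "/hello").hasRole("ADMIN") // same as access("hasRole('ROLE_ADMIN')")
                .anyRequest().authenticated() // stricter fallback than the answer's permitAll()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403")
            .and()
            .csrf();
    }
}
```

The filter only ever adds an Authentication to the context; it never decides access itself. Keeping that decision in the authorization rules means a missing or bad token produces the same 403 or login redirect as any other unauthenticated request, and there is a single place to audit who may reach /products and /hello.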