In this example:
@Secured("ROLE_TRUSTED_USER")
@RequestMapping(value = "/orders/{code}", method = RequestMethod.GET)
@ResponseBody
public OrderDTO getOrder(@PathVariable final String code,
        @RequestHeader(required = true) final String headerID) {}
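If I don't send headerID, I get a ServletRequestBindingError even when I haven't sent an OAUTH access token. Only when I send the headerID parameter do I get accessDenied because of the missing token.
Is there any way to check the OAUTH accessToken FIRST and then bind the request parameters?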
<http pattern="/**" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="webSecurityAccessDecisionManager"
xmlns="http://www.springframework.org/schema/security" create-session="stateless">
<intercept-url pattern="/**" requires-channel="https"/>