[英]Spring Security Oauth2: Fallback when access token is invalid/expired
I am using Spring Security to protect my endpoints. 我正在使用Spring Security保护我的端点。
My problem is, is it possible to response differently when users are using valid/invalid access token? 我的问题是,当用户使用有效/无效的访问令牌时,响应是否可能有所不同?
For example, for a single /api/info 例如,对于单个/ api / info
(1) When an invalid/expired access token is passed in the request, only very limited information will be returned (1)在请求中传递无效/过期的访问令牌时,将仅返回非常有限的信息
(2) When a valid access token is passed in the request, very customized and rich content is returned according to a different user. (2)在请求中传递有效的访问令牌后,将根据不同的用户返回非常定制且丰富的内容。
I've tried to use access=permitAll()
, but it doesn't work because invalid tokens can not pass oauth2 validation. 我尝试使用access=permitAll()
,但是它无效,因为无效令牌无法通过oauth2验证。
Using security="none"
is also not working because it will not try to get user info at all. 使用security="none"
也不起作用,因为它根本不会尝试获取用户信息。
编写一个自定义的OAuth2AccessDeniedHandler ,然后使用security:access-denied-handler
XML标记或类似的Java Config将其插入到/info
端点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.