Wenn es keinen `Authorization`-Header sieht, oder der Wert keinen `Bearer `-Token hat, antwortet es direkt mit einem 401-Statuscode-Error (`UNAUTHORIZED`).

Sie müssen nicht einmal prüfen, ob der Token existiert, um einen Fehler zurückzugeben. Seien Sie sicher, dass Ihre Funktion, wenn sie ausgeführt wird, ein `str` in diesem Token enthält.

/// info | Дополнительная информация
Дополнительный HTTP-заголовок `WWW-Authenticate` со значением `Bearer`, который мы здесь возвращаем, также является частью спецификации.

Любой HTTP статус-код 401 "UNAUTHORIZED" должен также возвращать заголовок `WWW-Authenticate`.

В случае с bearer-токенами (наш случай) значение этого заголовка должно быть `Bearer`.

///

## 实现的操作

FastAPI 校验请求中的 `Authorization` 请求头，核对请求头的值是不是由 `Bearer ` ＋ 令牌组成， 并返回令牌字符串（`str`）。

如果没有找到 `Authorization` 请求头，或请求头的值不是 `Bearer ` ＋ 令牌。FastAPI 直接返回 401 错误状态码（`UNAUTHORIZED`）。

开发者不需要检查错误信息，查看令牌是否存在，只要该函数能够执行，函数中就会包含令牌字符串。

正如下图所示，API 文档已经包含了这项功能：

<img src="/img/tutorial/security/image03.png">

目前，暂时还没有实现验证令牌是否有效的功能，不过后文很快就会介绍的。

## 小结

errors.invalid_header_for_request_file=Invalid header line: {0}
errors.could_not_delete_logged_in_user=You cannot delete a user who is logged in.
errors.unauthorized_request=Unauthorized request.
errors.failed_to_print_thread_dump=Failed to print a thread dump.
errors.file_is_not_supported={0} is not supported.
errors.plugin_file_is_not_found={0} is not found.

errors.invalid_header_for_request_file=Invalid header line: {0}
errors.could_not_delete_logged_in_user=You cannot delete a user who is logged in.
errors.unauthorized_request=Unauthorized request.
errors.failed_to_print_thread_dump=Failed to print a thread dump.
errors.file_is_not_supported={0} is not supported.
errors.plugin_file_is_not_found={0} is not found.

            }
            if (status) {
                return new ActionResponseCredential(() -> {
                    throw new RequestLoggingFilter.RequestClientErrorException("Your request is not authorized.", "401 Unauthorized",
                            HttpServletResponse.SC_UNAUTHORIZED);
                });
            }

            // assert
            if (null == principal) {

/// info | Informação

O cabeçalho adicional `WWW-Authenticate` com valor `Bearer` que estamos retornando aqui também faz parte da especificação.

Qualquer código de status HTTP (erro) 401 "UNAUTHORIZED" também deve retornar um cabeçalho `WWW-Authenticate`.

No caso de tokens ao portador (nosso caso), o valor desse cabeçalho deve ser `Bearer`.

Na verdade, você pode pular esse cabeçalho extra e ainda funcionaria.

因此，在端点中，只有当用户存在、通过身份验证、且状态为激活时，才能获得该用户：

{* ../../docs_src/security/tutorial003.py hl[58:67,69:72,90] *}

/// info | 说明

此处返回值为 `Bearer` 的响应头 `WWW-Authenticate` 也是规范的一部分。

任何 401**UNAUTHORIZED**HTTP（错误）状态码都应返回 `WWW-Authenticate` 响应头。

本例中，因为使用的是 Bearer Token，该响应头的值应为 `Bearer`。

实际上，忽略这个附加响应头，也不会有什么问题。

之所以在此提供这个附加响应头，是为了符合规范的要求。

说不定什么时候，就有工具用得上它，而且，开发者或用户也可能用得上。

这就是遵循标准的好处……

    public void validateRemoteAccess(long remoteAddress, int length, int remoteKey) {
        // Validate that remote memory access is authorized
        // This would integrate with SMB3 encryption/signing
        if (!isAuthorizedAccess(remoteAddress, length, remoteKey)) {
            throw new SecurityException("Unauthorized RDMA remote access");
        }
    }
    
    private boolean isAuthorizedAccess(long address, int length, int key) {

   *
   * The network response's status code is most influential when deciding how to follow up:
   *
   *  * For redirects (301: Moved Permanently, 302: Temporary Redirect, etc.)
   *  * For auth challenges (401: Unauthorized, 407: Proxy Authentication Required.)
   *  * For client timeouts (408: Request Time-Out.)
   *  * For server failures (503: Service Unavailable.)
   *