如何从servlet过滤器中的URL中提取用户名和密码? [英] How do I extract the username and password out of a URL in a servlet filter?

问题描述

我创建了一个BasicAuthFilter，它具有以下签名:

I've created a BasicAuthFilter and it has this signature:

@Override
public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain) throws IOException, ServletException 

如果有人使用正确设置的Authorization标头调用过滤器，则此方法有效.但是，如果使用chrome或Firefox的用户访问该网址，如下所示:

This is working if someone calls the filter with an Authorization header set the right way. But, if someone on chrome or firefox visits the url like this:

http://username:password@localhost:8888

浏览器没有用该信息填充Authorization标头(这让我感到惊讶).我查看了chrome发送的信息，用户名和密码位于请求URL中，但无其他地方.

The browsers are not populating the Authorization header with that information (which surprised me). I looked at the information sent by chrome and the username and password are in the request URL but nowhere else.

我不知道如何从URL中提取该信息.我在HttpServletRequest上尝试了很多吸气剂，但是没有找到任何可以给我用户名和密码的东西.

I can't figure out how to extract that information from the URL. I've tried a lot of getters on the HttpServletRequest, but haven't found anything that gives me the username and password.

注意:是的，我知道这是不安全的，当您尝试测试系统时，使用起来真的很方便.

NOTE: Yes, I know this is insecure, it's just really convenient to use when you're trying to test your system.

推荐答案

我的同事发现

My coworker found this thread that implies this isn't possible in modern browsers. They refuse to send the username:password part of a url over the wire for security reasons.

这篇关于如何从servlet过滤器中的URL中提取用户名和密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！