如何禁用解析作为 url 参数/从 url 传递的登录参数 [英] How do I disable resolving login parameters passed as url parameters / from the url

问题描述

应用程序记录所有请求的url.这意味着，重要的是不要使用 url 参数进行身份验证，因为这会导致日志充满对 (login=abc&password=123) 的情况.为此，我配置了 spring-security 以从 request-body 读取参数.这是通过将以下行添加到 request-header 来完成的:

The application logs all requested urls. This means, that it's critical not to authenticate using url parameters, because it would cause the situation in which logs are full of pairs (login=abc&password=123). For this reason I've configured spring-security to read parameters from request-body. It's done by adding the following line to the request-header:

'Content-Type': 'application/x-www-form-urlencoded'

正文将是:

{'login':'admin', 'password':'password'}

没关系，但 QA 强制我禁用通过 url 参数进行身份验证的可能性.目前，对以下 URL 的 POST 也将进行身份验证:

It's fine, but the QA forces me to disable the possibility of authentication via url paramters. At the moment a POST to the following URL will also authenticate:

https://example.com/foo?login=admin&password=password

有人知道禁用此选项的技巧吗?最好有注释.

Does anyone know a trick to disable this option? With an annotation preferably.

由于评论，我决定为我的问题添加更多细节.我的 spring-security 是用 WebSecurityConfigurerAdapter 配置的.我有

Due to the comment I decided to add some more details to my problem. My spring-security is configured with WebSecurityConfigurerAdapter. I have

http.usernameParameter("login")
    .passwordParameter("password")
(...)

这使得 Spring 在参数和正文中搜索登录数据.我希望禁止在 url 中搜索这些参数.

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

推荐答案

这使得 Spring 在参数和正文中搜索登录数据.我希望禁止在 url 中搜索这些参数.

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

我相信这是不可能的，因为这种行为不是由 Spring 而不是 JavaEE 本身实现的.

I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.

HttpServletRequest.getParameter 文档说明:

HttpServletRequest.getParameter doc states:

以字符串形式返回请求参数的值，如果该参数不存在，则返回 null.请求参数是随请求发送的额外信息.对于 HTTP servlet，参数包含在查询字符串或发布的表单数据中.

Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.

但是您可以尝试使用看起来像这样的过滤器来改变它:

But you can try to alter this with filter that should look something like this:

public class DisableGetAuthFiler extends OncePerRequestFilter {
    ...

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(
                new HttpServletRequestWrapper(request) {
                    @Override
                    public String getParameter(String name) {
                        if (("login".equals(name) && getQueryString().contains("login"))
                                || ("password".equals(name) && getQueryString().contains("password"))) {
                            return null;
                        } else {
                            return super.getParameter(name);
                        }
                    }
                },
                response
        );
    }
}

EDIT Haim Raman 提出了另一个使用现有过滤器而不是引入新过滤器的解决方案.只有我会建议覆盖 obtainUsername() 和 obtainPassword() 而不是 attemptAuthentication().

EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername() and obtainPassword() instead of attemptAuthentication().

这篇关于如何禁用解析作为 url 参数/从 url 传递的登录参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！