如何禁用从url中作为url parameters /传递的解析登录参数 [英] How do I disable resolving login parameters passed as url parameters / from the url

问题描述

应用程序记录所有请求的 url s。这意味着，关键是不要使用url参数进行身份验证，因为这会导致日志中充满了对的情况（login = abc& password = 123）。出于这个原因，我已经配置 spring-security 来从 request-body 中读取参数。通过将以下行添加到请求标头来完成：

The application logs all requested urls. This means, that it's critical not to authenticate using url parameters, because it would cause the situation in which logs are full of pairs (login=abc&password=123). For this reason I've configured spring-security to read parameters from request-body. It's done by adding the following line to the request-header:

'Content-Type': 'application/x-www-form-urlencoded'

正文将是：

{'login':'admin', 'password':'password'}

没关系，但QA强迫我通过url参数禁用身份验证的可能性。目前，对以下网址的POST也会进行身份验证：

It's fine, but the QA forces me to disable the possibility of authentication via url paramters. At the moment a POST to the following URL will also authenticate:

https://example.com/foo?login=admin&password=password

有没有人知道禁用此选项的技巧？最好使用注释。

Does anyone know a trick to disable this option? With an annotation preferably.

由于评论我决定在我的问题中添加更多细节。我的 spring-security 已配置为 WebSecurityConfigurerAdapter 。我有

Due to the comment I decided to add some more details to my problem. My spring-security is configured with WebSecurityConfigurerAdapter. I have

http.usernameParameter("login")
    .passwordParameter("password")
(...)

这使得 Spring 搜索登录数据 - 参数和正文。我希望禁用在网址中搜索这些参数。

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

推荐答案

这使得Spring搜索登录数据两者 - 参数和身体。我希望禁用在网址中搜索这些参数。

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

我认为这是不可能的，因为Spring没有实现这种行为而不是JavaEE本身。

I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.

HttpServletRequest.getParameter doc说明：

HttpServletRequest.getParameter doc states:

返回值请求参数为String，如果参数不存在，则为null。请求参数是随请求一起发送的额外信息。对于HTTP servlet，参数包含在查询字符串或发布的表单数据中。

但是你可以尝试使用看起来像这样的过滤器来改变它：

But you can try to alter this with filter that should look something like this:

public class DisableGetAuthFiler extends OncePerRequestFilter {
    ...

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(
                new HttpServletRequestWrapper(request) {
                    @Override
                    public String getParameter(String name) {
                        if (("login".equals(name) && getQueryString().contains("login"))
                                || ("password".equals(name) && getQueryString().contains("password"))) {
                            return null;
                        } else {
                            return super.getParameter(name);
                        }
                    }
                },
                response
        );
    }
}

编辑 Haim Raman 提出另一个解决方案使用现有过滤器而不是引入新过滤器。只有我建议覆盖 obtainUsername（）和 obtainPassword（）而不是 attemptAuthentication（）。

EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername() and obtainPassword() instead of attemptAuthentication().

这篇关于如何禁用从url中作为url parameters /传递的解析登录参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！