xenteros xenteros - 1 year ago 89
Java Question

How do I disable resolving login parameters passed as url parameters / from the url

The application logs all requested

s. This means, that it's critical not to authenticate using url parameters, because it would cause the situation in which logs are full of pairs
. For this reason I've configured
to read parameters from
. It's done by adding the following line to the

'Content-Type': 'application/x-www-form-urlencoded'

The body will be:

{'login':'admin', 'password':'password'}

It's fine, but the QA forces me to disable the possibility of authentication via url paramters. At the moment a POST to the following URL will also authenticate:


Does anyone know a trick to disable this option? With an annotation preferably.

Due to the comment I decided to add some more details to my problem. My is configured with
. I have


This makes
searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

Answer Source

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.

HttpServletRequest.getParameter doc states:

Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.

But you can try to alter this with filter that should look something like this:

public class DisableGetAuthFiler extends OncePerRequestFilter {

    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
                new HttpServletRequestWrapper(request) {
                    public String getParameter(String name) {
                        if (("login".equals(name) && getQueryString().contains("login"))
                                || ("password".equals(name) && getQueryString().contains("password"))) {
                            return null;
                        } else {
                            return super.getParameter(name);

EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername() and obtainPassword() instead of attemptAuthentication().

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download