xenteros - 3 months ago
Java Question

Disable resolving login parameters passed as url parameters

The application logs all requested urls. This means that it's critical not to authenticate using url parameters, because it would cause the situation in which the logs are full of login and password pairs. For this reason I've configured spring-security to read parameters from the request-body. It's done by adding the following line to the request-header:

'Content-Type': 'application/x-www-form-urlencoded'


The body will be:

{'login':'admin', 'password':'password'}


It's fine, but the QA forces me to disable the possibility of authentication via url parameters. At the moment a POST to the following URL will also authenticate:

https://example.com/foo?login=admin&password=password


Does anyone know a trick to disable this option? Via annotation preferably.

Due to the comment I decided to add some more details to my problem. My application is configured with WebSecurityConfigurerAdapter. I have

http.usernameParameter("login")
.passwordParameter("password")
(...)


This makes Spring search for login data in both the parameters and the body. I wish to disable searching for those parameters in the url.

Answer

This makes Spring search for login data in both the parameters and the body. I wish to disable searching for those parameters in the url.

I believe this is not possible since this behaviour is not implemented by Spring but rather by JavaEE itself.

HttpServletRequest.getParameter doc states:

Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.

But you can try to alter this with a filter that should look something like this:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class DisableGetAuthFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(
                new HttpServletRequestWrapper(request) {
                    // Hide "login" and "password" whenever they appear in the query string,
                    // so the form-login filter only sees values that were posted in the body.
                    @Override
                    public String getParameter(String name) {
                        String query = getQueryString(); // null when the URL has no query string
                        if (query != null
                                && (("login".equals(name) && query.contains("login"))
                                || ("password".equals(name) && query.contains("password")))) {
                            return null;
                        }
                        return super.getParameter(name);
                    }
                },
                response
        );
    }
}
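The same wrapper idea, written out as an added example rather than code from the question or the answer: it matches decoded query-string keys exactly instead of by substring (so a parameter such as loginCount is untouched), hides the affected names from all three parameter accessors, and is null-safe when there is no query string. QueryCredentialsFilter and queryKeys are names chosen here.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical name): hides credential parameters that arrived in the URL.
public class QueryCredentialsFilter extends OncePerRequestFilter {
    private static final Set<String> SECRET = new HashSet<>(Arrays.asList("login", "password"));

    // Exact, URL-decoded query-string keys: "login=x" matches, "loginCount=3" does not.
    static Set<String> queryKeys(String query) throws IOException {
        Set<String> keys = new HashSet<>();
        if (query == null) return keys;                 // no query string at all
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            keys.add(URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8"));
        }
        return keys;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Set<String> hidden = queryKeys(req.getQueryString());
        hidden.retainAll(SECRET);                       // only credential names that came via the URL
        if (hidden.isEmpty()) { chain.doFilter(req, res); return; }
        chain.doFilter(new HttpServletRequestWrapper(req) {
            // All three accessors are masked, so no consumer can read the URL-supplied credentials.
            @Override public String getParameter(String n) { return hidden.contains(n) ? null : super.getParameter(n); }
            @Override public String[] getParameterValues(String n) { return hidden.contains(n) ? null : super.getParameterValues(n); }
            @Override public Map<String, String[]> getParameterMap() {
                Map<String, String[]> m = new HashMap<>(super.getParameterMap());
                m.keySet().removeAll(hidden);
                return m;
            }
        }, res);
    }
}
```

Register it in the WebSecurityConfigurerAdapter with http.addFilterBefore(new QueryCredentialsFilter(), UsernamePasswordAuthenticationFilter.class) so it runs before form login reads the parameters; a request carrying the credentials in the query string then fails authentication instead of succeeding.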
Comments