The application logs all requested url
s. This means, that it's critical not to authenticate using url parameters, because it would cause the situation in which logs are full of pairs (login=abc&password=123)
. For this reason I've configured spring-security
to read parameters from request-body
. It's done by adding the following line to the request-header
:
'Content-Type': 'application/x-www-form-urlencoded'
The body will be:
{'login':'admin', 'password':'password'}
It's fine, but the QA forces me to disable the possibility of authentication via url paramters. At the moment a POST to the following URL will also authenticate:
https://example.com/foo?login=admin&password=password
Does anyone know a trick to disable this option? With an annotation preferably.
Due to the comment I decided to add some more details to my problem. My spring-security
is configured with WebSecurityConfigurerAdapter
. I have
http.usernameParameter("login")
.passwordParameter("password")
(...)
This makes Spring
searching login data in both - parameters and body. I wish to disable searching those parameters in the url.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…