How do I disable resolving login parameters passed as url parameters / from the url

by

This makes Spring searching login data in both – parameters and body. I wish to disable searching those parameters in the url.

I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.

HttpServletRequest.getParameter doc states:

Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.

But you can try to alter this with filter that should look something like this:

public class DisableGetAuthFiler extends OncePerRequestFilter {
    ...

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        filterChain.doFilter(
                new HttpServletRequestWrapper(request) {
                    @Override
                    public String getParameter(String name) {
                        if (("login".equals(name) && getQueryString().contains("login"))
                                || ("password".equals(name) && getQueryString().contains("password"))) {
                            return null;
                        } else {
                            return super.getParameter(name);
                        }
                    }
                },
                response
        );
    }
}

EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername() and obtainPassword() instead of attemptAuthentication().

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. Spring security CORS Filter
  3. How to disable ‘X-Frame-Options’ response header in Spring Security?
  4. How to enable HTTP response caching in Spring Boot
  5. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  6. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  7. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  8. Securing Spring Boot API with API key and secret
  9. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  10. How do I add method based security to a Spring Boot project?
  11. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  12. disabling spring security in spring boot app [duplicate]
  13. Disabling a filter for only a few paths
  14. Spring Boot and multiple external configuration files
  15. Spring Boot, Spring Data JPA with multiple DataSources
  16. Difference between @Mock, @MockBean and Mockito.mock()
  17. Read file from resources folder in Spring Boot
  18. Filter order in spring-boot
  19. No serializer found for class org.hibernate.proxy.pojo.bytebuddy.ByteBuddyInterceptor
  20. Spring-Boot: How do I set JDBC pool properties like maximum number of connections?
  21. Spring Boot: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean
  22. While using Spring Data Rest after migrating an app to Spring Boot, I have observed that entity properties with @Id are no longer marshalled to JSON
  23. How to reinitialize a Spring Bean?
  24. Websocket Authentication and Authorization in Spring
  25. Unit testing with Spring Security
  26. java.lang.IllegalArgumentException: No converter found for return value of type
  27. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  28. How can I run a Spring Boot application on port 80
  29. How to secure REST API with Spring Boot and Spring Security?
  30. Why BCryptPasswordEncoder from Spring generate different outputs for same input?

Leave a Comment