This makes Spring searching login data in both – parameters and body. I wish to disable searching those parameters in the url.
I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.
HttpServletRequest.getParameter doc states:
Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.
But you can try to alter this with filter that should look something like this:
public class DisableGetAuthFiler extends OncePerRequestFilter {
...
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
filterChain.doFilter(
new HttpServletRequestWrapper(request) {
@Override
public String getParameter(String name) {
if (("login".equals(name) && getQueryString().contains("login"))
|| ("password".equals(name) && getQueryString().contains("password"))) {
return null;
} else {
return super.getParameter(name);
}
}
},
response
);
}
}
EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername()
and obtainPassword()
instead of attemptAuthentication()
.