Spring MVC:如何在请求体中要求POST参数并忽略查询字符串参数?

时间:2013-08-08 22:52:20

标签: security authentication spring-mvc

我有一个提供身份验证Web服务的简单控制器。它接受用户名和密码作为POST参数并返回JSON结果。由于密码正在提交,我不想鼓励任何人在查询字符串上提交密码。我想强制它只在请求正文中被接受。这将确保发布值的ssl加密。我如何在Sping MVC中实现这一目标?

@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
    public ResponseEntity<String> handleAuthenticateGet(
            @RequestParam(value = PRAConstants.USERNAME) String username,
            @RequestParam(value = PRAConstants.PASSWORD) String password)
    {
        boolean authSuccess = LDAPUtil.authenticateUser(username, password);
        HttpHeaders responseHeaders = new HttpHeaders();
        responseHeaders.setContentType(MediaType.APPLICATION_JSON);
        return new ResponseEntity<String>("{\"result\":" + authSuccess + "}", responseHeaders, HttpStatus.OK);
    }
}

1 个答案:

答案 0 :(得分:0)

Per Lee Meador,我补充说:

boolean authSuccess = false;
// if password is passed on the query string, then always return false. otherwise, go ahead and check with ldap
if ( !StringUtils.contains(request.getQueryString(), PRAConstants.PASSWORD) )
{
    authSuccess = LDAPUtil.authenticateUser(username, password);
}

对我有用......