我有一个提供身份验证Web服务的简单控制器。它接受用户名和密码作为POST参数并返回JSON结果。由于密码正在提交,我不想鼓励任何人在查询字符串上提交密码。我想强制它只在请求正文中被接受。这将确保发布值的ssl加密。我如何在Sping MVC中实现这一目标?
@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
public ResponseEntity<String> handleAuthenticateGet(
@RequestParam(value = PRAConstants.USERNAME) String username,
@RequestParam(value = PRAConstants.PASSWORD) String password)
{
boolean authSuccess = LDAPUtil.authenticateUser(username, password);
HttpHeaders responseHeaders = new HttpHeaders();
responseHeaders.setContentType(MediaType.APPLICATION_JSON);
return new ResponseEntity<String>("{\"result\":" + authSuccess + "}", responseHeaders, HttpStatus.OK);
}
}
答案 0 :(得分:0)
Per Lee Meador,我补充说:
boolean authSuccess = false;
// if password is passed on the query string, then always return false. otherwise, go ahead and check with ldap
if ( !StringUtils.contains(request.getQueryString(), PRAConstants.PASSWORD) )
{
authSuccess = LDAPUtil.authenticateUser(username, password);
}
对我有用......