密码以纯文本形式发送到服务器java spring

时间:2015-03-18 18:31:13

标签: java spring spring-mvc spring-security spring-3

我在spring security 3.1中有一个Web应用程序登录表单。登录表单调用j_spring_security_check onsubmit,我有一个自定义auth管理器,它使用github rest api来验证登录。这样做的问题是,当登录信息记录在服务器上时,它们以纯文本格式记录。

发布我的security-context.xml文件

<!-- Custom bean: Auth Manager -->
    <beans:bean id="customAuthmanager" class="com.RRCenter.securityMisc.AuthManager">
    </beans:bean>

    <!-- Failed login bean -->
    <beans:bean id="failedLogin"  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/reuiweb/login?fail=true"></beans:bean>

    <!-- Successful login bean -->
    <beans:bean id="successLogin" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" p:defaultTargetUrl="/reuiweb/certifybundles?login=true"></beans:bean>

    <!-- <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="passwordEncoder" ref="passwordEncoder"/>
    </beans:bean> -->

    <!-- <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11" />
    </beans:bean> -->

    <!-- Actual auth manager -->
    <beans:bean id="customAuthFilter"  
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
        p:authenticationManager-ref="customAuthmanager" 
        p:authenticationFailureHandler-ref="failedLogin" 
        p:authenticationSuccessHandler-ref="successLogin"
        p:authenticationDetailsSource-ref="myAuthDetailsSource"
        ></beans:bean> 
        <!-- p:authenticationProvider-ref="daoAuthenticationProvider" -->

     <!-- Auth Details Bean -->
        <beans:bean id="myAuthDetailsSource" class="com.RRCenter.securityMisc.MyAuthDetailsSource"/>


    <!-- Successful login bean -->
    <beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/reuiweb/login" />

    <security:authentication-manager />

    <!-- Test users -->


    <security:http auto-config="false" request-matcher="ant" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint">
        <!-- Enables the 9xxx ports -->
        <security:port-mappings>
            <security:port-mapping http="80" https="443"/>
            <security:port-mapping http="8080" https="8443"/>
            <security:port-mapping http="9080" https="9443"/>
        </security:port-mappings>


    <security:http-basic authentication-details-source-ref="myAuthDetailsSource" />

        <!-- Session management -->

        <security:session-management invalid-session-url="/reuiweb/login">
            <security:concurrency-control max-sessions="99" expired-url="/reuiweb/login" />
        </security:session-management>


        <!-- Security schema -->
        ty:intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
        <security:intercept-url pattern="/reuiweb/certifyProvider" access="ROLE_USER,ROLE_ADMIN"/>
        <security:intercept-url pattern="/**" access="ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN"/>
        <security:logout invalidate-session="true" logout-success-url="/reuiweb/allJobs" logout-url="/reuiweb/logout"/>  
        <security:custom-filter ref="customAuthFilter" position="FORM_LOGIN_FILTER"/>


    </security:http>

我在堆栈溢出中读了几个答案,其中提到我必须使用用户详细信息服务以及密码编码器bean

<bean id="authProvider" 
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserService" />
    <property name="passwordEncoder" ref="encoder" />
  </bean>

但是,daoAuthentication提供程序适用于登录密码存储在数据库中的情况。在REST API服务提供身份验证时,您能告诉我如何实现userdetails服务吗?

1 个答案:

答案 0 :(得分:0)

使用POST方法登录表单:

<form action="j_spring_security_check" method="POST">
  <!-- input fields etc -->
</form>

然后,提交的字段的值不会出现在apache日志中。