我正面临一个安全问题,Chrome开发者工具正在显示这些属性' j_username'和' j_password'作为请求标题中的表单数据下的纯文本。
这是一个旧的应用程序,我们在其中使用带有Spring框架的acegi-security 0.8.2。
我们项目中的解决方法:1。在web.xml中,我们提到过滤器ChannelProcessingFilter作为单独的过滤器,
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.util.FilterChainProxy
</param-value>
</init-param>
</filter>
<filter>
<filter-name>Acegi Channel Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
</init-param>
</filter>
2 ..在applicationContext.xml中,我们定义了ChannelProcessingFilter,
<bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
<property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/login.htm*=REQUIRES_SECURE_CHANNEL
/j_acegi_security_check*=REQUIRES_SECURE_CHANNEL
/admin/**=REQUIRES_SECURE_CHANNEL
/**=REQUIRES_INSECURE_CHANNEL
</value>
</property>
</bean>
<bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<ref bean="secureChannelProcessor"/>
<ref bean="insecureChannelProcessor"/>
</list>
</property>
</bean>
<bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>
3.仅通过HTTPS提供登录页面,我们通过生成密钥库并启用了连接器端口=&#34; 8443&#34;来启用SSL / TSL支持。在tomcat服务器的conf / server.xml中 这里面临的问题是,点击j_acegi_security_check请求后,Chrome开发者工具会显示这些属性&#39; j_username&#39;和&#39; j_password&#39;作为请求标题中的表单数据下的纯文本。
我在这里遗漏了什么?请帮助我加密此密码或禁用此属性,如在银行应用程序中实现它