How do I disable resolving login parameters passed as url parameters / from the url

Question

The application logs all requested urls. This means, that it's critical not to authenticate using url parameters, because it would cause the situation in which logs are full of pairs (login=abc&password=123). For this reason I've configured spring-security to read parameters from request-body. It's done by adding the following line to the request-header:

'Content-Type': 'application/x-www-form-urlencoded' 

The body will be:

{'login':'admin', 'password':'password'} 

It's fine, but the QA forces me to disable the possibility of authentication via url paramters. At the moment a POST to the following URL will also authenticate:

https://example.com/foo?login=admin&password=password 

Does anyone know a trick to disable this option? With an annotation preferably.

Due to the comment I decided to add some more details to my problem. My spring-security is configured with WebSecurityConfigurerAdapter. I have

http.usernameParameter("login")     .passwordParameter("password") (...) 

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

Answer 1

This makes Spring searching login data in both - parameters and body. I wish to disable searching those parameters in the url.

I believe this is not possible since this behaviour is not implemented by Spring rather than JavaEE itself.

HttpServletRequest.getParameter doc states:

Returns the value of a request parameter as a String, or null if the parameter does not exist. Request parameters are extra information sent with the request. For HTTP servlets, parameters are contained in the query string or posted form data.

But you can try to alter this with filter that should look something like this:

public class DisableGetAuthFiler extends OncePerRequestFilter {     ...      @Override     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {         filterChain.doFilter(                 new HttpServletRequestWrapper(request) {                     @Override                     public String getParameter(String name) {                         if (("login".equals(name) && getQueryString().contains("login"))                                 || ("password".equals(name) && getQueryString().contains("password"))) {                             return null;                         } else {                             return super.getParameter(name);                         }                     }                 },                 response         );     } } 

EDIT Haim Raman proposed another solution that uses existing filter instead of introducing a new one. Only I would suggest overriding obtainUsername() and obtainPassword() instead of attemptAuthentication().