3

我有一个提供身份验证 Web 服务的简单控制器。它接受用户名和密码作为 POST 参数并返回 JSON 结果。因为正在提交密码,所以我不想鼓励任何人在查询字符串上提交它。我想强制它只在请求正文中被接受。这将确保发布值的 ssl 加密。我如何在 Sping MVC 中实现这一点?

@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
    public ResponseEntity<String> handleAuthenticateGet(
            @RequestParam(value = PRAConstants.USERNAME) String username,
            @RequestParam(value = PRAConstants.PASSWORD) String password)
    {
        boolean authSuccess = LDAPUtil.authenticateUser(username, password);
        HttpHeaders responseHeaders = new HttpHeaders();
        responseHeaders.setContentType(MediaType.APPLICATION_JSON);
        return new ResponseEntity<String>("{\"result\":" + authSuccess + "}", responseHeaders, HttpStatus.OK);
    }
}
4

1 回答 1

0

Per Lee Meador,我添加了这个:

boolean authSuccess = false;
// if password is passed on the query string, then always return false. otherwise, go ahead and check with ldap
if ( !StringUtils.contains(request.getQueryString(), PRAConstants.PASSWORD) )
{
    authSuccess = LDAPUtil.authenticateUser(username, password);
}

这对我行得通...

于 2013-08-08T23:06:42.587 回答