I'm using UsernamePasswordAuthenticationFilter which, by default, gets username and password from HTTP query params.
I've read a few articles stating that passing query params over HTTPS is not entirely secure because they remain in browser history and many web servers log the full URL including query params in the clear.
I haven't found any information on alternative, more secure methods. I am considering extending UsernamePasswordAuthenticationFilter.attemptAuthen tication and getting the params out of the request body. I believe this approach would work, but I'm surprised that there isn't a more secure solution "out of the box."
1) Are my security concerns valid about HTTP params over HTTPS?
2) If so, is there a better approach than what I've suggested?