
Thread: UsernamePasswordAuthenticationFilter Security Concerns

#1 (Join Date: Mar 2012, Posts: 1)

    UsernamePasswordAuthenticationFilter Security Concerns

    I'm using UsernamePasswordAuthenticationFilter which, by default, gets username and password from HTTP query params.

    I've read a few articles stating that passing query params over HTTPS is not entirely secure because they remain in browser history and many web servers log the full URL including query params in the clear.

    I haven't found any information on alternative, more secure methods. I am considering extending UsernamePasswordAuthenticationFilter.attemptAuthentication and getting the params out of the request body. I believe this approach would work, but I'm surprised that there isn't a more secure solution "out of the box."

    1) Are my security concerns valid about HTTP params over HTTPS?
    2) If so, is there a better approach than what I've suggested?

#2 (Join Date: Nov 2006, Location: London, UK and Tallinn, Estonia, Posts: 55)

    Your concerns are valid; however, you can set the postOnly property on the filter to prevent credentials being processed if passed as URL parameters. Obviously you would have to ensure that you are using POST in your login form as well. I actually think there are wider concerns about relying simply on a username/password combination, which I've outlined in this blog post. I think strong authentication is the way to go, and it's a lot cheaper these days.
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson
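As an added illustration of the postOnly point above (example code written for this page, not code from the thread or from Spring Security itself): postOnly only rejects requests whose method is not POST. Because request.getParameter() reads query-string and body parameters alike, a POST whose credentials were appended to the URL would still be accepted, so the hypothetical subclass below also refuses any request that names the username or password parameter in the query string. It assumes Spring Security 3.x with the javax.servlet API; the class name is made up.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Hypothetical filter that accepts credentials only from the POST body.
 * postOnly covers the HTTP method; the extra check below covers the URL,
 * so that a credential in the query string is never read (and never logged
 * by a server that records full request URLs).
 */
public class BodyOnlyUsernamePasswordAuthenticationFilter
        extends UsernamePasswordAuthenticationFilter {

    public BodyOnlyUsernamePasswordAuthenticationFilter() {
        setPostOnly(true); // reject GET and every other non-POST method outright
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        if (credentialsInQueryString(request.getQueryString())) {
            // Fail before the superclass calls request.getParameter(), which
            // would otherwise happily pick the values up from the URL.
            throw new AuthenticationServiceException(
                    "Credentials must be sent in the request body, not the URL");
        }
        return super.attemptAuthentication(request, response);
    }

    /** True if the raw query string names the username or password parameter. */
    boolean credentialsInQueryString(String query) {
        if (query == null || query.isEmpty()) {
            return false;
        }
        for (String pair : query.split("&")) {
            String name = pair.split("=", 2)[0];
            try {
                name = URLDecoder.decode(name, "UTF-8"); // catch percent-encoded names too
            } catch (UnsupportedEncodingException e) {
                return true; // undecodable name: refuse rather than guess
            }
            if (name.equals(getUsernameParameter()) || name.equals(getPasswordParameter())) {
                return true;
            }
        }
        return false;
    }
}
```

Register it in place of the standard form-login filter and keep the login form's method="post" with the fields in the body; the URL check is what the postOnly property alone does not give you.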
