[英]Spring OAuth2 security concerns
I am currently implementing Authorization_Code type OAuth2 flow to have single-sign-on (SSO) on my website.我目前正在实施 Authorization_Code 类型的 OAuth2 流程,以便在我的网站上进行单点登录 (SSO)。
Here is my code that enables it.这是我启用它的代码。
@Override
protected void configure(final HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests()
.antMatchers("/login", "/authorize", "/error")
.permitAll()
.anyRequest()
.authenticated()
.and().formLogin().loginPage("https://sso.mywebsite.com").loginProcessingUrl("/perform_login")
.defaultSuccessUrl("/success",true)
.failureUrl("/error").permitAll()
.and()
.csrf()
.disable();
// @formatter:on
}
My concern is described below.我的担忧如下所述。
To make a login request (with username and password), sso.mywebsite.com should make a POST request to my oAuth service - http://oauth/perform_login?username=USERNAME&password=PASSWORD .要发出登录请求(使用用户名和密码), sso.mywebsite.com 应该向我的 oAuth 服务发出 POST 请求 - http://oauth/perform_login?username=USERNAME&password=PASSWORD 。
I tried it with Postman and it works.我用 Postman 试了一下,效果很好。 However, isn't this a security problem to send plain username and password like above in query param?
但是,在查询参数中发送像上面这样的普通用户名和密码不是一个安全问题吗? I thought exposing user credential in uri (query param) could get captured by various network sniffing tools.
我认为在 uri(查询参数)中公开用户凭据可能会被各种网络嗅探工具捕获。
Is there a way to do this in different method?有没有办法以不同的方法做到这一点?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.