
Is HTTP Basic Authentication in Spring security safe from SQL Injection

Developer https://www.devze.com 2023-03-25 21:43 Source: Internet
I am using HTTP Basic Authentication in my Spring MVC project. Is Spring's authentication protected from SQL Injection?

Can any expert provide a statement on this? Or provide links to a statement.


In agreement with Simeon, it is as safe as any underlying customizations you have applied to the standard framework.

The standard framework implementation of JdbcDaoImpl uses PreparedStatements for all JDBC access, which should protect against SQL injection attacks, even if you modify the queries. If you extend it or write your own implementation, however, all bets are off.

From an architectural perspective, your question is not entirely accurate - the method of passing authentication credentials (basic, in your case) doesn't directly impact what actually reaches the database. There is a good layer of abstraction between the receipt and verification of credentials. I would suggest consulting the Spring Security documentation to understand why this is so.


How are you checking user credentials?

If you are using a UserDetailsService to check user credentials against a DB then the responsibility to protect yourself against injections falls to you, since you are building the query.
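The distinction both answers draw, as an added example (not code from the original thread or from Spring Security itself): a hand-written `UserDetailsService` with the concatenated lookup beside the parameterized one. The class name, the `users` table and its columns, and the fixed `ROLE_USER` authority are assumptions made for illustration.

```java
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical custom service; table, columns and role are assumed, not from the page.
public class AccountUserDetailsService implements UserDetailsService {

    // Maps one row to UserDetails; the password column is assumed to hold an encoded hash.
    private static final RowMapper<UserDetails> ROW = (rs, n) ->
            User.withUsername(rs.getString("username"))
                .password(rs.getString("password"))
                .disabled(!rs.getBoolean("enabled"))
                .authorities("ROLE_USER")
                .build();

    private final JdbcTemplate jdbc;

    public AccountUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    // UNSAFE, for contrast only: the name decoded from the Authorization header
    // becomes part of the SQL text, so the database parses it as SQL.
    UserDetails loadByConcatenation(String username) {
        String sql = "select username, password, enabled from users"
                   + " where username = '" + username + "'";
        return single(jdbc.query(sql, ROW));
    }

    // Safe: the SQL text is constant and the name is bound as a parameter,
    // which JdbcTemplate sends through a PreparedStatement.
    @Override
    public UserDetails loadUserByUsername(String username) {
        String sql = "select username, password, enabled from users where username = ?";
        return single(jdbc.query(sql, ROW, username));
    }

    // Fail closed unless exactly one row matched; the message omits the supplied name.
    private static UserDetails single(List<UserDetails> rows) {
        if (rows.size() != 1) {
            throw new UsernameNotFoundException("No unique account for the supplied name");
        }
        return rows.get(0);
    }
}
```

Only `loadUserByUsername` is reachable through the interface; a quick review check for an existing code base is to search custom `UserDetailsService` implementations for SQL strings built with `+` or `String.format`.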
