AppScan已解密的登陆请求 用RSA加密之后 问题没有解决

下面是登陆页面 和 登陆action (用的是9.0.3.1版本扫描)
function doSubmit(){
if(userLogin()) {
var password = $('#password').val();
var randCode = $('#randCode').val();
var usercode = $('#usercode').val();
var modulus = '${modulus}';
var exponent = '${exponent}';
var key = RSAUtils.getKeyPair(exponent, '', modulus);
var tPassword = RSAUtils.encryptedString(key, password);
var uname = RSAUtils.encryptedString(key, usercode);
$('#password').val(tPassword);
$('#kpassword').val(tPassword);
$('#username').val(uname);

document.forms[0].submit();
}
}
function closeMarquee(x){
$(x).parent().hide();
}
</script>

</head>
<body onload="loadRandCode()">
<marquee direction="left" onMouseOut="this.start()" onMouseOver="this.stop()" style="color:red;font-size:18px;">
<label style="cursor: pointer;" onclick="closeMarquee(this)" title="点击关闭">x</label>  
注意：本系统支持谷歌浏览器以及IE9.0以上版本的浏览器，请您下载对应的浏览器版本操作系统。    
<a href="http://dl-sh-ctc-2.pchome.net/02/kx/IE10-Windows6.1-x64-zh-cn.rar" title="点击下载">
点击下载IE-10.0
</a>
    
<a href="http://172.172.88.88/sw-search-sp/soft/9d/14744/ChromeStandalone_46.0.2490.86_Setup.1447296650.exe" title="点击下载">
点击下载谷歌
</a>
</marquee>


<form id="login" name="login" action='${path }/Login_login.do' method="post" style="width: 100%; height: 100%;">
<input type="hidden" name="sessionid" id="sessionid" value="${sessionid }" />
<input type=hidden id="ssid" name="ssid" value="<%=request.getSession().getId()%>">
<input type=hidden id="kpassword" name="kpassword">
<input type=hidden id="username" name="username">
<%--<input type="hidden" name="<%=Token.TOKEN_STRING_NAME %>" value="<%=Token.getTokenString(session) %>"> --%>
<div class="gFrame">
<div class="loginDiv">
<table style="line-height: 40PX; margin: auto;">
<tr>
<td colspan="2">
<font color="#ff0000"><span id="error"> ${error}</span> </font>
<br />
</td>
</tr>
<tr>
<td nowrap="nowrap">
<label class="loginLable">用户名:</label>
</td>
<td>
<s:textfield id="usercode" cssClass="ipt" tabindex="1"></s:textfield>
</td>
</tr>
<tr>
<td nowrap="nowrap">
<label class="loginLable">密   码:</label>
</td>
<td>
<%--
<s:password name="password" id="password" cssClass="ipt" tabindex="2" autocomplete="off"></s:password>
--%>
<input type="password" id="password" class="ipt" tabindex="2" autocomplete="off" />
</td>
</tr>
<tr>
<td nowrap="nowrap">
<label class="loginLable">验证码:</label>
</td>
<td align="left">
<input type="text" name="randCode" id="randCode" class="ipt" tabindex="3" maxlength="4" value="" />
<img id="randCodeImg" style="vertical-align: middle;" onclick="changeValidateCode(this)" />
</td>
</tr>
<tr>
<td colspan="2" style="text-align: center;">
<input type="button" onclick="doSubmit();" class="btn" name="smt" id="ips" value="" />
<input type="button" onclick="doReset();" class="btn" name="smt" id="ipr" value="" />
</td>
</tr>
</table>
</div>
</div>
</form>




下面是登陆方法
/**
* 用户登录
*
* @return
*/
public String login() {
// if(Token.isTokenStringValid(request.getParameter(Token.TOKEN_STRING_NAME), request.getSession())){
usercode = username;
password = kpassword;
try {
//跨站点请求伪造
if (request.getHeader("Referer") != null && request.getHeader("Referer").indexOf(request.getHeader("Host")) == -1) {
return ERROR;
}
if (session.get("loginUser") != null) {
TSysUser tSysUser = (TSysUser) session.get("loginUser");
initLoginUserInfo(tSysUser);
/*if (request.getHeader("Referer") == null) {
return ERROR;
}*/
if (request.getHeader("Referer") != null && request.getHeader("Referer").indexOf(request.getHeader("Host")) == -1) {
return ERROR;
}

//RSA加密，获得公钥
RSAPublicKey publicKey = RSAUtils.getDefaultPublicKey();
request.setAttribute("modulus",new String(Hex.encodeHex(publicKey.getModulus().toByteArray())));
request.setAttribute("exponent", new String(Hex.encodeHex(publicKey.getPublicExponent().toByteArray())));

request.setAttribute("menuflag", "busiProcess");
//request.setAttribute("mailCount", getMailCount(tSysUser));
return SUCCESS;
/*
* request.setAttribute("mailCount", getMailCount((TSysUser) session.get("loginUser")));
* return SUCCESS;
*/
}

// 如果用户名或者密码为空返回到登录页面
if (!TypeFormat.isNotEmptyorNull(this.usercode) || !TypeFormat.isNotEmptyorNull(this.password)
//|| !TypeFormat.isNotEmptyorNull(this.randCode)
){
request.setAttribute("error", "请输入用户名、密码和验证码!");
return INPUT;
}
if(!randCode.equalsIgnoreCase((String)session.get("randCode"))){
request.setAttribute("error", "验证码输入错误!");
return INPUT;
}

// 封装用户登录信息
TSysUser tSysUser = new TSysUser();

tSysUser.setUsercode(RSAUtils.decryptStringByJs(usercode));
//tSysUser.setPassword(password);

tSysUser.setPassword(RSAUtils.decryptStringByJs(kpassword));

//tSysUser.setPassword(password);
tSysUser.setLoginip(request.getRemoteHost());
// 调用登录业务逻辑 防止多次登录 5次以上锁住十分钟
tSysUser = this.useTSysUserService.login(tSysUser);
// 用户登录验证成功
if (tSysUser != null) {
logger.info("用户" + tSysUser.getUsercode() + "于" + TypeFormat.getDateFormat(new Date()) + "在主机" + request.getRemoteHost() + "成功登陆");
// 把用户的主要信息存入Session会话
session.put("loginUser", tSysUser);
// 初始化用户登录信息
initLoginUserInfo(tSysUser);
// 查询用户邮件信息
//request.setAttribute("mailCount", getMailCount(tSysUser));

//RSA加密，获得公钥
RSAPublicKey publicKey = RSAUtils.getDefaultPublicKey();
request.setAttribute("modulus",new String(Hex.encodeHex(publicKey.getModulus().toByteArray())));
request.setAttribute("exponent", new String(Hex.encodeHex(publicKey.getPublicExponent().toByteArray())));

request.setAttribute("menuflag", "busiProcess");
return SUCCESS;
}
} catch (LoginException le) {
switch (le.getErrorCode()) {
case LoginException.UN_PWD_ERROR: {
logger.info("用户名或者密码错误");
request.setAttribute("error", "用户名或者密码错误!");
break;
}
case LoginException.DISABALE: {
logger.info("用户已被禁用");
request.setAttribute("error", "用户已被禁用,请与管理员联系!");
break;
}
}
} catch (Exception e) {
e.printStackTrace();
return ERROR;

}
return INPUT;
// }else{
// return ERROR;
// }
}