Shulou(Shulou.com)06/03 Report--

This article will explain in detail how SpringSecurity implements the account locking function after multiple login failures. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

I. Review of basic knowledge

To achieve multiple login failure account locking, we need to review the basics:

Spring Security does not require us to implement the login authentication logic ourselves, but instead informs Spring Security about users, roles, and permissions by implementing the UserDetails and UserDetailsService interfaces. The specific login authentication logic Spring Security will help us to implement. There is a method called isAccountNonLocked () in the UserDetails interface to determine whether the account is locked, that is, we should tell Spring Security that the login account is locked through the corresponding set method setAccountNonLocked (false) of this method. So where should I determine the number of account login failures and implement the locking mechanism? Of course, it is the AuthenticationFailureHandler of "custom login success and failure result handling" introduced to you in our previous article.

It is recommended that you read this article first, and if you are confused about the implementation process of this article, it is recommended that you look at the relevant content before this number.

Second, the principle of realizing multiple login failure locking

Generally speaking, to achieve this requirement, we need to record the number of login failures (nLock) and the expiration time (releaseTime) of locked accounts for each user. Whether you store these two pieces of information in mysql, file, redis, etc., depends entirely on your judgment on the applicability of your application architecture. The specific implementation logic is nothing more than:

After the login failed, take the nLock from the storage and add 1. If nLock is greater than the login failure threshold (for example, 3 times), set nLock=0, and then set releaseTime to the current time plus lock cycle. Inform Spring Security that the login account is locked through setAccountNonLocked (false). If the nLock is less than or equal to 1, save the nLock again. Reset the locked state to setAccountNonLocked (true) at an appropriate time.

This is a very typical way of implementation, the author introduces a very useful open source software called: ratelimitj. The main function of this software is to limit the flow of API access, that is to say, you can limit the access frequency of the API interface by making rules. It just so happens that the login verification interface is also a kind of API, and we also need to limit the number of visits to it within a certain period of time.

III. Concrete realization

First of all, we need to introduce ratelimitj into our application through maven coordinates. We use the memory storage version and the redis storage version, which you can choose according to your own application.

Es.moki.ratelimitj ratelimitj-inmemory 0.4.1

The onAuthenticationFailure method is then implemented by inheriting SimpleUrlAuthenticationFailureHandler. This implementation deals with the results of login failures, which we have talked about in our previous article.

@ Componentpublic class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {@ Autowired UserDetailsManager userDetailsManager; / / Rule definition: the current restriction behavior is triggered by five opportunities within an hour: Set rules = Collections.singleton (RequestLimitRule.of (1 * 60, TimeUnit.MINUTES,5)); RequestRateLimiter limiter = new InMemorySlidingWindowRequestRateLimiter (rules) @ Override public void onAuthenticationFailure (HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {String userId = / / get the login user name / / counter plus 1 from request or request.getSession, and determine whether the user has triggered the locking rule boolean reachLimit = limiter.overLimitWhenIncremented (userId); if (reachLimit) {/ / if the locking rule is triggered, tell Spring Security to lock the account user.setAccountNonLocked (false); userDetailsManager.updateUser (user) through UserDetails SysUser user = (SysUser) userDetailsManager.loadUserByUsername (userId);} / / omit the json or html response via response}}

The core implementation pays attention to the comments in the code

The SysUser in the code is the implementation class of UserDetails. If you don't know how to implement it, please refer to the previous article of this number.

UserDetailsManager is used to manage UserDetails information and change the Spring Security authentication behavior by changing the UserDetails.

IV. Timing for resetting the locked state

User.setAccountNonLocked (true)

It's easy to reset the lock state, which is the code above. But what is more important is how to choose the time to reset the locked state. The author can think of several schemes as follows

The next time you log in, customize the filter and add it to the front of the Spring Boot filter chain to reset the lock state. When the login account is locked, each login of the user will throw a LockedException. We can capture LockedException through the global exception capture mechanism of Spring Boot, and do the judgment and reset behavior of locking state. Write a Spring timer poll, which is, of course, the worst option.

This is the end of the article on "how to achieve account locking after multiple login failures in SpringSecurity". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.