I want to trigger an event if there is an invalid credential; in my code it goes to the orElseThrow block (trying to achieve account lock). Is it possible to catch the exception thrown from "org.springframework.security.core.userdetails.User(lowercaseLogin, user.getPassword(), grantedAuthorities)" so that I can trigger an event which handles account lock?
I have created a custom event handler (AuthenticationFailureEventListener didn't work) to lock the account after 3 or 5 attempts. I am using JHipster UAA.
    Optional<User> userFromDatabase = userRepository.findOneWithAuthoritiesByLogin(lowercaseLogin);
    return userFromDatabase.map(user -> {
        if (!user.getActivated()) {
            log.info("User " + login + " was not activated");
            throw new UserNotActivatedException("User " + lowercaseLogin + " was not activated");
        }
        List<GrantedAuthority> grantedAuthorities = user.getAuthorities().stream()
            .map(authority -> new SimpleGrantedAuthority(authority.getName())).collect(Collectors.toList());
        return new org.springframework.security.core.userdetails.User(lowercaseLogin, user.getPassword(),
            grantedAuthorities);
    })
    .orElseThrow(
        () -> new UsernameNotFoundException("User " + lowercaseLogin + " was not found in the " + "database"));
------- Account Lock Class
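    import java.util.concurrent.ExecutionException;
    import java.util.concurrent.TimeUnit;

    import com.google.common.cache.CacheBuilder;
    import com.google.common.cache.CacheLoader;
    import com.google.common.cache.LoadingCache;
    import org.springframework.stereotype.Service;

    @Service
    public class AccountLockService {
        private final int MAX_ATTEMPT = 3;
        // key -> number of failed attempts; an entry expires 1 minute after its last write
        private LoadingCache<String, Integer> attemptsCache;

        public AccountLockService() {
            super();
            attemptsCache = CacheBuilder.newBuilder().
                expireAfterWrite(1, TimeUnit.MINUTES).build(new CacheLoader<String, Integer>() {
                    public Integer load(String key) {
                        return 0;
                    }
                });
        }

        // Increment the failure counter for this key
        public void loginFailed(String key) {
            int attempts = 0;
            try {
                attempts = attemptsCache.get(key);
            } catch (ExecutionException e) {
                attempts = 0;
            }
            attempts++;
            attemptsCache.put(key, attempts);
        }

        // True once the key has reached MAX_ATTEMPT failures within the expiry window
        public boolean isBlocked(String key) {
            try {
                return attemptsCache.get(key) >= MAX_ATTEMPT;
            } catch (ExecutionException e) {
                return false;
            }
        }
    }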
----Custom Listener
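    import javax.servlet.http.HttpServletRequest;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.event.EventListener;
    import org.springframework.security.core.Authentication;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomCreatedEventListener {
        @Autowired
        private AccountLockService accountLockService;
        @Autowired
        private HttpServletRequest request;

        public CustomCreatedEventListener(AccountLockService accountLockService, HttpServletRequest request) {
            this.accountLockService = accountLockService;
            this.request = request;
        }

        // Listens for events whose payload type is Authentication
        @EventListener
        public void accountLock(Authentication auth) {
            // Key the counter on the first X-Forwarded-For entry, falling back to the remote address
            String xfHeader = request.getHeader("X-Forwarded-For");
            if (xfHeader == null) {
                xfHeader = request.getRemoteAddr();
            }
            xfHeader = xfHeader.split(",")[0];
            accountLockService.loginFailed(xfHeader);
        }
    }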
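
An added example, not part of the original post and not JHipster's own code: with Spring Security's `DaoAuthenticationProvider` the password is compared after `loadUserByUsername` returns, so a wrong password surfaces as an `AuthenticationFailureBadCredentialsEvent` rather than as an exception from the `User` constructor. The listener below counts those events per login instead of per `X-Forwarded-For` value, which the client controls unless a trusted proxy overwrites it. It assumes an `AuthenticationEventPublisher` is wired into the `AuthenticationManager`; the class name `LoginAttemptListener` is hypothetical, and the window is fixed from the first failure rather than refreshed on each write as in the post's cache.

```java
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Added example (hypothetical class): per-login failure counter driven by Spring Security events.
@Component
public class LoginAttemptListener {

    private static final int MAX_ATTEMPT = 3;       // same limit as the post
    private static final long WINDOW_MS = 60_000L;  // one minute, mirroring the post's cache expiry

    // lowercased login -> {failure count, time of first failure in the current window}
    private final ConcurrentMap<String, long[]> failures = new ConcurrentHashMap<>();

    // Published by the authentication manager when the submitted password does not match.
    @EventListener
    public void onBadCredentials(AuthenticationFailureBadCredentialsEvent event) {
        String login = key(event.getAuthentication().getName());
        long now = System.currentTimeMillis();
        // Start a new window if the old one has expired, otherwise increment atomically.
        failures.merge(login, new long[] {1, now}, (old, fresh) ->
            now - old[1] > WINDOW_MS ? fresh : new long[] {old[0] + 1, old[1]});
    }

    // A successful login clears the counter for that login.
    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        failures.remove(key(event.getAuthentication().getName()));
    }

    // True while the login has MAX_ATTEMPT or more failures inside the window.
    public boolean isBlocked(String login) {
        long[] entry = failures.get(key(login));
        return entry != null
            && System.currentTimeMillis() - entry[1] <= WINDOW_MS
            && entry[0] >= MAX_ATTEMPT;
    }

    // Normalise the login the same way the post's loadUserByUsername does (lowercase).
    private static String key(String login) {
        return login == null ? "" : login.toLowerCase(Locale.ENGLISH);
    }
}
```

To enforce the lock, call `isBlocked(lowercaseLogin)` at the start of `loadUserByUsername` and throw Spring Security's `LockedException` when it returns true.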