Introduction
In the newest OWASP Top 10 list (OWASP Top 10:2021), the well-known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, a mention is made of identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as “Broken Authentication”, it refers to the dangers a web application faces from weak authentication implementations. Below I’m going to demonstrate the implementation of one of the countermeasures, which is to be able to log authentication attempts, whether they are successful or not.
Implementation
In order to avoid boilerplate code I’m using Lombok to create the Slf4j logger.
Log Success
The steps are the following:
- We create a service that “listens” for the successful logins
- Extract the username
- Extract the IP address
- Log it
For the first step we need to create a component, let’s call it AuthenticationSuccessListener, that will implement the interface ApplicationListener<AuthenticationSuccessEvent>.
There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be in this object or, if the request is coming from a proxy, it will be extracted from the X-Forwarded-For header.
If we add all that, the code should be something like the snippet below.
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {

    // request-scoped bean injected through a proxy, so it always refers to the current request
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        // get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null) {
            // no proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            // from proxy: the first entry is the original client
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}
You should get a response similar to
2022-08-17 01:50:42.325 ERROR 81901 --- [io-8080-exec-10] .d.u.m.m.s.AuthenticationSuccessListener : Successful login attempt for alexius from 0:0:0:0:0:0:0:1
Log Failure
- We create a service that “listens” for the failed logins
- Extract the username
- Extract the IP address
- Log it
For the first step we need to create a component, let’s call it AuthenticationFailureListener, that will implement the interface ApplicationListener<AuthenticationFailureBadCredentialsEvent>.
There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be in this object or, if the request is coming from a proxy, it will be extracted from the X-Forwarded-For header.
If we add all that, the code should be something like the snippet below.
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    // request-scoped bean injected through a proxy, so it always refers to the current request
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        // get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null) {
            // no proxy
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            // from proxy: the first entry is the original client
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}
You should get a response similar to
2022-08-17 02:22:51.377 ERROR 82022 --- [nio-8080-exec-4] .d.u.m.m.s.AuthenticationFailureListener : Failed login attempt for alexius from 0:0:0:0:0:0:0:1
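As an added example that is not part of the original post: the two listeners above only cover AuthenticationSuccessEvent and AuthenticationFailureBadCredentialsEvent, so a locked or disabled account produces no log line, and both the username and the X-Forwarded-For value are client-supplied input written straight into the log. The class below (hypothetical name AuthenticationFailureAuditListener) listens on the abstract AbstractAuthenticationFailureEvent so every failure subtype is recorded, takes the request from RequestContextHolder (assumes Spring Boot, whose RequestContextFilter runs ahead of the security filter chain), only honours X-Forwarded-For when the assumed BEHIND_TRUSTED_PROXY flag says a trusted proxy sets it, and strips CR/LF before logging so a crafted value cannot forge extra log entries.

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;

// Listening on the abstract parent type makes Spring deliver every failure
// subtype (bad credentials, locked, disabled, expired, ...) to this one bean.
@Slf4j
@Component
public class AuthenticationFailureAuditListener
        implements ApplicationListener<AbstractAuthenticationFailureEvent> {

    // Assumption: a reverse proxy in front of the app overwrites X-Forwarded-For.
    // Without such a proxy the header is client-controlled and must be ignored.
    private static final boolean BEHIND_TRUSTED_PROXY = true;

    @Override
    public void onApplicationEvent(AbstractAuthenticationFailureEvent event) {
        // the request is bound to the current thread by Spring Boot's RequestContextFilter
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        String ip = attrs == null ? "n/a" : clientAddress(attrs.getRequest());
        // the username comes straight from the login form, so it is untrusted input
        String user = sanitize(event.getAuthentication().getName());
        log.warn("Failed login attempt for {} from {} ({}: {})",
                user, ip, event.getClass().getSimpleName(),
                sanitize(event.getException().getMessage()));
    }

    static String clientAddress(HttpServletRequest request) {
        String xff = request.getHeader("X-Forwarded-For");
        if (BEHIND_TRUSTED_PROXY && xff != null && !xff.isEmpty()) {
            // first entry is the original client, later entries are intermediate proxies
            return sanitize(xff.split(",")[0].trim());
        }
        return request.getRemoteAddr();
    }

    // neutralise CR/LF/TAB so a crafted value cannot forge extra log lines, and cap the length
    static String sanitize(String value) {
        if (value == null) return "";
        String cleaned = value.replaceAll("[\\r\\n\\t]", "_");
        return cleaned.length() > 100 ? cleaned.substring(0, 100) + "..." : cleaned;
    }
}
```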