Monday, November 28, 2022

Logging Failed and Successful Authentication Attempts with Spring Boot – Java Code Geeks


Introduction

In the latest OWASP Top 10 list (OWASP Top 10:2021), the well-known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, a mention is made regarding identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as "Broken Authentication", it refers to the dangers a web application faces from weak authentication implementations. Below I am going to demonstrate the implementation of one of the countermeasures, which is being able to log authentication attempts, whether they are successful or not.

Implementation

In order to avoid boilerplate code I am using Lombok to create the SLF4J logger.

Log Success

The steps are the following:

  1. We create a service that "listens" for the successful logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationSuccessListener, that will implement the interface ApplicationListener<AuthenticationSuccessEvent>.

There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be in this object or, if the request is coming from a proxy, it will be extracted from the X-Forwarded-For header.

If we add all that, the code should be something like the snippet below.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {
    // Spring injects a request-scoped proxy, so the current request is available in the handler
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        // get the X-Forwarded-For header so that we know if the request came through a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null) {
            // no proxy: the remote address is the client itself
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            // from proxy: the left-most entry in X-Forwarded-For is the original client
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a response similar to

2022-08-17 01:50:42.325 ERROR 81901 --- [io-8080-exec-10] .d.u.m.m.s.AuthenticationSuccessListener : Successful login attempt for alexius from 0:0:0:0:0:0:0:1

Log Failure

  1. We create a service that "listens" for the failed logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationFailureListener, that will implement the interface ApplicationListener<AuthenticationFailureBadCredentialsEvent>.

There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be in this object or, if the request is coming from a proxy, it will be extracted from the X-Forwarded-For header.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    // Spring injects a request-scoped proxy, so the current request is available in the handler
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        // get the X-Forwarded-For header so that we know if the request came through a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null) {
            // no proxy: the remote address is the client itself
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            // from proxy: the left-most entry in X-Forwarded-For is the original client
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a response similar to

2022-08-17 02:22:51.377 ERROR 82022 --- [nio-8080-exec-4] .d.u.m.m.s.AuthenticationFailureListener : Failed login attempt for alexius from 0:0:0:0:0:0:0:1
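The two listeners above share the same address-extraction logic, and both trust X-Forwarded-For unconditionally, which is only safe when a proxy in front of the application overwrites that header. The following listener is an added example, not code from the article, and it combines the success and failure cases: it uses AbstractAuthenticationFailureEvent so that locked, disabled and expired accounts are logged as well as bad credentials, only honours X-Forwarded-For when the assumed property app.security.trust-forwarded-header is set, trims the first entry of the header, obtains the request through RequestContextHolder so the handler does not fail when an event is published outside a web request, and strips line breaks from the submitted username so an attacker-chosen principal cannot forge extra log lines. The property name and Java 11 (String.isBlank) are assumptions; the Spring and servlet packages are the same ones the article uses.

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpServletRequest;
import java.util.Optional;

@Slf4j
@Component
public class AuthenticationAuditListener {

    // Assumption: this property is set to true only when a trusted reverse proxy
    // sits in front of the application and overwrites X-Forwarded-For.
    private final boolean trustForwardedHeader;

    public AuthenticationAuditListener(
            @Value("${app.security.trust-forwarded-header:false}") boolean trustForwardedHeader) {
        this.trustForwardedHeader = trustForwardedHeader;
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        log.info("Successful login attempt for {} from {}",
                safeName(event.getAuthentication().getName()), clientAddress());
    }

    // Covers BadCredentials, Locked, Disabled, Expired and CredentialsExpired events
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        log.warn("Failed login attempt for {} from {} ({})",
                safeName(event.getAuthentication().getName()), clientAddress(),
                event.getException().getClass().getSimpleName());
    }

    // Resolves the client address of the current request, or a marker when there is none
    private String clientAddress() {
        return currentRequest()
                .map(request -> clientAddress(request, trustForwardedHeader))
                .orElse("no-request");
    }

    // Pure helper, kept static so it can be unit-tested with a mocked request
    static String clientAddress(HttpServletRequest request, boolean trustForwardedHeader) {
        if (trustForwardedHeader) {
            String xfHeader = request.getHeader("X-Forwarded-For");
            if (xfHeader != null && !xfHeader.isBlank()) {
                // left-most element is the original client; later ones are intermediate proxies
                String first = xfHeader.split(",")[0].trim();
                if (!first.isEmpty()) {
                    return first;
                }
            }
        }
        // header absent, empty or untrusted: fall back to the TCP peer address
        return request.getRemoteAddr();
    }

    // The submitted principal is attacker-controlled input; remove line breaks so it
    // cannot inject additional log records into a line-oriented log pipeline
    static String safeName(String name) {
        if (name == null) {
            return "<null>";
        }
        return name.replace('\r', '_').replace('\n', '_');
    }

    // Looks up the request bound to the current thread instead of autowiring a proxy,
    // so events published from a non-request thread do not throw
    private static Optional<HttpServletRequest> currentRequest() {
        RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
        if (attributes instanceof ServletRequestAttributes) {
            return Optional.of(((ServletRequestAttributes) attributes).getRequest());
        }
        return Optional.empty();
    }
}
```

Successful logins are logged at INFO and failures at WARN rather than ERROR, which keeps them distinguishable from application errors when the log is shipped to a SIEM; the exception class name on the failure line tells an analyst whether a burst of failures is a password-guessing pattern (BadCredentialsException) or accounts that are already locked (LockedException).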