Spring Security可以为您做很多事情。
帐户被封锁,密码盐。 但是蛮力阻断剂呢?
那是你必须自己做的。
幸运的是,Spring是一个非常灵活的框架,因此对其进行配置并不是什么大问题。
让我向您展示一些如何针对Grails应用程序执行此操作的指南。
首先,您必须在config.groovy中启用springSecurityEventListener
grails.plugins.springsecurity.useSecurityEventListener = true 然后实现监听器
在/ src / bruteforce中创建类
/**
Registers all failed attempts to login. Main purpose to count attempts for particular account ant block user
*/
class AuthenticationFailureListener implements ApplicationListener {
LoginAttemptCacheService loginAttemptCacheService
@Override
void onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) {
loginAttemptCacheService.failLogin(e.authentication.name)
}
} 接下来,我们必须创建用于成功登录的侦听器
在同一包装中
/**
Listener for successfull logins. Used for reseting number on unsuccessfull logins for specific account
*/
class AuthenticationSuccessEventListener implements ApplicationListener{
LoginAttemptCacheService loginAttemptCacheService
@Override
void onApplicationEvent(AuthenticationSuccessEvent e) {
loginAttemptCacheService.loginSuccess(e.authentication.name)
}
} 我们没有将它们放在grails-app文件夹中,因此我们需要将这些类作为spring bean重新命名。
在grails-app / conf / spring / resources.groovy中添加下一行
beans = {
authenticationFailureListener(AuthenticationFailureListener) {
loginAttemptCacheService = ref('loginAttemptCacheService')
}
authenticationSuccessEventListener(AuthenticationSuccessEventListener) {
loginAttemptCacheService = ref('loginAttemptCacheService')
}
} 您可能会注意到LoginAttemptCacheService loginAttemptCacheService的用法
让我们实现它。 这将是典型的grails服务
package com.picsel.officeanywhere
import com.google.common.cache.CacheBuilder
import com.google.common.cache.CacheLoader
import com.google.common.cache.LoadingCache
import java.util.concurrent.TimeUnit
import org.apache.commons.lang.math.NumberUtils
import javax.annotation.PostConstruct
class LoginAttemptCacheService {
private LoadingCache
attempts;
private int allowedNumberOfAttempts
def grailsApplication
@PostConstruct
void init() {
allowedNumberOfAttempts = grailsApplication.config.brutforce.loginAttempts.allowedNumberOfAttempts
int time = grailsApplication.config.brutforce.loginAttempts.time
log.info 'account block configured for $time minutes'
attempts = CacheBuilder.newBuilder()
.expireAfterWrite(time, TimeUnit.MINUTES)
.build({0} as CacheLoader);
}
/**
* Triggers on each unsuccessful login attempt and increases number of attempts in local accumulator
* @param login - username which is trying to login
* @return
*/
def failLogin(String login) {
def numberOfAttempts = attempts.get(login)
log.debug 'fail login $login previous number for attempts $numberOfAttempts'
numberOfAttempts++
if (numberOfAttempts > allowedNumberOfAttempts) {
blockUser(login)
attempts.invalidate(login)
} else {
attempts.put(login, numberOfAttempts)
}
}
/**
* Triggers on each successful login attempt and resets number of attempts in local accumulator
* @param login - username which is login
*/
def loginSuccess(String login) {
log.debug 'successfull login for $login'
attempts.invalidate(login)
}
/**
* Disable user account so it would not able to login
* @param login - username that has to be disabled
*/
private void blockUser(String login) {
log.debug 'blocking user: $login'
def user = User.findByUsername(login)
if (user) {
user.accountLocked = true;
user.save(flush: true)
}
}
}我们将使用Google番石榴库中的CacheBuilder。 因此,将下一行添加到BuildConfig.groovy
dependencies {
runtime 'com.google.guava:guava:11.0.1'
}最后一步,将服务配置添加到cinfig.groovy
brutforce {
loginAttempts {
time = 5
allowedNumberOfAttempts = 3
} 就是这样,您准备运行您的应用程序。
对于典型的Java项目,几乎一切都是一样的。 相同的侦听器和相同的服务。
有关Spring Security Events的更多信息 有关使用Google番石榴进行缓存的更多信息
Grails用户可以简单地使用此插件https://github.com/grygoriy/bruteforcedefender
祝您编程愉快,别忘了分享!
参考: Grygoriy Mykhalyuno博客博客中的JCG合作伙伴 Grygoriy Mykhalyuno 使用Spring Security防止暴力攻击 。
翻译自: https://www.javacodegeeks.com/2012/10/spring-security-prevent-brute-force.html
727
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
