Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE

1. Overview

In this quick tutorial, we'll implement a basic solution for preventing brute force authentication attempts using Spring Security.

Simply put – we'll keep a record of the number of failed attempts originating from a single IP address. If that particular IP goes over a set number of requests – it will be blocked for 24 hours.

Further reading:

Introduction to Spring Method Security

A guide to method-level security using the Spring Security framework.

A Custom Filter in the Spring Security Filter Chain

A quick guide to show steps to add custom filter in Spring Security context.

Spring Security 5 for Reactive Applications

A quick and practical example of Spring Security 5 framework's features for securing reactive applications.

2. An AuthenticationFailureListener

Let's start by defining an AuthenticationFailureListener – to listen to AuthenticationFailureBadCredentialsEvent events and notify us of an authentication failure:

@Component
public class AuthenticationFailureListener implements 
  ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    @Autowired
    private HttpServletRequest request;

    @Autowired
    private LoginAttemptService loginAttemptService;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) {
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null || xfHeader.isEmpty() || !xfHeader.contains(request.getRemoteAddr())) {
            loginAttemptService.loginFailed(request.getRemoteAddr());
        } else {
            loginAttemptService.loginFailed(xfHeader.split(",")[0]);
        }
    }
}

Note how, when authentication fails, we inform the LoginAttemptService of the IP address from where the unsuccessful attempt originated. Here, we get the IP address from the HttpServletRequest bean, which also gives us the originating address in the X-Forwarded-For header for requests that are forwarded by e.g. a proxy server.

We also note that the X-Forwarded-For header is multi-valued and can be tweaked to easily spoof the origin IP. For this reason, we shouldn't assume that the header is trusted; instead, we have to check if it contains the request's remote address first. Otherwise, an attacker could set a different IP than his own at the first index of the header to avoid blocking his own IP. In case we block one of these IP addresses, then the attacker can add another IP address, and so on. This means he could brute-force the header IP address to spoof the request.

3. The LoginAttemptService

Now – let's discuss our LoginAttemptService implementation; simply put – we keep the number of wrong attempts per IP address for 24 hours:

@Service
public class LoginAttemptService {

    private final int MAX_ATTEMPT = 10;
    private LoadingCache<String, Integer> attemptsCache;

    public LoginAttemptService() {
        super();
        attemptsCache = CacheBuilder.newBuilder().
          expireAfterWrite(1, TimeUnit.DAYS).build(new CacheLoader<String, Integer>() {
            public Integer load(String key) {
                return 0;
            }
        });
    }

    public void loginFailed(String key) {
        int attempts = 0;
        try {
            attempts = attemptsCache.get(key);
        } catch (ExecutionException e) {
            attempts = 0;
        }
        attempts++;
        attemptsCache.put(key, attempts);
    }

    public boolean isBlocked(String key) {
        try {
            return attemptsCache.get(key) >= MAX_ATTEMPT;
        } catch (ExecutionException e) {
            return false;
        }
    }
}

Notice how an unsuccessful authentication attempt increases the number of attempts for that IP, but for the successful authentication the counter will not be reset.

From this point, it's simply a matter of checking the counter when we authenticate.

4. The UserDetailsService

Now, let’s add the extra check in our custom UserDetailsService implementation; when we load the UserDetails, we first need to check if this IP address is blocked:

@Service("userDetailsService")
@Transactional
public class MyUserDetailsService implements UserDetailsService {
 
    @Autowired
    private UserRepository userRepository;
 
    @Autowired
    private RoleRepository roleRepository;
 
    @Autowired
    private LoginAttemptService loginAttemptService;
 
    @Autowired
    private HttpServletRequest request;
 
    @Override
    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        String ip = getClientIP();
        if (loginAttemptService.isBlocked(ip)) {
            throw new RuntimeException("blocked");
        }
 
        try {
            User user = userRepository.findByEmail(email);
            if (user == null) {
                return new org.springframework.security.core.userdetails.User(
                  " ", " ", true, true, true, true, 
                  getAuthorities(Arrays.asList(roleRepository.findByName("ROLE_USER"))));
            }
 
            return new org.springframework.security.core.userdetails.User(
              user.getEmail(), user.getPassword(), user.isEnabled(), true, true, true, 
              getAuthorities(user.getRoles()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

And here is getClientIP() method:

private String getClientIP() {
    String xfHeader = request.getHeader("X-Forwarded-For");
    if (xfHeader == null || xfHeader.isEmpty() || !xfHeader.contains(request.getRemoteAddr())) {
        return request.getRemoteAddr();
    }
    return xfHeader.split(",")[0];
}

Notice that we have some extra logic to identify the original IP address of the Client. In most cases, that's not going to be necessary, but in some network scenarios, it is.

For these rare scenarios, we're using the X-Forwarded-For header to get to the original IP; here's the syntax for this header:

X-Forwarded-For: clientIpAddress, proxy1, proxy2

Also, notice another super-interesting capability that Spring has – we need the HTTP request, so we're simply wiring it in.

Now, that's cool. We'll have to add a quick listener into our web.xml for that to work, and it makes things a whole lot easier.

<listener>
    <listener-class>
        org.springframework.web.context.request.RequestContextListener
    </listener-class>
</listener>

That's about it – we've defined this new RequestContextListener in our web.xml to be able to access the request from the UserDetailsService.

5. Modify AuthenticationFailureHandler

Finally – let's modify our CustomAuthenticationFailureHandler to customize our new error message.

We're handling the situation when the user actually does get blocked for 24 hours – and we're informing the user that his IP is blocked because he exceeded the maximum allowed wrong authentication attempts:

@Component
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Autowired
    private MessageSource messages;

    @Override
    public void onAuthenticationFailure(...) {
        ...

        String errorMessage = messages.getMessage("message.badCredentials", null, locale);
        if (exception.getMessage().equalsIgnoreCase("blocked")) {
            errorMessage = messages.getMessage("auth.message.blocked", null, locale);
        }

        ...
    }
}

6. Conclusion

It's important to understand that this is a good first step in dealing with brute-force password attempts, but also that there's room for improvement. A production-grade brute-force prevention strategy may involve more elements than an IP block.

The full implementation of this tutorial can be found in the github project.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
Security footer banner
Comments are closed on this article!