How can I limit login attempts in Spring Security?

Backend · Unresolved · 7 · 1463
清酒与你 2020-12-08 08:11

Is there some configuration or available module in Spring Security to limit login attempts (ideally, I'd like to have an increasing wait time between subsequent failed atte

7 replies
  •  暗喜 (OP)
     2020-12-08 08:23

    1. Create a table to store the values of failed attempts, e.g. user_attempts
    2. Write a custom event listener

        import org.slf4j.Logger;
        import org.slf4j.LoggerFactory;
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.security.authentication.AuthenticationEventPublisher;
        import org.springframework.security.authentication.BadCredentialsException;
        import org.springframework.security.authentication.LockedException;
        import org.springframework.security.core.Authentication;
        import org.springframework.security.core.AuthenticationException;
        import org.springframework.stereotype.Component;

        @Component("authenticationEventListner")
        public class AuthenticationEventListener implements AuthenticationEventPublisher {

            @Autowired
            UserAttemptsServices userAttemptsService;   // service backed by the user_attempts table

            @Autowired
            UserService userService;

            private static final int MAX_ATTEMPTS = 3;
            static final Logger logger = LoggerFactory.getLogger(AuthenticationEventListener.class);

            @Override
            public void publishAuthenticationSuccess(Authentication authentication) {
                logger.info("User has been logged in successfully: " + authentication.getName());
                // a successful login clears the failure counter
                userAttemptsService.resetFailAttempts(authentication.getName());
            }

            @Override
            public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
                logger.info("User login failed: " + authentication.getName());
                String username = authentication.getName();
                UserAttempts userAttempt = userAttemptsService.getUserAttempts(username);
                User userExists = userService.findBySSO(username);

                int attempts = 0;
                String error = "";
                String lastAttempted = "";
                if (userAttempt == null) {
                    // first failure: only start counting for accounts that actually exist
                    if (userExists != null) {
                        userAttemptsService.insertFailAttempts(username);
                    }
                } else {
                    attempts = userAttempt.getAttempts();
                    lastAttempted = String.valueOf(userAttempt.getLastModified());
                    userAttemptsService.updateFailAttempts(username, attempts);
                    if (attempts + 1 >= MAX_ATTEMPTS) {
                        error = "User account is locked!\n"
                              + "Username : " + username + "\n"
                              + "Last Attempted on : " + lastAttempted;
                        throw new LockedException(error);
                    }
                }
                throw new BadCredentialsException("Invalid User Name and Password");
            }
        }

    3. Security configuration

       1)
            // inject the listener declared above
            @Autowired
            @Qualifier("authenticationEventListner")
            AuthenticationEventListener authenticationEventListner;

       2)
            // expose it as the AuthenticationEventPublisher bean
            @Bean
            public AuthenticationEventPublisher authenticationListener() {
                return new AuthenticationEventListener();
            }

       3)
            // userDetailsService, passwordEncoder() and authenticationProvider are declared
            // elsewhere in the same configuration class (not shown in the answer)
            @Autowired
            public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
                // configuring custom user details service
                auth.authenticationProvider(authenticationProvider);
                // configuring login success and failure event listener
                auth.authenticationEventPublisher(authenticationEventListner);
            }
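
The answer above locks an account outright once MAX_ATTEMPTS is reached, while the question asks for an increasing wait between failed attempts. The class below is an added example, not code from the answer or from Spring Security: it is plain Java holding the counters in memory (a real deployment would persist them in the user_attempts table), and the listener's publishAuthenticationFailure could delegate to recordFailure/remainingWait in place of the fixed threshold. The thresholds, delays, username and timestamp are constructed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-username failure counter that imposes an exponentially growing wait between attempts. */
public class LoginBackoffPolicy {
    private static final int FREE_ATTEMPTS = 3;                   // failures tolerated before any delay
    private static final Duration BASE_DELAY = Duration.ofSeconds(5);
    private static final Duration MAX_DELAY = Duration.ofMinutes(30);
    private static final class State { int failures; Instant lockedUntil = Instant.EPOCH; }
    private final Map<String, State> states = new ConcurrentHashMap<>();

    /** Remaining wait for this username, or Duration.ZERO when a login may be attempted now. */
    public Duration remainingWait(String username, Instant now) {
        State s = states.get(username);
        if (s == null || !now.isBefore(s.lockedUntil)) return Duration.ZERO;
        return Duration.between(now, s.lockedUntil);
    }

    /** Records one failed login and returns the delay imposed before the next attempt. */
    public Duration recordFailure(String username, Instant now) {
        State s = states.computeIfAbsent(username, k -> new State());
        synchronized (s) {
            s.failures++;
            int over = s.failures - FREE_ATTEMPTS;
            if (over <= 0) return Duration.ZERO;
            // BASE_DELAY * 2^(over-1); the shift is capped so it cannot overflow a long
            Duration delay = BASE_DELAY.multipliedBy(1L << Math.min(over - 1, 20));
            if (delay.compareTo(MAX_DELAY) > 0) delay = MAX_DELAY;
            s.lockedUntil = now.plus(delay);
            return delay;
        }
    }

    /** A successful login clears the history, as resetFailAttempts does in the listener above. */
    public void recordSuccess(String username) {
        states.remove(username);
    }

    public static void main(String[] args) {
        LoginBackoffPolicy policy = new LoginBackoffPolicy();
        Instant t = Instant.parse("2020-12-08T08:11:00Z");       // constructed timestamp
        for (int i = 1; i <= 6; i++) {
            long wait = policy.recordFailure("alice", t).getSeconds();
            System.out.println("failure " + i + " -> wait " + wait + "s");
        }
        System.out.println("remaining wait: " + policy.remainingWait("alice", t).getSeconds() + "s");
    }
}
```

Because the delay grows per username rather than per client, a deployment should also rate-limit by source address so that the backoff cannot be used to keep a legitimate user locked out.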
    
