-
Jun 8th, 2010, 05:20 AM
#1
Locking user after 3 unsuccessful events
Hi all,
I am new to Spring Security and developing some basic samples. I want to lock the user account after 3 failed login attempts.
I have a table in the DB named users with an enabled field.
I have written an application event listener as well.
But my problem is how do I lock this user.
I am getting javax.servlet.ServletException: Filter execution threw an exception
Need your help.
I am pasting my code.
[code]
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

public class EventListener extends JdbcDaoImpl implements ApplicationListener, InitializingBean {
    // public static final int maxCount = 3;
    // static int failedLoginAttempts = 0;
    int status;
    String count;
    TestUserDetailsService userDetailsService; // custom service holding the failure counter
    // public abstract boolean canHandle(Object event);
    // public abstract void handle(Object event);

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthorizedEvent) {
            AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
            System.out.println("authorized:" + authorizedEvent);
        } else if (event instanceof AuthorizationFailureEvent) {
            AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
            System.out.println("not authorized:" + authorizationFailureEvent);
        } else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
            System.out.println("badCredentials:" + badCredentialsEvent);
            Object name = badCredentialsEvent.getAuthentication().getPrincipal();
            System.out.println("name" + name);
            // counter lives in the user details service, not in the database
            int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
            userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
            System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
            if (userDetailsService.getFailedLoginAttempts() >= 3) {
                // user-supplied name is concatenated straight into the SQL
                System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
                this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
            }
            count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
            if (count == "NO") { // reference comparison, not equals()
                throw new LockedException("user has been locked");
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            AuthenticationSuccessEvent authenticationSuccessEvent = (AuthenticationSuccessEvent) event;
            System.out.println("authSuccess:" + authenticationSuccessEvent);
        } else {
            System.out.println("undefined: " + event.getClass().getName());
        }
    }
}
[/code]
I am not able to configure the locked exception.
-
Jun 8th, 2010, 06:18 AM
#2
Use [ code][/code ] tags when posting code.
You use a Filter that isn't a Spring bean; hence your JdbcTemplate will resolve/result in an exception.
-
Jun 8th, 2010, 06:25 AM
#3
[code]
public void onApplicationEvent(ApplicationEvent event) {
    if (event instanceof AuthorizedEvent) {
        AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
        System.out.println("authorized:" + authorizedEvent);
    } else if (event instanceof AuthorizationFailureEvent) {
        AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
        System.out.println("not authorized:" + authorizationFailureEvent);
    } else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
        AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
        System.out.println("badCredentials:" + badCredentialsEvent);
        Object name = badCredentialsEvent.getAuthentication().getPrincipal();
        System.out.println("name" + name);
        int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
        userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
        System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
        if (userDetailsService.getFailedLoginAttempts() >= 3) {
            System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
            this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
            throw new LockedException("user account has been locked");
        }
        count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
        if (count == "NO") {
            throw new LockedException("user has been locked");
        }
    }
}
[/code]
How do I lock the user? In the DB it's updating the enabled field properly.
-
Jun 8th, 2010, 08:19 AM
#4
I see a number of issues with the code that are unrelated to Spring Security.
1> Is 'count=="NO"' how you are determining whether you throw a locked exception? If so, I don't see how this would ever work.
2> I would strongly recommend that you use PreparedStatements instead of simple string concatenation, otherwise you will be absolutely vulnerable to SQL injection attacks.
3> "==" is not a good way to compare strings.
4> I don't have the Javadoc / source at hand at the moment, but is setFailedLoginAttempts a custom method that you have written which updates the database? If not, I don't think this code will ever work unless you are somehow tracking this count in the database via your user service.
Hope this helps - it looks like you may benefit from doing some more reading about how to use Spring JDBC as well.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
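An added example of the lockout listener written the way reply #4 suggests (parameterised SQL, no string `==`, counter kept in the database); this is not code from the thread. It assumes a hypothetical integer `failed_attempts` column next to `enabled` in the users table, a boolean `enabled` column as JdbcDaoImpl's default query reads it, and that the listener is registered as a Spring bean with the JdbcTemplate injected, so the next login of a disabled user is rejected by DaoAuthenticationProvider instead of by an exception thrown from the listener.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

/**
 * Counts bad-credential failures per username in the database and
 * disables the account once MAX_FAILURES is reached. The listener never
 * throws: disabling the row is enough, because the UserDetails loaded
 * on the next attempt report enabled = false and the provider rejects it.
 * Column failed_attempts is an assumption, not part of Spring's schema.
 */
public class LockoutListener implements ApplicationListener<AbstractAuthenticationEvent> {

    private static final int MAX_FAILURES = 3;
    private final JdbcTemplate jdbcTemplate;

    public LockoutListener(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String username = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            recordFailure(username);
        } else if (event instanceof AuthenticationSuccessEvent) {
            // a successful login clears the counter
            jdbcTemplate.update("update users set failed_attempts = 0 where username = ?", username);
        }
    }

    /** The username is bound through '?' placeholders, never concatenated into SQL. */
    void recordFailure(String username) {
        int updated = jdbcTemplate.update(
                "update users set failed_attempts = failed_attempts + 1 where username = ?", username);
        if (updated == 0) {
            return; // no such user: nothing to count
        }
        Integer failures = jdbcTemplate.queryForObject(
                "select failed_attempts from users where username = ?", Integer.class, username);
        if (failures != null && failures >= MAX_FAILURES) {
            // boolean column as read by JdbcDaoImpl's users-by-username query
            jdbcTemplate.update("update users set enabled = ? where username = ?", Boolean.FALSE, username);
        }
    }
}
```

Declaring the listener as a bean in the same context as the JdbcTemplate also answers reply #2: a plain Filter created by the container gets no injection, whereas a bean does.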