  • Locking user after 3 unsuccessful events

    Hi all,
    I am new to Spring Security and developing some basic samples. I want to lock the user account after 3 failed login attempts.
    I have a table in the DB named users with an enabled field.

    I have written an application event listener as well.
    But my problem is how do I lock this user.
    I'm getting javax.servlet.ServletException: Filter execution threw an exception

    Need your help.
    I'm pasting my code.


    public class EventListener extends JdbcDaoImpl implements ApplicationListener, InitializingBean {
        // public static final int maxCount = 3;
        // static int failedLoginAttempts = 0;
        int status;
        String count;
        TestUserDetailsService userDetailsService;
        // public abstract boolean canHandle(Object event);
        // public abstract void handle(Object event);

        @Override
        public void onApplicationEvent(ApplicationEvent event) {
            if (event instanceof AuthorizedEvent) {
                AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
                System.out.println("authorized:" + authorizedEvent);
            }
            else if (event instanceof AuthorizationFailureEvent) {
                AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
                System.out.println("not authorized:" + authorizationFailureEvent);
            }
            else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
                AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
                System.out.println("badCredentials:" + badCredentialsEvent);
                Object name = badCredentialsEvent.getAuthentication().getPrincipal();
                System.out.println("name" + name);

                int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
                userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
                System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
                if (userDetailsService.getFailedLoginAttempts() >= 3) {
                    System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
                    this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
                }
                count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
                if (count == "NO") {
                    throw new LockedException("user has been lockded");
                }
            }
            else if (event instanceof AuthenticationSuccessEvent) {
                AuthenticationSuccessEvent authenticationSuccessEvent = (AuthenticationSuccessEvent) event;
                System.out.println("authSuccess:" + authenticationSuccessEvent);
            }
            else {
                System.out.println("undefined: " + event.getClass().getName());
            }
        }
    }


    I am not able to configure the locked exception.

  • #2
    Use [code][/code] tags when posting code.

    You use a Filter that isn't a Spring bean; hence your JdbcTemplate will resolve/result in an exception.


    • #3
      [code]
      public void onApplicationEvent(ApplicationEvent event) {
          if (event instanceof AuthorizedEvent) {
              AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
              System.out.println("authorized:" + authorizedEvent);
          }
          else if (event instanceof AuthorizationFailureEvent) {
              AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
              System.out.println("not authorized:" + authorizationFailureEvent);
          }
          else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
              AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
              System.out.println("badCredentials:" + badCredentialsEvent);
              Object name = badCredentialsEvent.getAuthentication().getPrincipal();
              System.out.println("name" + name);

              int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
              userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
              System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
              if (userDetailsService.getFailedLoginAttempts() >= 3) {
                  System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
                  this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
                  throw new LockedException("user account has been locked");
              }
              count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
              if (count == "NO") {
                  throw new LockedException("user has been lockded");
              }
          }
      }
      [/code]



      How do I lock the user? In the DB it's updating the enabled field properly.


      • #4
        I see a number of issues with the code that are unrelated to Spring Security.

        1> Is 'count=="NO"' how you are determining whether you throw a locked exception? If so, I don't see how this would ever work.
        2> I would strongly recommend that you use PreparedStatements instead of simple string concatenation, otherwise you will be absolutely vulnerable to SQL injection attacks.
        3> "==" is not a good way to compare strings.
        4> I don't have the Javadoc / source at hand at the moment, but is setFailedLoginAttempts a custom method that you have written which updates the database? If not, I don't think this code will ever work unless you are somehow tracking this count in the database via your user service.

        Hope this helps - it looks like you may benefit from doing some more reading about how to use Spring JDBC as well.

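The following is an added example, not code posted in this thread and not part of Spring Security itself. It shows one way to do what the original poster wants while addressing the four points in #4: the failed-attempt count lives in the database, every query binds the username as a parameter instead of concatenating it into the SQL, no string is compared with `==`, and the listener never throws. Instead, a `UserDetailsService` reports the lock through `accountNonLocked`, so Spring Security's `DaoAuthenticationProvider` raises `LockedException` itself during its pre-authentication checks, before the password is even compared. The schema is an assumption: a `users` table with `username`, `password`, `enabled`, `failed_attempts` and `account_locked` columns. Class names and the `ROLE_USER` authority are also made up for the example; the two classes would normally live in separate files.

```java
// Added example: account lockout driven by Spring Security authentication events.
// Assumed (not the poster's) schema:
//   users(username, password, enabled boolean, failed_attempts int, account_locked boolean)
import org.springframework.context.ApplicationListener;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Counts failed logins per user in the database and sets the lock flag at MAX_FAILED_ATTEMPTS. */
public class LockoutListener implements ApplicationListener<AbstractAuthenticationEvent> {

    private static final int MAX_FAILED_ATTEMPTS = 3;
    private final JdbcTemplate jdbc;

    // The template is injected; the listener is a plain Spring bean, not a servlet Filter.
    public LockoutListener(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        // getName() is the username that was submitted; for an unknown user the
        // updates below simply affect zero rows.
        String username = event.getAuthentication().getName();

        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            // The username is bound as a parameter: no string concatenation, no SQL injection.
            // Incrementing inside SQL keeps the counter in the database and tolerates
            // concurrent failures for the same account.
            jdbc.update("update users set failed_attempts = failed_attempts + 1 where username = ?",
                        username);
            jdbc.update("update users set account_locked = true "
                        + "where username = ? and failed_attempts >= ?",
                        username, MAX_FAILED_ATTEMPTS);
        } else if (event instanceof AuthenticationSuccessEvent) {
            // A successful login resets the counter.
            jdbc.update("update users set failed_attempts = 0 where username = ?", username);
        }
        // Deliberately no throw here: an exception escaping a listener is what surfaced as
        // the ServletException in the question. The lock is enforced when the user is loaded.
    }
}

/** Loads the user with its lock flag; a false accountNonLocked makes the provider throw LockedException. */
class LockAwareUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    LockAwareUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        try {
            return jdbc.queryForObject(
                "select username, password, enabled, account_locked from users where username = ?",
                (rs, rowNum) -> new User(
                    rs.getString("username"),
                    rs.getString("password"),
                    rs.getBoolean("enabled"),
                    true,                               // accountNonExpired
                    true,                               // credentialsNonExpired
                    !rs.getBoolean("account_locked"),   // accountNonLocked: false => LockedException
                    AuthorityUtils.createAuthorityList("ROLE_USER")),
                username);
        } catch (EmptyResultDataAccessException e) {
            // The provider converts this into BadCredentialsException by default, so a
            // bad-credentials event is still published for unknown usernames.
            throw new UsernameNotFoundException("No user named " + username);
        }
    }
}
```

Register both classes as beans and wire `LockAwareUserDetailsService` into the authentication provider; the listener is picked up automatically because it implements `ApplicationListener`. Once the row is locked, the next attempt fails with `LockedException` (and an `AuthenticationFailureLockedEvent`, not a bad-credentials event), so the counter stops growing. A permanent lock after three failures lets anyone lock someone else's account by submitting wrong passwords, so production deployments usually pair this with a timed unlock or a reset path; that is left out of the example.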