ujjala wrote:
> Would it be possible to provide a sample snippet as to how to go about it?
The following is not the complete class (for example, in my app I detect
other login edge cases), but it includes the portion that detects the
condition you're looking for, and what turned out to be the hard parts:
getting hold of the userManager and constructing the i18n-ized
version of the error messages. Of course, you'll want to disable the
user after 3 failed attempts (which my code doesn't do), but you should
know that this makes for a simple DoS attack against your app's users.

Once you have to deal with disabled accounts, you'll want to pay
attention to AuthenticationFailureDisabledEvent to detect when to tell
users what to do/who to talk to in order to re-enable their account.
// Imports assumed for AppFuse 2 with Spring Security 2.x; under Acegi the
// security classes live in org.acegisecurity.* instead. User/UserManager are
// AppFuse's, extended here with the author's login-failure fields and methods.
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.appfuse.model.User;
import org.appfuse.service.UserExistsException;
import org.appfuse.service.UserManager;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent;
import com.opensymphony.xwork2.DefaultTextProvider;

public class LoginListener implements ApplicationListener, ApplicationContextAware {

    private static final Log log = LogFactory.getLog(LoginListener.class);
    private ApplicationContext applicationContext;

    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    // Look the userManager up lazily from the context so the listener bean has
    // no constructor dependency on it.
    private UserManager getUserManager() {
        if (applicationContext != null) {
            return (UserManager) applicationContext.getBean("userManager");
        }
        return null;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        UserManager userManager = getUserManager();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            // Failed login attempt.
            AuthenticationFailureBadCredentialsEvent badCredentialsEvent =
                    (AuthenticationFailureBadCredentialsEvent) event;
            // You can look inside the AuthenticationFailureBadCredentialsEvent by doing a
            // getException(), and then seeing which exception it is (either
            // BadCredentialsException or UsernameNotFoundException).
            if (badCredentialsEvent.getException() instanceof BadCredentialsException) {
                log.warn("badPassword:" + badCredentialsEvent);
                Object principal = badCredentialsEvent.getAuthentication().getPrincipal();
                User attemptedUser;
                if (userManager == null) {
                    log.warn("unable to continue without userManager...");
                    return;
                }
                if (principal instanceof User) {
                    // Force reload in current session
                    attemptedUser = userManager.getUserByUsernamePrivacyOverride(
                            ((User) principal).getUsername());
                } else if (principal instanceof String) {
                    attemptedUser = userManager.getUserByUsernamePrivacyOverride((String) principal);
                } else {
                    log.warn("user not authenticated, but unable to increment login tally:"
                            + badCredentialsEvent);
                    return;
                }
                // Increment the per-user failure counter persisted on the User record.
                Integer loginFailures = attemptedUser.getLoginFailureCount();
                if (loginFailures == null) {
                    loginFailures = Integer.valueOf(1);
                } else {
                    loginFailures = Integer.valueOf(loginFailures.intValue() + 1);
                }
                attemptedUser.setLoginFailureCount(loginFailures);
                try {
                    userManager.justSaveUser(attemptedUser);
                } catch (UserExistsException e) {
                    log.warn("Unable to increment login failure counter?" + e);
                } catch (NullPointerException e) {
                    log.warn("unable to save incremented login failure count without userManager...");
                }
                // i18n-ized messages for the user; the keys live in the app's resource bundle.
                saveMessage(DefaultTextProvider.INSTANCE.getText("user.loginFailureCount",
                        new String[] { loginFailures.toString() }));
                saveMessage(DefaultTextProvider.INSTANCE.getText("user.forgotPasswordLink",
                        new String[] { attemptedUser.getDisplayUsername() }));
            } else {
                log.warn("badUsername:" + badCredentialsEvent);
            }
        }
    }

    // saveMessage(...) and the handling of the other login edge cases are part of
    // the class but were omitted from this post.
}
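As an added example (not code from the post above or from AppFuse), here is one way to act on the failure counter without creating the DoS the reply warns about: count failures in a sliding window and lock the account only for a bounded period, so a flood of bad passwords against a victim's username delays them but never requires an admin to re-enable the account. The class is hypothetical and stands alone (no Spring types); the listener's BadCredentialsException branch would call recordFailure(), a successful login recordSuccess(), and the authentication provider would consult isLocked() before verifying a password.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the original post or from AppFuse.
public class FailedLoginTracker {
    private final int maxFailures;
    private final long windowMillis;
    private final long lockoutMillis;
    // username -> {failures in current window, window start, locked-until}; times are epoch millis
    private final Map<String, long[]> state = new HashMap<String, long[]>();
    public FailedLoginTracker(int maxFailures, long windowMillis, long lockoutMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.lockoutMillis = lockoutMillis;
    }
    // Called from the listener's BadCredentialsException branch; "now" is passed in so the
    // policy can be unit-tested without sleeping.
    public synchronized void recordFailure(String username, long now) {
        long[] s = state.get(username);
        if (s == null) {
            state.put(username, s = new long[] { 0L, now, 0L });
        }
        if (now - s[1] > windowMillis) { // window elapsed: old failures no longer count
            s[0] = 0L;
            s[1] = now;
        }
        s[0]++;
        if (s[0] >= maxFailures) { // threshold reached: lock for a bounded time, not permanently
            s[2] = now + lockoutMillis;
            s[0] = 0L;
        }
    }
    // Consult this where the account's locked status is evaluated, before checking the password.
    public synchronized boolean isLocked(String username, long now) {
        long[] s = state.get(username);
        return s != null && s[2] > now;
    }
    // A successful login clears the history so a legitimate user's occasional typos never accumulate.
    public synchronized void recordSuccess(String username) {
        state.remove(username);
    }
    public static void main(String[] args) {
        FailedLoginTracker t = new FailedLoginTracker(3, 10 * 60 * 1000L, 15 * 60 * 1000L);
        long t0 = System.currentTimeMillis();
        for (int i = 1; i <= 3; i++) { // the third failure inside the window triggers the lockout
            t.recordFailure("alice", t0 + i * 1000L);
            System.out.println("failure " + i + " -> locked: " + t.isLocked("alice", t0 + i * 1000L));
        }
        System.out.println("16 min later -> locked: " + t.isLocked("alice", t0 + 16 * 60 * 1000L));
    }
}
```

In a clustered deployment the map would need to be replaced by shared storage (the persisted loginFailureCount from the post plus a locked-until timestamp), otherwise each node keeps its own count.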