Added Anti-Brute-force attack.

Author: sean-huni

build.gradle

@@ -68,6 +68,9 @@ dependencies {
     compile('org.springframework.boot:spring-boot-starter-web')
     compile('de.codecentric:spring-boot-admin-starter-client')
     compile('de.codecentric:spring-boot-admin-starter-server')
+    // https://mvnrepository.com/artifact/com.google.guava/guava
+    compile('com.google.guava:guava:25.1-jre')
+
     compile('org.webjars:bootstrap:4.1.0')
     compile('org.webjars:font-awesome:5.0.13')
     // https://mvnrepository.com/artifact/org.webjars/jquery
@@ -76,7 +79,9 @@ dependencies {
     runtime('com.h2database:h2')
 //    runtime('mysql:mysql-connector-java')
     compileOnly('org.springframework.boot:spring-boot-configuration-processor')
-    compileOnly('org.projectlombok:lombok:1.18.0')
+    // https://mvnrepository.com/artifact/org.projectlombok/lombok
+    compile('org.projectlombok:lombok')
+
     testCompile('org.springframework.boot:spring-boot-starter-test')
     testCompile('org.springframework.restdocs:spring-restdocs-mockmvc')
     testCompile('org.springframework.security:spring-security-test')

pi.iml

@@ -4,6 +4,15 @@
     <facet type="Spring" name="Spring">
       <configuration />
     </facet>
+    <facet type="web" name="Web">
+      <configuration>
+        <webroots />
+        <sourceRoots>
+          <root url="file://$MODULE_DIR$/src/main/resources" />
+          <root url="file://$MODULE_DIR$/src/main/java" />
+        </sourceRoots>
+      </configuration>
+    </facet>
   </component>
   <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8" inherit-compiler-output="true">
     <exclude-output />

src/main/java/io/home/pi/component/AuthenticationFailureListener.java

@@ -16,15 +16,13 @@
  * CELL    : +27-78-683-1982
  */
 @Component
-public class AuthenticationFailureListener
-        implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
+public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
 
     @Autowired
     private LoginAttemptService loginAttemptService;
 
     public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) {
-        WebAuthenticationDetails auth = (WebAuthenticationDetails)
-                e.getAuthentication().getDetails();
+        WebAuthenticationDetails auth = (WebAuthenticationDetails) e.getAuthentication().getDetails();
 
         loginAttemptService.loginFailed(auth.getRemoteAddress());
     }

src/main/java/io/home/pi/component/AuthenticationSuccessEventListener.java

@@ -16,15 +16,13 @@
  * CELL    : +27-78-683-1982
  */
 @Component
-public class AuthenticationSuccessEventListener
-        implements ApplicationListener<AuthenticationSuccessEvent> {
+public class AuthenticationSuccessEventListener implements ApplicationListener<AuthenticationSuccessEvent> {
 
     @Autowired
     private LoginAttemptService loginAttemptService;
 
     public void onApplicationEvent(AuthenticationSuccessEvent e) {
-        WebAuthenticationDetails auth = (WebAuthenticationDetails)
-                e.getAuthentication().getDetails();
+        WebAuthenticationDetails auth = (WebAuthenticationDetails) e.getAuthentication().getDetails();
 
         loginAttemptService.loginSucceeded(auth.getRemoteAddress());
     }

src/main/java/io/home/pi/component/CustomAuthenticationFailureHandler.java

@@ -0,0 +1,73 @@
+package io.home.pi.component;
+
+import io.home.pi.constant.SpringConstants;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.MessageSource;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.WebAttributes;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.LocaleResolver;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Locale;
+
+/**
+ * PROJECT   : pi
+ * PACKAGE   : io.home.pi.component
+ * USER      : sean
+ * DATE      : 29-June-2018
+ * TIME      : 20:09
+ */
+@Component("authenticationFailureHandler")
+public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
+    private MessageSource messageSource;
+
+    @Autowired
+    private LocaleResolver localeResolver;
+
+    @Autowired
+    public CustomAuthenticationFailureHandler(MessageSource messageSource) {
+        this.messageSource = messageSource;
+    }
+
+
+    @Autowired
+    public void setMessageSource(MessageSource messageSource) {
+        this.messageSource = messageSource;
+    }
+
+    /**
+     * Performs the redirect or forward to the {@code defaultFailureUrl} if set, otherwise
+     * returns a 401 error code.
+     * <p>
+     * If redirecting or forwarding, {@code saveException} will be called to cache the
+     * exception for use in the target view.
+     *
+     * @param request
+     * @param response
+     * @param exception
+     */
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
+        setDefaultFailureUrl(SpringConstants.URL_LOGIN_ERROR_TRUE);
+        super.onAuthenticationFailure(request, response, exception);
+
+        final Locale locale = localeResolver.resolveLocale(request);
+
+        String errorMessage = messageSource.getMessage("message.badCredentials", null, locale);
+
+        if (exception.getMessage().equalsIgnoreCase("User is disabled")) {
+            errorMessage = messageSource.getMessage("auth.message.disabled", null, locale);
+        } else if (exception.getMessage().equalsIgnoreCase("User account has expired")) {
+            errorMessage = messageSource.getMessage("auth.message.expired", null, locale);
+        } else if (exception.getMessage().equalsIgnoreCase("blocked")) {
+            errorMessage = messageSource.getMessage("auth.message.blocked", null, locale);
+        }
+
+        request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, errorMessage);
+    }
+}

src/main/java/io/home/pi/config/WebConfig.java

@@ -1,14 +1,19 @@
 package io.home.pi.config;
 
+import org.springframework.context.MessageSource;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
+import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.web.context.request.RequestContextListener;
+import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring5.SpringTemplateEngine;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
+
+import java.util.Locale;
 
 import static io.home.pi.constant.SpringConstants.EXTERNAL_URL_RESOURCES;
 import static io.home.pi.constant.SpringConstants.INTERNAL_URL_RESOURCES;
@@ -25,6 +30,28 @@
 @ComponentScan
 @PropertySource(value = {"classpath:application.properties"})
 public class WebConfig implements WebMvcConfigurer {
+
+    @Bean
+    public RequestContextListener requestContextListener() {
+        return new RequestContextListener();
+    }
+
+    @Bean
+    public LocaleResolver localeResolver() {
+        SessionLocaleResolver localeResolver = new SessionLocaleResolver();
+        localeResolver.setDefaultLocale(Locale.getDefault());
+        return localeResolver;
+    }
+
+    @Bean
+    public MessageSource messageSource() {
+        ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
+        messageSource.setBasename("classpath:messages/messages");
+        messageSource.setCacheSeconds(60); //reload messages every 10 seconds
+        return messageSource;
+    }
+
+
     /**
      * Adds resource handlers.
      *
@@ -35,4 +62,5 @@ public void addResourceHandlers(ResourceHandlerRegistry registry) {
         registry.addResourceHandler(EXTERNAL_URL_RESOURCES)
                 .addResourceLocations(INTERNAL_URL_RESOURCES);
     }
+
 }

src/main/java/io/home/pi/config/WebSecurityConfig.java

@@ -1,5 +1,6 @@
 package io.home.pi.config;
 
+import io.home.pi.component.CustomAuthenticationFailureHandler;
 import io.home.pi.service.impl.UserDetailServiceImpl;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -10,7 +11,6 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
-import org.springframework.transaction.annotation.EnableTransactionManagement;
 
 import static io.home.pi.constant.SpringConstants.*;
 
@@ -23,10 +23,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     private UserDetailServiceImpl userDetailsService;
 
+    private CustomAuthenticationFailureHandler authenticationFailureHandler;
+
     @Autowired
-    public WebSecurityConfig(PersistentTokenRepository persistenceTokenRepository, UserDetailServiceImpl userDetailsService) {
+    public WebSecurityConfig(PersistentTokenRepository persistenceTokenRepository, UserDetailServiceImpl userDetailsService, CustomAuthenticationFailureHandler authenticationFailureHandler) {
         this.persistenceTokenRepository = persistenceTokenRepository;
         this.userDetailsService = userDetailsService;
+        this.authenticationFailureHandler = authenticationFailureHandler;
     }
 
 //    @Bean
@@ -54,6 +57,8 @@ protected void configure(HttpSecurity httpSecurity) throws Exception {
                 .formLogin()
                 .loginPage(URL_LOGIN_PAGE)
                 .defaultSuccessUrl(URL_DEFAULT_AUTH_USER_PAGE, true)
+//                .successHandler(myAuthenticationSuccessHandler)
+                .failureHandler(authenticationFailureHandler)
                 .permitAll()
                 .and()
                 .sessionManagement()

src/main/java/io/home/pi/constant/SpringConstants.java

@@ -43,4 +43,5 @@ public class SpringConstants {
     public static final String[] INTERNAL_URL_RESOURCES = {
             URL_INTERNAL_RESOURCES_PUB, URL_INTERNAL_RESOURCES_STATIC, URL_INTERNAL_RESOURCES_WEBJAR,};
 
+    public static final String URL_LOGIN_ERROR_TRUE = "/user/login?error=true";
 }

src/main/java/io/home/pi/controller/UserProfileCtrl.java

@@ -3,7 +3,6 @@
 import io.home.pi.constant.SpringConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;

src/main/java/io/home/pi/service/impl/LoginAttemptService.java

@@ -1,6 +1,8 @@
 package io.home.pi.service.impl;
 
-import org.springframework.cglib.core.internal.LoadingCache;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
 import org.springframework.stereotype.Service;
 
 import java.util.concurrent.ExecutionException;
@@ -17,7 +19,7 @@
 @Service
 public class LoginAttemptService {
 
-    private final int MAX_ATTEMPT = 10;
+    private final int MAX_ATTEMPT = 3;
     private LoadingCache<String, Integer> attemptsCache;
 
     public LoginAttemptService() {

src/main/java/io/home/pi/service/impl/UserDetailServiceImpl.java

@@ -13,6 +13,7 @@
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -30,15 +31,17 @@
 @Service
 public class UserDetailServiceImpl implements UserDetailsService {
     private static final Logger LOGGER = LoggerFactory.getLogger(UserDetailServiceImpl.class);
-
     private final UserService userService;
+    private HttpServletRequest request;
+    private LoginAttemptService loginAttemptService;
 
     @Autowired
-    public UserDetailServiceImpl(UserService userService) {
+    public UserDetailServiceImpl(HttpServletRequest request, LoginAttemptService loginAttemptService, UserService userService) {
+        this.request = request;
+        this.loginAttemptService = loginAttemptService;
         this.userService = userService;
     }
 
-
     /**
      * Locates the user based on the username. In the actual implementation, the search
      * may possibly be case sensitive, or case insensitive depending on how the
@@ -52,8 +55,14 @@ public UserDetailServiceImpl(UserService userService) {
      *                                   GrantedAuthority
      */
     @Override
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, SecurityException {
+        String ip = getClientIP(request);
+        if (loginAttemptService.isBlocked(ip)) {
+            throw new SecurityException("blocked");
+        }
+
         Optional<User> userOptional = Optional.ofNullable(userService.findByUsername(username));
+
         if (!userOptional.isPresent()) {
             throw new UsernameNotFoundException("Username & Password doesn't exist!");
         }
@@ -68,10 +77,11 @@ private List<GrantedAuthority> getGrantedAuthorities(User user) {
 
             groupAuthorities.add(user.getTeam().getGrpAuth());
 
-
             for (GrpAuth userAuth : groupAuthorities) {
                 LOGGER.info("User Auth: " + userAuth.toString());
-                authorities.add(new SimpleGrantedAuthority(USER_ROLE_PREFIX + userAuth.getAuthorities().iterator().next().getLevel()));
+                while (userAuth.getAuthorities().iterator().hasNext()) {
+                    authorities.add(new SimpleGrantedAuthority(USER_ROLE_PREFIX + userAuth.getAuthorities().iterator().next().getLevel()));
+                }
             }
         } catch (Exception e) {
             LOGGER.error(e.getMessage(), e);
@@ -86,4 +96,19 @@ private List<GrantedAuthority> getGrantedAuthorities(User user) {
     }
 
 
+    private String getClientIP(HttpServletRequest request) {
+        String clientIP;
+        String xfHeader = request.getHeader("X-Fowarded-For");
+        if (xfHeader == null) {
+            String remoteIP = request.getRemoteAddr();
+            LOGGER.info("Remote-IP: {}", remoteIP);
+            return remoteIP;
+        }
+
+        clientIP = xfHeader.split(",")[0];
+        LOGGER.info("Client-IP: {}", clientIP);
+        return clientIP;
+    }
+
+
 }

src/main/java/io/home/pi/util/PiUtil.java

@@ -0,0 +1,17 @@
+package io.home.pi.util;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * PROJECT   : pi
+ * PACKAGE   : io.home.pi.util
+ * USER      : sean
+ * DATE      : 29-June-2018
+ * TIME      : 19:46
+ */
+public class PiUtil {
+    private static final Logger LOGGER = LoggerFactory.getLogger(PiUtil.class);
+
+
+}

src/main/resources/data.sql

@@ -18,6 +18,5 @@ insert into rpi.team (grp_id, grp_auth_id) values (1, 1);
 insert into rpi.user (username, password, enabled, team_id)
 values ('demo@email.com', '$2a$10$.R9eHFOfpQDa.BEmkUUdVegl/5XUQ8ELXaKFz/7QJmqunjbVyg/0y', true, 1);
 
-
-insert into RPI.TOKEN_LOG (id,series, timestamp, token, username)
-values(1, 'KDRbKsElGjpY0abA1vwZUQ==', CURRENT_TIMESTAMP(), '83AjDxYvEBxDgLMJLNzkaA==', 'demo@email.com');
+-- insert into RPI.TOKEN_LOG (id,series, timestamp, token, username)
+-- values(1, 'KDRbKsElGjpY0abA1vwZUQ==', CURRENT_TIMESTAMP(), '83AjDxYvEBxDgLMJLNzkaA==', 'demo@email.com');