Spring Security可以為您做很多事情。

帳戶被封鎖，密碼鹽。 但是蠻力阻斷劑呢？

那是你必須自己做的。

幸運的是，Spring是一個非常靈活的框架，因此對其進行配置并不是什么大問題。

讓我向您展示一些如何針對Grails應用程序執行此操作的指南。

首先，您必須在config.groovy中啟用springSecurityEventListener

grails.plugins.springsecurity.useSecurityEventListener = true

然后實現監聽器
在/ src / bruteforce中創建類

/**
Registers all failed attempts to login. Main purpose to count attempts for particular account ant block user*/
class AuthenticationFailureListener implements ApplicationListener {LoginAttemptCacheService loginAttemptCacheService@Overridevoid onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) {loginAttemptCacheService.failLogin(e.authentication.name)}
}

接下來，我們必須創建用于成功登錄的偵聽器
在同一包裝中

/**Listener for successfull logins. Used for reseting number on unsuccessfull logins for specific account
*/
class AuthenticationSuccessEventListener implements ApplicationListener{LoginAttemptCacheService loginAttemptCacheService@Overridevoid onApplicationEvent(AuthenticationSuccessEvent e) {loginAttemptCacheService.loginSuccess(e.authentication.name)}
}

我們沒有將它們放在grails-app文件夾中，因此我們需要將這些類作為spring bean重新命名。
在grails-app / conf / spring / resources.groovy中添加下一行

beans = {authenticationFailureListener(AuthenticationFailureListener) {loginAttemptCacheService = ref('loginAttemptCacheService')}authenticationSuccessEventListener(AuthenticationSuccessEventListener) {loginAttemptCacheService = ref('loginAttemptCacheService')}
}

您可能會注意到LoginAttemptCacheService loginAttemptCacheService的用法
讓我們實現它。 這將是典型的grails服務

package com.picsel.officeanywhereimport com.google.common.cache.CacheBuilder
import com.google.common.cache.CacheLoader
import com.google.common.cache.LoadingCacheimport java.util.concurrent.TimeUnit
import org.apache.commons.lang.math.NumberUtils
import javax.annotation.PostConstructclass LoginAttemptCacheService {private LoadingCacheattempts;private int allowedNumberOfAttemptsdef grailsApplication@PostConstructvoid init() {allowedNumberOfAttempts = grailsApplication.config.brutforce.loginAttempts.allowedNumberOfAttemptsint time = grailsApplication.config.brutforce.loginAttempts.timelog.info 'account block configured for $time minutes'attempts = CacheBuilder.newBuilder().expireAfterWrite(time, TimeUnit.MINUTES).build({0} as CacheLoader);}/*** Triggers on each unsuccessful login attempt and increases number of attempts in local accumulator* @param login - username which is trying to login* @return*/def failLogin(String login) {def numberOfAttempts = attempts.get(login)log.debug 'fail login $login previous number for attempts $numberOfAttempts'numberOfAttempts++if (numberOfAttempts > allowedNumberOfAttempts) {blockUser(login)attempts.invalidate(login)} else {attempts.put(login, numberOfAttempts)}}/*** Triggers on each successful login attempt and resets number of attempts in local accumulator* @param login - username which is login*/def loginSuccess(String login) {log.debug 'successfull login for $login'attempts.invalidate(login)}/*** Disable user account so it would not able to login* @param login - username that has to be disabled*/private void blockUser(String login) {log.debug 'blocking user: $login'def user = User.findByUsername(login)if (user) {user.accountLocked = true;user.save(flush: true)}}
}

我們將使用Google番石榴庫中的CacheBuilder。 因此，將下一行添加到BuildConfig.groovy

dependencies {runtime 'com.google.guava:guava:11.0.1'}

最后一步，將服務配置添加到cinfig.groovy

brutforce {loginAttempts {time = 5allowedNumberOfAttempts = 3}

就是這樣，您準備運行您的應用程序。
對于典型的Java項目，幾乎一切都是一樣的。 相同的偵聽器和相同的服務。
有關Spring Security Events的更多信息 有關使用Google番石榴進行緩存的更多信息

Grails用戶可以簡單地使用此插件https://github.com/grygoriy/bruteforcedefender

祝您編程愉快，別忘了分享！

參考： Grygoriy Mykhalyuno博客博客中的JCG合作伙伴 Grygoriy Mykhalyuno 使用Spring Security防止暴力攻擊 。

翻譯自: https://www.javacodegeeks.com/2012/10/spring-security-prevent-brute-force.html