用 spring-boot 實作預防暴力登入嘗試的機制

@Service public class LoginAttemptService {      @Autowired     private HttpServletRequest request;     private final int MAX_ATTEMPT = 2;     private final int bolckTimeMins = 1;     private LoadingCache<String, Integer> attemptsCache;      public LoginAttemptService() {         attemptsCache = CacheBuilder.newBuilder().                 expireAfterWrite(bolckTimeMins, TimeUnit.MINUTES).build(new CacheLoader<String, Integer>() {             public Integer load(String key) {                 return 0;             }         });     }      public void loginSucceeded(String key) {         attemptsCache.invalidate(key);     }      public void loginFailed(String key) {         int attempts = 0;         try {             attempts = attemptsCache.get(key);         } catch (ExecutionException e) {             attempts = 0;         }         attempts++;         attemptsCache.put(key, attempts);     }      public boolean isBlocked(String key) {         try {             return attemptsCache.get(key) >= MAX_ATTEMPT;         } catch (ExecutionException e) {             return false;         }     } }

@Component public class AuthenticationSuccessEventListener         implements ApplicationListener<AuthenticationSuccessEvent> {      @Autowired     private LoginAttemptService loginAttemptService;      public void onApplicationEvent(AuthenticationSuccessEvent e) {         WebAuthenticationDetails auth = (WebAuthenticationDetails)                 e.getAuthentication().getDetails();          loginAttemptService.loginSucceeded(auth.getRemoteAddress());     } }

@Component public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {      @Override     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,                                         AuthenticationException exception) throws IOException {         response.sendError(403, exception.getMessage());     } }

@Service("MyUserDetailsImpl") public class MyUserDetailsService implements UserDetailsService {     @Autowired     private UserRepository repo;      public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {         User user;         try {             user = repo.getByUsername(userName);         } catch (Exception e) {             throw new UsernameNotFoundException("user select fail");         }         if(user == null){             throw new UsernameNotFoundException("no user found");         } else {             try {                 List<GrantedAuthority> gas = new ArrayList<GrantedAuthority>();                 gas.add(new SimpleGrantedAuthority("ROLE_USER"));                 return new org.springframework.security.core.userdetails.User(                         user.getUsername(), user.getPassword(), true, true, true, true, gas);             } catch (Exception e) {                 throw new UsernameNotFoundException("user role select fail");             }         }     } }

@Component public class MyAuthenticationProvider implements AuthenticationProvider {     @Autowired     private MyUserDetailsService myUserDetailsService;     @Autowired     private LoginAttemptService loginAttemptService;     public Authentication authenticate(Authentication authentication) throws AuthenticationException {         WebAuthenticationDetails wad = (WebAuthenticationDetails) authentication.getDetails();         String userIPAddress = wad.getRemoteAddress();         String username = authentication.getName();         String password = (String) authentication.getCredentials();         if(loginAttemptService.isBlocked(userIPAddress)) {             throw new LockedException("This ip has been blocked");         }         UserDetails user = myUserDetailsService.loadUserByUsername(username);         if(user == null){             throw new BadCredentialsException("Username not found.");         }         if (!Password.encoder.matches(password, user.getPassword())) {             throw new BadCredentialsException("Wrong password.");         }          Collection<? extends GrantedAuthority> authorities = user.getAuthorities();         return new UsernamePasswordAuthenticationToken(user, password, authorities);     }      public boolean supports(Class<?> authentication) {         return true;     } }

@Component public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {      @Override     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,                                         AuthenticationException exception) throws IOException {         response.sendError(403, exception.getMessage());     } }

@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {     @Autowired     DataSource dataSource;     @Autowired     private UserRepository _userRepo;     @Autowired     private MyUserDetailsService myUserDetailsService;     @Autowired     private MyAuthenticationProvider myAuthenticationProvider;     @Autowired     private MyAuthenticationFailureHandler myAuthenticationFailureHandler;      @Override     protected void configure(HttpSecurity http) throws Exception {         http                 .authorizeRequests()                 .antMatchers("/", "/home", "/signin", "/index").permitAll()                 .anyRequest().authenticated()                 .and()                 .formLogin()                 .loginPage("/login")                 .permitAll()                 .failureHandler(myAuthenticationFailureHandler)                 .and()                 .logout()                 .permitAll()                 .and()                 .csrf().disable();     }      @Override     public UserDetailsService userDetailsServiceBean() throws Exception {         return myUserDetailsService;     }      @Override     protected void configure(AuthenticationManagerBuilder auth) throws Exception {         auth.userDetailsService(myUserDetailsService);         auth.authenticationProvider(myAuthenticationProvider);     } }