
Logging Failed and Successful Authentication Attempts with SpringBoot

Introduction

In the latest OWASP Top 10 list (OWASP Top 10:2021), the well-known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, a mention is made of identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as “Broken Authentication”, it refers to the dangers a web application faces from weak authentication implementations. Below I am going to demonstrate the implementation of one of the countermeasures, which is to be able to log authentication attempts, whether these are successful or not.

Implementation

In order to avoid boilerplate code I am using lombok to create the Slf4J logger.

Log Success

The steps are the following

  1. We create a service that “listens” for the success logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationSuccessListener, that will implement the interface ApplicationListener<AuthenticationSuccessEvent>.

There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be on this object or, if the request is coming through a proxy, it will be extracted from the X-Forwarded-For header.

If we add all that, the code should be something similar to the snippet below.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        //get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            //no proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            //from proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a log line similar to the following:

2022-08-17 01:50:42.325 ERROR 81901 --- [io-8080-exec-10] .d.u.m.m.s.AuthenticationSuccessListener : Successful login attempt for alexius from 0:0:0:0:0:0:0:1

Log Failure

  1. We create a service that “listens” for the failed logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationFailureListener, that will implement the interface ApplicationListener<AuthenticationFailureBadCredentialsEvent>.

There we will need to autowire an HttpServletRequest in order to get the IP address. The address will either be on this object or, if the request is coming through a proxy, it will be extracted from the X-Forwarded-For header. If we add all that, the code should be something similar to the snippet below.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        //get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            //no proxy
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            //from proxy
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a log line similar to the following:

2022-08-17 02:22:51.377 ERROR 82022 --- [nio-8080-exec-4] .d.u.m.m.s.AuthenticationFailureListener : Failed login attempt for alexius from 0:0:0:0:0:0:0:1
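As an added example (not the article's own code), the success and failure listeners above folded into one component that also handles two points a practitioner will run into: the leftmost X-Forwarded-For entry is whatever the client sent unless a trusted proxy appended the chain, and AuthenticationFailureBadCredentialsEvent does not cover locked, disabled or expired accounts. The TRUSTED_PROXIES addresses and the @EventListener wiring are assumptions for illustration.

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

@Slf4j
@Component
public class AuthenticationAuditListener {
    // Assumed: the reverse proxies in front of this application. Only they may append
    // to X-Forwarded-For; any other value in that header is untrusted client input.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    private final HttpServletRequest request;

    public AuthenticationAuditListener(HttpServletRequest request) {
        this.request = request;
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        log.info("Successful login attempt for {} from {}", event.getAuthentication().getName(), clientIp());
    }

    // AbstractAuthenticationFailureEvent is the parent of every failure event (bad credentials,
    // locked, disabled, expired, ...), so no failure type is left out of the audit trail.
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        log.warn("Failed login attempt for {} from {} ({})", event.getAuthentication().getName(),
                clientIp(), event.getException().getClass().getSimpleName());
    }

    // Walk X-Forwarded-For from the right, skipping our own proxies; reading the leftmost
    // entry blindly would let a client choose the address that ends up in the log.
    String clientIp() {
        String peer = request.getRemoteAddr();
        String xff = request.getHeader("X-Forwarded-For");
        if (xff == null || !TRUSTED_PROXIES.contains(peer)) {
            return peer; // direct connection, or a header that did not arrive via a trusted proxy
        }
        List<String> hops = Arrays.asList(xff.split("\\s*,\\s*"));
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!TRUSTED_PROXIES.contains(hops.get(i))) {
                return hops.get(i); // first hop that is not one of our proxies
            }
        }
        return peer; // every hop was a trusted proxy; fall back to the TCP peer
    }
}
```

With a request arriving from 10.0.0.5 carrying X-Forwarded-For: 1.2.3.4, 203.0.113.9, 10.0.0.6, the logged address is 203.0.113.9, not the client-chosen 1.2.3.4.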

Published on Java Code Geeks with permission by Alexius Diakogiannis, partner at our JCG program. See the original article here: Logging Failed and Successful Authentication Attempts with SpringBoot


Alexius Diakogiannis

Author of JEE.gr, JEE Architect, Scrum Master, Enthusiastic Entrepreneur, Passionate Archer, Linux Lover and JAVA Geek!