Locking user after 3 unsuccessful events
Hi all,
I am new to Spring Security and developing some basic samples. I want to lock the user account after 3 failed login attempts.
I have a table in the DB named users with an enabled field.
I have written an application event listener as well.
But my problem is how do I lock this user.
I'm getting javax.servlet.ServletException: Filter execution threw an exception
Need your help.
I'm pasting my code.

[code]
// Spring Security 3.x package names (the post does not state the version in use)
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

public class EventListener extends JdbcDaoImpl implements ApplicationListener, InitializingBean {
    // public static final int maxCount = 3;
    // static int failedLoginAttempts = 0;
    int status;
    String count;
    TestUserDetailsService userDetailsService; // custom service that holds the failed-attempt counter

    // public abstract boolean canHandle(Object event);
    // public abstract void handle(Object event);

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthorizedEvent) {
            AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
            System.out.println("authorized:" + authorizedEvent);
        } else if (event instanceof AuthorizationFailureEvent) {
            AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
            System.out.println("not authorized:" + authorizationFailureEvent);
        } else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
            System.out.println("badCredentials:" + badCredentialsEvent);
            // the principal of a failed attempt is the submitted user name
            Object name = badCredentialsEvent.getAuthentication().getPrincipal();
            System.out.println("name" + name);
            int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
            userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
            System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
            if (userDetailsService.getFailedLoginAttempts() >= 3) {
                System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
                this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
            }
            count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
            if (count == "NO") {
                throw new LockedException("user has been locked");
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            AuthenticationSuccessEvent authenticationSuccessEvent = (AuthenticationSuccessEvent) event;
            System.out.println("authSuccess:" + authenticationSuccessEvent);
        } else {
            System.out.println("undefined: " + event.getClass().getName());
        }
    }
}
[/code]

I am not able to configure the locked exception.
Use [code][/code] tags when posting code.
You use a Filter, which isn't a Spring bean; hence your JdbcTemplate will resolve/result in an exception.
[code]
// updated onApplicationEvent of the EventListener class posted above
@Override
public void onApplicationEvent(ApplicationEvent event) {
    if (event instanceof AuthorizedEvent) {
        AuthorizedEvent authorizedEvent = (AuthorizedEvent) event;
        System.out.println("authorized:" + authorizedEvent);
    } else if (event instanceof AuthorizationFailureEvent) {
        AuthorizationFailureEvent authorizationFailureEvent = (AuthorizationFailureEvent) event;
        System.out.println("not authorized:" + authorizationFailureEvent);
    } else if (event instanceof AuthenticationFailureBadCredentialsEvent) {
        AuthenticationFailureBadCredentialsEvent badCredentialsEvent = (AuthenticationFailureBadCredentialsEvent) event;
        System.out.println("badCredentials:" + badCredentialsEvent);
        Object name = badCredentialsEvent.getAuthentication().getPrincipal();
        System.out.println("name" + name);
        int failedLoginAttempts = userDetailsService.getFailedLoginAttempts();
        userDetailsService.setFailedLoginAttempts(++failedLoginAttempts);
        System.out.println("failedattemps" + userDetailsService.getFailedLoginAttempts());
        if (userDetailsService.getFailedLoginAttempts() >= 3) {
            System.out.println("update users set enabled = 'NO' where userName='" + name + "'");
            this.getJdbcTemplate().update("update users set enabled = 'NO' where userName='" + name + "'");
            throw new LockedException("user account has been locked");
        }
        count = (String) this.getJdbcTemplate().queryForObject("select enabled from users where userName='" + name + "'", String.class);
        if (count == "NO") {
            throw new LockedException("user has been locked");
        }
    }
}
[/code]

How do I lock the user? In the DB it is updating the enabled field properly.
I see a number of issues with the code that are unrelated to Spring Security.
1> Is 'count == "NO"' how you are determining whether you throw a locked exception? If so, I don't see how this would ever work.
2> I would strongly recommend that you use PreparedStatements instead of simple string concatenation, otherwise you will be absolutely vulnerable to SQL injection attacks.
3> "==" is not a good way to compare strings.
4> I don't have the Javadoc / source at hand at the moment, but is setFailedLoginAttempts a custom method that you have written which updates the database? If not, I don't think this code will ever work unless you are somehow tracking this count in the database via your user service.
Hope this helps - it looks like you may benefit from doing some more reading about how to use Spring JDBC as well.
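As an added example (not code from the thread or from Spring Security itself), here is a listener that applies the points raised above: the failed-attempt counter lives in the database, every query uses parameter placeholders (a PreparedStatement under the hood) instead of string concatenation, strings are never compared with "==", and nothing is thrown from the listener. It assumes Spring Security 3.x package names, a JdbcTemplate injected by the container, and the thread's users table (columns userName and enabled) extended with an integer column named failed_attempts; the column, the class name LoginAttemptListener and the method names are assumptions made for this example.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

/**
 * Counts failed logins per user in the database and disables the account
 * once MAX_FAILED_ATTEMPTS is reached. Added example, not the thread
 * author's code. Assumes Spring Security 3.x package names, an injected
 * JdbcTemplate, and a users table with columns userName, enabled and an
 * added integer column failed_attempts (the added column is an assumption).
 */
public class LoginAttemptListener implements ApplicationListener<AbstractAuthenticationEvent> {

    static final int MAX_FAILED_ATTEMPTS = 3;
    private final JdbcTemplate jdbc;

    public LoginAttemptListener(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        // getName() returns the submitted user name for a failure event and the
        // UserDetails user name for a success event, so one code path serves both.
        String username = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            recordFailure(username);
        } else if (event instanceof AuthenticationSuccessEvent) {
            resetFailures(username);
        }
        // Nothing is thrown here: an exception escaping a listener only surfaces
        // as a ServletException from the filter chain. The lock takes effect
        // because the UserDetailsService maps the enabled column onto
        // UserDetails.isEnabled() (or isAccountNonLocked()), and
        // DaoAuthenticationProvider then rejects the next attempt with
        // DisabledException (or LockedException) before the password is checked.
    }

    /** Increments the counter with a parameterised query; returns the new count. */
    int recordFailure(String username) {
        int rows = jdbc.update(
                "update users set failed_attempts = failed_attempts + 1 where userName = ?",
                username);
        if (rows == 0) {
            return 0; // no such user: nothing to count
        }
        int failures = jdbc.queryForObject(
                "select failed_attempts from users where userName = ?",
                new Object[] { username }, Integer.class);
        if (failures >= MAX_FAILED_ATTEMPTS) {
            // same value the thread's schema uses for a disabled account
            jdbc.update("update users set enabled = 'NO' where userName = ?", username);
        }
        return failures;
    }

    /** A successful login clears the counter. */
    void resetFailures(String username) {
        jdbc.update("update users set failed_attempts = 0 where userName = ?", username);
    }
}
```

Register the class as a bean in the application context so the container delivers authentication events to it; a plain servlet Filter instantiated by the container is not a Spring bean and gets neither the events nor an injected JdbcTemplate. A hard, permanent lock means anyone who knows a user name can keep that account locked out, so a practitioner would usually expire the lock after a fixed period or require an administrator reset rather than leaving enabled = 'NO' indefinitely.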