We're using spring security 3.0.5, Java 1.6 and Tomcat 6.0.32. In our .xml config file we've got:
```xml
<form-login login-page="/index.html"
            default-target-url="/postSignin.html"
            always-use-default-target="true"
            authentication-failure-handler-ref="authenticationFailureHandler"/>
```
and our authenticationFailureHandler defined as:
```xml
<beans:bean id="authenticationFailureHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <beans:property name="exceptionMappings">
        <beans:props>
            <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/index.html?authenticationFailure=true</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>
```
Java:
```java
@RequestMapping(params = {"authenticationFailure=true"}, value = "/index.html")
public String handleInvalidLogin(HttpServletRequest request) {
    // ... How can I get the username that was used???
    // I've tried:
    Object username = request.getAttribute("SPRING_SECURITY_LAST_USERNAME_KEY");
    // and the deprecated attribute name:
    Object usernameDeprecated = request.getAttribute("SPRING_SECURITY_LAST_USERNAME");
    // ...
}
```
So we're directing all BadCredentialsExceptions to index.html and the IndexController. In the IndexController I'd like to get the username that was used for the failed login attempt. How can I do this?
A user can fail login 3 times at most. The account is locked on the last failed attempt and stays locked for 24 hours. After that duration the account is unlocked (on the next login attempt).
Okay, so the answer turned out to be something extremely simple yet, as far as I can tell, not greatly discussed or documented.
Here's all I had to do (no configuration anywhere, just created this class):
```java
import org.apache.log4j.Logger;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

@Component
public class MyApplicationListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    private static final Logger LOG = Logger.getLogger(MyApplicationListener.class);

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        // For a failed form login the principal is the submitted username
        Object userName = event.getAuthentication().getPrincipal();
        Object credentials = event.getAuthentication().getCredentials();
        LOG.debug("Failed login using USERNAME [" + userName + "]");
        LOG.debug("Failed login using PASSWORD [" + credentials + "]");
    }
}
```
I'm far from a Spring Security expert, so if anyone reads this and knows of a reason we shouldn't do it like this, or knows a better way, I'd love to hear about it.
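As an added example (not part of the original answer), the same event mechanism can also implement the 3-attempts / 24-hour lockout rule mentioned earlier: it records the username on each bad-credentials event, clears the record on a successful login, and deliberately never writes the submitted password to the log. The class, field and method names are assumptions; the Spring Security 3.0 event types used are the ones from the answer plus AbstractAuthenticationEvent and AuthenticationSuccessEvent from the same package.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.log4j.Logger;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Hypothetical class: counts failed logins per username; the password is never logged.
@Component
public class LoginFailureTracker implements ApplicationListener<AbstractAuthenticationEvent> {
    private static final Logger LOG = Logger.getLogger(LoginFailureTracker.class);
    private static final int MAX_FAILURES = 3;
    private static final long LOCK_MILLIS = 24L * 60 * 60 * 1000;

    // username -> failure record (in-memory only; a real deployment would persist this)
    private final ConcurrentMap<String, Failure> failures = new ConcurrentHashMap<String, Failure>();

    private static final class Failure {
        int count;
        long lastAt;
    }

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        // getName() returns the submitted username for a failed form login
        String username = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            Failure f = new Failure();
            Failure prev = failures.putIfAbsent(username, f);
            if (prev != null) f = prev;
            synchronized (f) {
                f.count++;
                f.lastAt = System.currentTimeMillis();
                LOG.warn("Failed login for USERNAME [" + username + "], attempt " + f.count);
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(username); // successful login resets the counter
        }
    }

    /** True while the user has MAX_FAILURES or more failures within the last 24 hours. */
    public boolean isLocked(String username) {
        Failure f = failures.get(username);
        if (f == null) return false;
        synchronized (f) {
            return f.count >= MAX_FAILURES && System.currentTimeMillis() - f.lastAt < LOCK_MILLIS;
        }
    }
}
```

A UserDetailsService or a custom AuthenticationProvider can consult isLocked(username) before checking credentials to enforce the lock.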