I am working on an application where in some places I need to introduce a captcha if N attempts have failed. These places can be signup, login, add to wishlist, subscribe etc. It is also to ensure that denial-of-service and brute-force attacks cannot be attempted by anyone. Is there a mechanism for this in Spring Security?
There is nothing in Spring Security directly, but it should be easy to store the login count in the user's session and check that count in your JSP to render a CAPTCHA if necessary.
Implement an AuthenticationFailureHandler that updates a count/time in the DB. You can't count on using the session because the attacker is not going to be sending cookies anyway.
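The handler described in this answer, written out as an added example (it is not code from any of the answers or from Spring Security itself). It assumes Spring Security 5.x with `javax.servlet`, and `FailedAttemptStore` is a hypothetical persistence interface you would back with your own table; the counter is keyed on the submitted username so it works even when the client sends no cookies at all.

```java
// Added example: a Spring Security failure handler that records failed logins in
// persistent storage and exposes a check for "does this account now need a CAPTCHA".
// Assumes Spring Security 5.x with javax.servlet. FailedAttemptStore is a hypothetical
// DAO interface (one row per key holding a count and the time of the last failure).
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Hypothetical persistence interface; implement it with JDBC/JPA against your own table. */
interface FailedAttemptStore {
    /** Current count and last-failure time for the key, or null if no row exists. */
    Attempt find(String key);
    void save(String key, int count, Instant lastFailure);
    void delete(String key);

    final class Attempt {
        final int count;
        final Instant lastFailure;
        Attempt(int count, Instant lastFailure) {
            this.count = count;
            this.lastFailure = lastFailure;
        }
    }
}

/**
 * Counts failures per username in the database rather than in the HTTP session,
 * because a scripted attacker simply does not send the session cookie back.
 */
public class CountingAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private final FailedAttemptStore store;
    private final int threshold;   // N failures before a CAPTCHA is demanded
    private final Duration window; // a failure older than this no longer counts

    public CountingAuthenticationFailureHandler(FailedAttemptStore store, int threshold,
                                                Duration window, String failureUrl) {
        super(failureUrl);
        this.store = store;
        this.threshold = threshold;
        this.window = window;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        String key = attemptKey(request.getParameter("username"));
        Instant now = Instant.now();
        FailedAttemptStore.Attempt previous = store.find(key);
        int count = 1;
        if (previous != null && previous.lastFailure.plus(window).isAfter(now)) {
            count = previous.count + 1; // still inside the window: keep counting
        }
        store.save(key, count, now);
        super.onAuthenticationFailure(request, response, exception); // redirect to failureUrl
    }

    /**
     * True when a login for this username must carry a valid CAPTCHA answer.
     * Call this server-side on the POST (before authentication proceeds) as well as
     * when rendering the form; only the server-side check actually enforces anything.
     */
    public boolean captchaRequired(String username) {
        FailedAttemptStore.Attempt a = store.find(attemptKey(username));
        return a != null
            && a.count >= threshold
            && a.lastFailure.plus(window).isAfter(Instant.now());
    }

    /** Call from an AuthenticationSuccessHandler once the user has logged in correctly. */
    public void reset(String username) {
        store.delete(attemptKey(username));
    }

    /** Normalise the username so "Alice" and "alice " share one counter. */
    static String attemptKey(String username) {
        return username == null ? "" : username.trim().toLowerCase();
    }
}
```

Wire it in as the `authenticationFailureHandler` of your form-login configuration and pair it with a success handler that calls `reset`. The same store can serve the other places the question mentions (signup, wishlist, subscribe) by prefixing the key with the action name and whatever identifier is available for that action, and keying on the client address in addition to the username is a reasonable way to catch attempts spread across many usernames.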
Implementation done using JCaptcha and SpringMVC
http://parasjain.net/2008/11/11/jcaptcha-with-spring/