DevOps

Logging Failed and Successful Authentication Attempts with SpringBoot

Introduction

In the latest OWASP top 10 (OWASP Top 10:2021) list with, the well known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, a mentioned is made regarding identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as “Broken authentication” it refers to the dangers a web application has from week authentication implementations. Bellow I am going to demonstrate the implementation of one of the counter measures which is to be able to log authentication attempts whether these are successful or not.

Implementation

In order to avoid boilerplate code I am using lombok to create the Slf4J logger.

Log Success

The steps are the following

  1. We create a service that “listens” for the success logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, lets call it AuthenticationFailureListener that will implement the interface ApplicationListener<AuthenticationFailureBadCredentialsEvent>

There we will need to Autowire an HttpServletRequest in order to get the ip address. the address will either be on this object of if the request is coming from a proxy it will be extracted from the X-Forwarded-For header.

If we add all that the code should be something similar to the snippet bellow

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        //get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            //no proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            //from proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a response similar to

2022-08-17 01:50:42.325 ERROR 81901 --- [io-8080-exec-10] .d.u.m.m.s.AuthenticationSuccessListener : Successful login attempt for alexius from 0:0:0:0:0:0:0:1

Log Failure

  1. We create a service that “listens” for the failed logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, lets call it AuthenticationSuccessListener that will implement the interface ApplicationListener<AuthenticationSuccessEvent>

There we will need to Autowire an HttpServletRequest in order to get the ip address. the address will either be on this object of if the request is coming from a proxy it will be extracted from the X-Forwarded-For header.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

If we add all that the code should be something similar to the snippet bellow

2022-08-17 02:22:51.377 ERROR 82022 --- [nio-8080-exec-4] .d.u.m.m.s.AuthenticationFailureListener : Failed login attempt for alexius from 0:0:0:0:0:0:0:1

Published on Java Code Geeks with permission by Alexius Diakogiannis, partner at our JCG program. See the original article here: Logging Failed and Successful Authentication Attempts with SpringBoot

Opinions expressed by Java Code Geeks contributors are their own.

Alexius Diakogiannis

Author of JEE.gr, JEE Architect, Scrum Master, Enthusiastic Entrepreneur, Passionate Archer, Linux Lover and JAVA Geek!
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Back to top button