Java library for advanced user account protection

I am looking for a library to provide advanced protection for user accounts for web applications. I need the following functions:

1) Locking the user account after several unsuccessful login attempts in a certain period of time.
2) The password is valid for N days.
3) Tracking password history for each user.

Is there a suitable solution for all or some of these needs?

Thanks in advance!

+4
3 answers

You can accomplish all this using Spring and Spring Security.

1) Locking the user account after several unsuccessful login attempts in a certain period of time.

You can use Spring Security to count the number of failed attempts and block the user; see this article:

General Problem # 3: How to disconnect a user after several failed logins?

The general requirement of the user is to disable / block the account after several unsuccessful login attempts. Acegi itself does not provide anything out of the box; however, in your application you can implement and register org.springframework.context.ApplicationListener. Inside the application event listener, you can check for an instance of a specific AuthenticationFailureEvent, and then call your application's management interface to update user information.

For instance:

    public void onApplicationEvent(ApplicationEvent event) {
        // check for a failed-authentication event
        if (event instanceof AuthenticationFailurePasswordEvent) {
            // call the user management interface to increment failed login attempts, etc.
            // ...
        }
    }

2) The password is valid for N days.

You can schedule a task using Spring's Quartz support, which resets the password. You can also have an ExpiryDate field in the database and fire a trigger every day at 00:00 hours to do things.

3) Tracking password history for each user.

Using the DB, you can keep the password usage history, and you can use Spring DAO to make it easy.

BTW, if you find any framework specifically designed for this, let me know :)

+1
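A worked version of the listener approach from the first answer, written here as an added example for current Spring Security (it is not the quoted article's or the answerer's code): it counts bad-credential failures per username inside a sliding window and records a temporary lock. The LockoutListener class, the threshold and window values, and the commented persistence call are assumptions.

```java
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

/** Added example: sliding-window lockout driven by Spring Security's authentication events. */
public class LockoutListener implements ApplicationListener<AbstractAuthenticationEvent> {
    private final int maxFailures;   // e.g. 5 failures ...
    private final Duration window;   // ... within 15 minutes
    private final Duration lockFor;  // how long the lock lasts (temporary, not permanent)
    private final Clock clock;       // injected so tests can control time
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
    private final Map<String, Instant> lockedUntil = new ConcurrentHashMap<>();

    public LockoutListener(int maxFailures, Duration window, Duration lockFor, Clock clock) {
        this.maxFailures = maxFailures; this.window = window; this.lockFor = lockFor; this.clock = clock;
    }

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String user = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            recordFailure(user, clock.instant());
        } else if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(user);              // a good login resets the counter
        }
    }

    /** Returns true when this failure crossed the threshold and locked the account. */
    public synchronized boolean recordFailure(String user, Instant now) {
        Deque<Instant> recent = failures.computeIfAbsent(user, u -> new ArrayDeque<>());
        recent.addLast(now);
        while (!recent.isEmpty() && recent.peekFirst().isBefore(now.minus(window))) {
            recent.pollFirst();                 // forget failures outside the window
        }
        if (recent.size() < maxFailures) return false;
        lockedUntil.put(user, now.plus(lockFor));
        recent.clear();
        // userRepository.lock(user, now.plus(lockFor));   // hypothetical persistence call
        return true;
    }

    /** Your UserDetails.isAccountNonLocked() should consult this (or the persisted lock). */
    public boolean isLocked(String user, Instant now) {
        Instant until = lockedUntil.get(user);
        return until != null && now.isBefore(until);
    }
}
```

Spring Security only publishes these events when an AuthenticationEventPublisher (DefaultAuthenticationEventPublisher) is registered, which Spring Boot does by default, and it publishes AuthenticationFailureBadCredentialsEvent for unknown usernames too, so the in-memory maps must be bounded or replaced by the persisted column in production. Because the lock keys on the username, anyone can trigger it against another user by failing on purpose, which is why the lock here expires instead of being permanent.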

I think that your requirements are not so difficult to implement without the need for an external library.

  • You can save the number of unsuccessful login attempts in a column of your client_user table in the database and increment it at runtime if the attempt falls within your specified timeframe.
  • The password's date_modified can be stored in another column, so you can check at runtime whether the login attempt has exceeded this number of days.
  • Somewhat complicated, because passwords are usually stored as hashes of some kind, so it makes no sense to store historical values.
+1

I do not know of any framework that provides these functions, but I am not sure I would try to find one. These are very simple requirements that could easily be coded independently, perhaps in less time than it takes to learn a new framework. Then you avoid a framework dependency.

For more complex security requirements, I would recommend Spring Security.

0

Source: https://habr.com/ru/post/1338239/