Prevent login attempts with curl / HTTP POST in a Spring application

I have a Spring web application hosted on Amazon and am facing login attacks from some automated machines. It is clear from my logs that they bypass the login page and use something like:

curl --data "j_username=xxx&j_password=yyy" http://www.mysecureurl.com/j_spring_security_check 

My question is how to prevent such attacks. Is there a way, through the Spring configuration, to block logins that do not come directly from the login page?

Then I will implement additional security measures, such as a CAPTCHA, lockout after 3 wrong attempts, etc., when the user goes to the login page.

+4
4 answers

You can implement the Cross-Site Request Forgery (CSRF) nonce token pattern.

In other words:

  • generate a random token (a different one for each user)
  • put this token in the user's session
  • add it as a hidden field in the login form
  • when you get a login request, check whether the submitted token matches the one in the session, and if not, deny access

BTW:

+3

If all requests come from the same IP address, you can use the hasIpAddress expression:

 <security:intercept-url pattern="/secure" access="isAuthenticated() and !hasIpAddress('11.11.111.11')" /> 

This is only a temporary hack, because attackers can change their IP address.

0

This is how I solved my problem, thanks to all the answers above.

1. Added a custom filter to my Spring Security configuration: <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter" />

2. A random string is generated in the login controller and placed in the HTTP session:

 // random per-session key, stored under a fixed session attribute name
 String random = UUID.randomUUID().toString().toLowerCase().replaceAll("-", "");
 request.getSession().setAttribute("userKeyInSession", random);

3. The same random key is also passed to the login page, so that the login JSP can render it as a hidden parameter submitted along with the form:

 // expose the key to the view so the JSP can emit it as a hidden input
 model.addAttribute("userKey", random);
 return "login";

4. In LoginFilter I now do a simple string comparison between the request parameter and the random value in the session. If they do not match, I reject the request and do not authenticate.

Further reading: CAPTCHA etc. to prevent attacks via the user interface.

0
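The session-token check described in the first answer and in the four steps of the accepted answer above, written out as an added example (not the poster's code and not part of Spring Security): a LoginFilter for the Spring Security 3.x XML configuration from step 1, keeping the session attribute name userKeyInSession from step 2 and the form parameter name userKey from step 3. The class name, the issueToken helper, the javax.servlet API and the use of Java 8's Base64 are my assumptions. It also goes a little beyond the steps: the token comes from SecureRandom instead of a UUID, is compared in constant time, and is consumed after one use so a captured form cannot be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64; // assumption: Java 8+

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Added example (not the poster's code). Replaces the default form-login filter
 * at position FORM_LOGIN_FILTER and refuses any POST to j_spring_security_check
 * that does not carry the one-time token issued with the login page.
 */
public class LoginFilter extends UsernamePasswordAuthenticationFilter {

    // Names taken from the accepted answer: session attribute and form parameter.
    public static final String SESSION_KEY = "userKeyInSession";
    public static final String PARAM_NAME = "userKey";

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Called from the login page controller (hypothetical helper): mints a fresh
     * 256-bit token, stores it in the session and returns it for the hidden field.
     */
    public static String issueToken(HttpServletRequest request) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        request.getSession(true).setAttribute(SESSION_KEY, token);
        return token;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        // getSession(false): a bot posting blindly has no session, so no token.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        String submitted = request.getParameter(PARAM_NAME);

        if (expected == null || submitted == null || !constantTimeEquals(expected, submitted)) {
            // Fail before the AuthenticationManager sees the credentials, so the
            // attacker never gets a password checked and learns nothing about the username.
            throw new BadCredentialsException("Missing or invalid login form token");
        }

        // One-shot: drop the token so the same form submission cannot be replayed.
        session.removeAttribute(SESSION_KEY);
        return super.attemptAuthentication(request, response);
    }

    /** Length-independent comparison; avoids leaking the token byte by byte via timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Wiring, as I would expect it in the 3.x XML configuration: declare the bean with its authenticationManager property set (for example via <authentication-manager alias="authenticationManager"/>), reference it from the <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter"/> element shown in step 1, and remove the <form-login> element from <http>, since the custom filter takes that position. The login controller calls LoginFilter.issueToken(request) and puts the result in the model; the JSP renders it as <input type="hidden" name="userKey" value="${userKey}"/>. One caveat the poster should keep in mind for the next step: this stops blind POSTs to j_spring_security_check, but a bot that first fetches the login page, keeps the session cookie and copies the hidden field passes the check, so the lockout and CAPTCHA mentioned in the question are still needed against a determined attacker.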

It looks like you are using the default login options provided by Spring Security. The default username and password attribute names are j_username and j_password. So if you change the username and password attribute names on your login page for your particular application, you can avoid such attacks, because then only you know the attribute names for the actual username and password values, and nobody else, so no one will be able to send you such a hacked HTTP request.

-1

Source: https://habr.com/ru/post/1483524/
