Spring Security可以为您做很多事情。

帐户被封锁，密码盐。 但是蛮力阻断剂呢？

那是你必须自己做的。

幸运的是，Spring是一个非常灵活的框架，因此对其进行配置并不是什么大问题。

让我向您展示一些如何针对Grails应用程序执行此操作的指南。

首先，您必须在config.groovy中启用springSecurityEventListener

grails.plugins.springsecurity.useSecurityEventListener = true

然后实现监听器
在/ src / bruteforce中创建类

/**
Registers all failed attempts to login. Main purpose to count attempts for particular account ant block user*/
class AuthenticationFailureListener implements ApplicationListener {LoginAttemptCacheService loginAttemptCacheService@Overridevoid onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) {loginAttemptCacheService.failLogin(e.authentication.name)}
}

接下来，我们必须创建用于成功登录的侦听器
在同一包装中

/**Listener for successfull logins. Used for reseting number on unsuccessfull logins for specific account
*/
class AuthenticationSuccessEventListener implements ApplicationListener{LoginAttemptCacheService loginAttemptCacheService@Overridevoid onApplicationEvent(AuthenticationSuccessEvent e) {loginAttemptCacheService.loginSuccess(e.authentication.name)}
}

我们没有将它们放在grails-app文件夹中，因此我们需要将这些类作为spring bean重新命名。
在grails-app / conf / spring / resources.groovy中添加下一行

beans = {authenticationFailureListener(AuthenticationFailureListener) {loginAttemptCacheService = ref('loginAttemptCacheService')}authenticationSuccessEventListener(AuthenticationSuccessEventListener) {loginAttemptCacheService = ref('loginAttemptCacheService')}
}

您可能会注意到LoginAttemptCacheService loginAttemptCacheService的用法
让我们实现它。 这将是典型的grails服务

package com.picsel.officeanywhereimport com.google.common.cache.CacheBuilder
import com.google.common.cache.CacheLoader
import com.google.common.cache.LoadingCacheimport java.util.concurrent.TimeUnit
import org.apache.commons.lang.math.NumberUtils
import javax.annotation.PostConstructclass LoginAttemptCacheService {private LoadingCacheattempts;private int allowedNumberOfAttemptsdef grailsApplication@PostConstructvoid init() {allowedNumberOfAttempts = grailsApplication.config.brutforce.loginAttempts.allowedNumberOfAttemptsint time = grailsApplication.config.brutforce.loginAttempts.timelog.info 'account block configured for $time minutes'attempts = CacheBuilder.newBuilder().expireAfterWrite(time, TimeUnit.MINUTES).build({0} as CacheLoader);}/*** Triggers on each unsuccessful login attempt and increases number of attempts in local accumulator* @param login - username which is trying to login* @return*/def failLogin(String login) {def numberOfAttempts = attempts.get(login)log.debug 'fail login $login previous number for attempts $numberOfAttempts'numberOfAttempts++if (numberOfAttempts > allowedNumberOfAttempts) {blockUser(login)attempts.invalidate(login)} else {attempts.put(login, numberOfAttempts)}}/*** Triggers on each successful login attempt and resets number of attempts in local accumulator* @param login - username which is login*/def loginSuccess(String login) {log.debug 'successfull login for $login'attempts.invalidate(login)}/*** Disable user account so it would not able to login* @param login - username that has to be disabled*/private void blockUser(String login) {log.debug 'blocking user: $login'def user = User.findByUsername(login)if (user) {user.accountLocked = true;user.save(flush: true)}}
}

我们将使用Google番石榴库中的CacheBuilder。 因此，将下一行添加到BuildConfig.groovy

dependencies {runtime 'com.google.guava:guava:11.0.1'}

最后一步，将服务配置添加到cinfig.groovy

brutforce {loginAttempts {time = 5allowedNumberOfAttempts = 3}

就是这样，您准备运行您的应用程序。
对于典型的Java项目，几乎一切都是一样的。 相同的侦听器和相同的服务。
有关Spring Security Events的更多信息 有关使用Google番石榴进行缓存的更多信息

Grails用户可以简单地使用此插件https://github.com/grygoriy/bruteforcedefender

祝您编程愉快，别忘了分享！

参考： Grygoriy Mykhalyuno博客博客中的JCG合作伙伴 Grygoriy Mykhalyuno 使用Spring Security防止暴力攻击 。

翻译自: https://www.javacodegeeks.com/2012/10/spring-security-prevent-brute-force.html