Spring Security 2.0.3 & dictionary attacks


I'm running Spring Security 2.0.3 and I need to implement a simple dictionary attack block. The implementation is quite trivial: adding a userstatus property with a value of blocked, which is assigned when the user has had X wrong login attempts since the last login. The problem is how to redirect via Spring Security to an appropriate page, or even better, redirect to login.jsp and through some session marker block the inputs (this is a JS block only, of course, but still I need it). Spring Security's UserDetailsService interface defines a loadUserByUsername method which enables me to throw a BadCredentialsException extension of my own, but the ExceptionTranslationFilter doesn't let me utilize it. Is there a built-in way to do it with Spring or do I have to hack something? Thanks



BEST ANSWER

I would take a look at section 2.3.5 of the documentation. The way I would do this is to implement either a pre-auth filter or an authentication processing filter that implements your check against a brute-force style attack. You will probably want to create a filter that, in most cases, just delegates to the original filter class, except for a check to see whether the user has made too many requests, etc. Alternatively, you could also override all of the functionality rather than having to delegate to the original filter.

Another answer

Implement an AuthenticationFailureHandler that updates the count/blocked flag in the DB and does the redirect. I wouldn't count on using the session because the attacker is not going to be sending cookies anyway.
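The following is an added example, not code from the question or from either answer, of the delegating filter the accepted answer describes, combined with the per-user failure counter the second answer recommends (keyed by user name rather than by session, because a dictionary-attack client will not send cookies). It targets the Spring Security 2.0.x class names; the hook names used (attemptAuthentication, obtainUsername, onUnsuccessfulAuthentication) and the exceptionMappings property are taken from the 2.0.x AbstractProcessingFilter / AuthenticationProcessingFilter API from memory, so verify them against the 2.0.3 javadoc. The package name, class name and the in-memory map are assumptions; the map stands in for the userstatus column mentioned in the question.

```java
package example.security; // hypothetical package, not part of any project

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.LockedException;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

/**
 * Replacement for the stock AuthenticationProcessingFilter (Spring Security 2.0.x)
 * that refuses to even consult the password once a user name has accumulated too
 * many consecutive failures. Everything except the lockout check is delegated to
 * the superclass, as the accepted answer suggests.
 */
public class LockoutAuthenticationProcessingFilter extends AuthenticationProcessingFilter {

    private int maxFailures = 5;

    // Assumption for the example: an in-memory counter. On a single node this is
    // enough; in a cluster, persist the count and the "blocked" status in the
    // users table instead, which is what the question's userstatus column is for.
    private final Map<String, Integer> failures = new ConcurrentHashMap<String, Integer>();

    public void setMaxFailures(int maxFailures) {
        this.maxFailures = maxFailures;
    }

    /** Exposed so the lock state can be inspected (e.g. by an admin page or tests). */
    public boolean isLocked(String username) {
        Integer n = failures.get(normalise(username));
        return n != null && n >= maxFailures;
    }

    public int failureCount(String username) {
        Integer n = failures.get(normalise(username));
        return n == null ? 0 : n;
    }

    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        String username = normalise(obtainUsername(request));
        if (isLocked(username)) {
            // Throwing here short-circuits the whole provider chain: no password
            // comparison happens, so the real credential cannot be guessed online
            // once the threshold is reached. LockedException is the built-in type
            // the DaoAuthenticationProvider itself throws when
            // UserDetails.isAccountNonLocked() is false, so both paths end on the
            // same failure URL (see the usage note below).
            throw new LockedException("Too many failed logins for '" + username + "'");
        }
        Authentication result = super.attemptAuthentication(request);
        failures.remove(username); // a successful login resets the counter
        return result;
    }

    protected void onUnsuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException failed) throws IOException {
        // Only count genuine credential failures; a request that was already
        // rejected by the lock must not push the counter further.
        if (!(failed instanceof LockedException)) {
            String username = normalise(obtainUsername(request));
            synchronized (failures) { // read-modify-write; keep it atomic
                Integer n = failures.get(username);
                failures.put(username, n == null ? 1 : n + 1);
            }
        }
        super.onUnsuccessfulAuthentication(request, response, failed);
    }

    private static String normalise(String username) {
        return username == null ? "" : username.trim().toLowerCase();
    }
}
```

Wiring this up (assumed 2.0.x configuration, check against your version): declare the bean in place of the stock filter using the namespace's custom-filter element with position AUTHENTICATION_PROCESSING_FILTER, and set the inherited exceptionMappings property with key org.springframework.security.LockedException and value /login.jsp?error=locked. The JSP can then disable its inputs with JavaScript whenever the error parameter is present, which gives the "marker" the question asks for without relying on a session. Because the DaoAuthenticationProvider already throws LockedException when the UserDetails returned from loadUserByUsername reports isAccountNonLocked() == false, a "blocked" flag stored in the database lands on the same page with no custom exception type at all; that is the built-in part of the answer to "is there a built-in way". Note also that a per-user lock lets an attacker deliberately lock out known accounts, so a rate limit per source address or a growing delay is a common complement to it.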