URL: https://www.geeksforgeeks.org/advance-java/prevent-brute-force-authentication-attempts-with-spring-security/

Prevent Brute Force Authentication Attempts with Spring Security

Last Updated : 23 Jul, 2025

Brute force attacks are a common threat in which an attacker tries many username and password combinations to gain unauthorized access to a system. To protect against such attacks, it is crucial to implement mechanisms that detect and block repeated failed login attempts. Spring Security provides robust support for mitigating these threats. In this article, we will learn how to prevent brute-force authentication attempts using Spring Security.

The main idea is to track the number of failed login attempts and lock the user account temporarily after a predefined number of unsuccessful attempts. We will use an in-memory approach for simplicity, but it can be extended to use a database for better scalability.

Implementation: Preventing Brute Force Authentication Attempts with Spring Security

Step 1: Create a Spring Project

Create a new Spring project using Spring Initializr. When creating the project, add the following dependencies.

Dependencies:

  • Spring Web
  • Spring Security
  • Lombok
  • Spring DevTools
  • Spring Data JPA
  • MySQL Driver

After creating the project, the folder structure will look like the image below:

(Image: Folder Structure)


Step 2: Configure the Application Properties

Open the application.properties file and add the configuration for the MySQL database.

spring.application.name=security-prevent-bruteforce

# MySQL database configuration
spring.datasource.url=jdbc:mysql://localhost:3306/securityUser
spring.datasource.username=root
spring.datasource.password=
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

# Hibernate properties
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
spring.thymeleaf.cache=false
spring.main.allow-circular-references=true

This configures the MySQL database connection and Hibernate properties.

Step 3: Create the SecurityConfig class

Create the SecurityConfig class that implements the security configuration of the Spring Boot application.

Go to src > main > java > com.demo.springpreventbruteforce > config > SecurityConfig and enter the below code.

Explanation:

  • Configures Spring Security with custom login and logout pages, permitting access to /login and /blocked while securing the other endpoints of the Spring application.
  • We use the custom authentication provider CustomAuthenticationProvider for handling the authentication logic.
  • Implements the password encoding with BCryptPasswordEncoder for securing the password hashing.
  • Sets up the in-memory user details service with a single user for basic authentication.

Step 4: Create the CustomAuthenticationProvider class

Create the CustomAuthenticationProvider class that implements custom authentication logic.

Go to src > main > java > com.demo.springpreventbruteforce > config > CustomAuthenticationProvider and enter the below code.

Explanation:

  • Brute Force Protection: Checks whether the user is blocked due to too many failed login attempts using BruteForceProtectionService and rejects the authentication if necessary.
  • User Authentication: Retrieves the user details and verifies the password using the UserDetailsService and PasswordEncoder.
  • Login Attempts Tracking: It calls the BruteForceProtectionService to record the failed or successful login attempts based on the authentication result of the application.
  • Authentication Provider Support: It specifies that this provider supports the UsernamePasswordAuthenticationToken for authentication.
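As an added example (not the article's own code), the following AuthenticationProvider shows how the four responsibilities above fit together; it assumes BruteForceProtectionService exposes isBlocked, loginFailed and loginSucceeded methods, and the constructor parameter names are assumptions.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;
    private final BruteForceProtectionService protectionService; // assumed API: isBlocked/loginFailed/loginSucceeded

    public CustomAuthenticationProvider(UserDetailsService uds, PasswordEncoder enc, BruteForceProtectionService svc) {
        this.userDetailsService = uds;
        this.passwordEncoder = enc;
        this.protectionService = svc;
    }

    @Override
    public Authentication authenticate(Authentication auth) {
        String username = auth.getName();
        String password = auth.getCredentials().toString();
        // Check the lock before the password, so a locked account is refused even with the right password.
        if (protectionService.isBlocked(username)) {
            throw new LockedException("Account temporarily locked: too many failed logins");
        }
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Count unknown usernames too and reuse the same message so the response does not reveal which users exist.
            protectionService.loginFailed(username);
            throw new BadCredentialsException("Bad credentials");
        }
        if (!passwordEncoder.matches(password, user.getPassword())) {
            protectionService.loginFailed(username);
            throw new BadCredentialsException("Bad credentials");
        }
        protectionService.loginSucceeded(username);
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The LockedException is what a custom AuthenticationFailureHandler can match on to redirect to the blocked page instead of the generic login error.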

Step 5: Create the BruteForceProtectionService Class

Create the BruteForceProtectionService class to handle tracking and blocking of failed login attempts.

Go to src > main > java > com.demo.springpreventbruteforce > service > BruteForceProtectionService and enter the below code.

Explanation:

  • Max Attempts and Lock Time: Defines the maximum allowed login attempts, MAX_ATTEMPT = 5, and the lock duration, LOCK_TIME = 15 minutes, for failed login attempts.
  • Login Success Handling: Clears the failed attempts and unlocks the user by removing their entries from attemptsCache and lockCache.
  • Login Failure Handling: Increments the failed-attempt count for the user in attemptsCache. If the attempts exceed the maximum limit, records the current time to lock the user.
  • Block Check: Determines whether the user is currently blocked by checking if the lock time has expired. If the lock time has passed, the user is removed from the lockCache and is no longer blocked.
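The following is an added example of such a service (not the article's code) with the behaviour described above: two in-memory maps, a lock on the fifth consecutive failure, and lazy expiry of the lock on the next check. The injectable Clock is an assumption added so the expiry path can be unit-tested without waiting 15 minutes.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.stereotype.Service;

@Service
public class BruteForceProtectionService {
    private static final int MAX_ATTEMPT = 5;
    private static final Duration LOCK_TIME = Duration.ofMinutes(15);
    // Per-username state. In-memory means it is lost on restart and not shared between instances.
    private final Map<String, Integer> attemptsCache = new ConcurrentHashMap<>();
    private final Map<String, Instant> lockCache = new ConcurrentHashMap<>();
    private final Clock clock; // injectable so expiry can be tested without waiting 15 minutes

    public BruteForceProtectionService() { this(Clock.systemUTC()); }
    BruteForceProtectionService(Clock clock) { this.clock = clock; }

    public void loginSucceeded(String username) {
        attemptsCache.remove(username);
        lockCache.remove(username);
    }

    public void loginFailed(String username) {
        // merge() is atomic on ConcurrentHashMap, so concurrent failures are counted correctly.
        int attempts = attemptsCache.merge(username, 1, Integer::sum);
        if (attempts >= MAX_ATTEMPT) {
            lockCache.put(username, clock.instant()); // the 5th consecutive failure starts the lock
        }
    }

    public boolean isBlocked(String username) {
        Instant lockedAt = lockCache.get(username);
        if (lockedAt == null) {
            return false;
        }
        if (lockedAt.plus(LOCK_TIME).isBefore(clock.instant())) {
            // Lock expired: clear both caches so the user gets a fresh set of attempts.
            lockCache.remove(username);
            attemptsCache.remove(username);
            return false;
        }
        return true;
    }
}
```

Because the state is keyed by username, anyone who knows a valid username can keep its owner locked out for 15 minutes at a time, so in production this per-account lock is usually paired with per-IP rate limiting or a CAPTCHA rather than used alone.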

Step 6: Create the AuthController Class

Create the AuthController class to handle login requests.

Go to src > main > java > com.demo.springpreventbruteforce > controller > AuthController and put the below code.

This controller handles the GET request for the login page.

Step 7: Create the HomeController Class

Create the HomeController class to handle home and blocked pages.

Go to src > main > java > com.demo.springpreventbruteforce > controller > HomeController and enter the below code.

This controller handles the GET requests for the home and blocked pages.

Step 8: Main Class

No changes are required in the main class.

This is the main entry point for the Spring Boot application.

Step 9: Create the Login HTML page

Create the login.html page for the login view.

Go to src > main > resources > templates > login.html and enter the below HTML code.

This HTML page creates a simple login form with Bootstrap styling.

Step 10: Create the Home HTML page

Create the home.html page for the home page.

Go to src > main > resources > templates > home.html and put the below HTML code.

The home.html page displays a welcome message upon successful login. It uses Bootstrap for styling and includes a card component with a header and body to present the message.

Step 11: Create the Block HTML page

Go to src > main > resources > templates > block.html and put the below HTML code.

The block.html page informs the user that their account has been temporarily locked due to too many failed login attempts. It also uses Bootstrap for styling and displays the message in a card component.

pom.xml file:


Step 12: Run the application

Run the application, which will start on port 8080.

(Image: Application Started)


Step 13: Testing the Application

Login Page:

Navigate to http://localhost:8080/login. If the credentials are correct, it will redirect to the home page.

http://localhost:8080/login

Output:

(Image: Login Page)


Home Page:

Navigate to http://localhost:8080/home to view the home page after successful login.

http://localhost:8080/home

Output:

(Image: Home Page)

If you enter wrong credentials multiple times, your account will be temporarily blocked.


Blocked Page:

If multiple failed login attempts are made, the account will be temporarily locked, and the user will be redirected to http://localhost:8080/block.

http://localhost:8080/block

Output:

(Image: Blocked Page)

Conclusion

With this setup, we have a Spring Boot application that protects against brute force attacks by temporarily locking user accounts after a set number of failed login attempts. This basic implementation can be extended to store user details and failed login attempts in a database for better scalability of the Spring Boot application.
