Logging Failed and Successful Authentication Attempts with SpringBoot

Introduction

The latest OWASP Top 10 (OWASP Top 10:2021), the well-known awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, includes a category for identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as "Broken Authentication", it covers the risks a web application faces from weak authentication implementations. Below I am going to demonstrate the implementation of one of the countermeasures: being able to log authentication attempts, whether they are successful or not.

Implementation

In order to avoid boilerplate code I am using Lombok to create the SLF4J logger.

Log Success

The steps are the following:

  1. We create a service that “listens” for the success logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationSuccessListener, that implements the interface ApplicationListener<AuthenticationSuccessEvent>.

There we need to autowire an HttpServletRequest in order to get the IP address. The address will either be on this object or, if the request is coming through a proxy, it will be extracted from the X-Forwarded-For header.

If we put all that together, the code should look similar to the snippet below.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {
    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        //get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            //no proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            //from proxy
            log.error("Successful login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a log line similar to

2022-08-17 01:50:42.325 ERROR 81901 --- [io-8080-exec-10] .d.u.m.m.s.AuthenticationSuccessListener : Successful login attempt for alexius from 0:0:0:0:0:0:0:1

Log Failure

The steps are the following:

  1. We create a service that “listens” for the failed logins
  2. Extract the username
  3. Extract the IP address
  4. Log it

For the first step we need to create a component, let's call it AuthenticationFailureListener, that implements the interface ApplicationListener<AuthenticationFailureBadCredentialsEvent>.

There we need to autowire an HttpServletRequest in order to get the IP address. The address will either be on this object or, if the request is coming through a proxy, it will be extracted from the X-Forwarded-For header.

If we put all that together, the code should look similar to the snippet below.

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

    @Autowired
    private HttpServletRequest request;

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        //get the X-Forwarded-For header so that we know if the request is from a proxy
        final String xfHeader = request.getHeader("X-Forwarded-For");
        if (xfHeader == null){
            //no proxy: use the address of the connecting client
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), request.getRemoteAddr());
        } else {
            //from proxy: the first entry in the header is the original client
            log.error("Failed login attempt for {} from {}", event.getAuthentication().getName(), xfHeader.split(",")[0]);
        }
    }
}

You should get a log line similar to

2022-08-17 02:22:51.377 ERROR 82022 --- [nio-8080-exec-4] .d.u.m.m.s.AuthenticationFailureListener : Failed login attempt for alexius from 0:0:0:0:0:0:0:1
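As an added example that is not part of the original post, the two listeners above can be collapsed into one component using Spring's @EventListener. It listens for AbstractAuthenticationFailureEvent rather than only the bad-credentials subclass, so locked, disabled and expired accounts are logged too; it reads the remote address from the WebAuthenticationDetails that Spring Security attaches to the token; and it only consults X-Forwarded-For when a hypothetical audit.trust-forwarded-for property is enabled, because that header is supplied by the client and is only meaningful behind a proxy you control. Like the post, it assumes Spring Boot 2.x (javax.servlet) and Lombok.

```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

@Slf4j
@Component
public class AuthenticationAuditListener {
    private final HttpServletRequest request;  // request-scoped proxy, as in the post
    private final boolean trustForwardedFor;   // hypothetical property, defaults to false
    public AuthenticationAuditListener(HttpServletRequest request,
            @Value("${audit.trust-forwarded-for:false}") boolean trustForwardedFor) {
        this.request = request;
        this.trustForwardedFor = trustForwardedFor;
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        // routine event: INFO rather than ERROR, so real failures stand out when filtering by level
        Authentication auth = event.getAuthentication();
        log.info("Successful login attempt for {} from {}", auth.getName(), clientIp(auth));
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        // the abstract parent also matches Locked, Disabled, AccountExpired ... not only BadCredentials
        Authentication auth = event.getAuthentication();
        log.warn("Failed login attempt for {} from {} ({})", auth.getName(), clientIp(auth),
                event.getException().getClass().getSimpleName());
    }

    private String clientIp(Authentication auth) {
        // X-Forwarded-For is client-supplied; only consult it behind a proxy you control
        String xff = trustForwardedFor ? request.getHeader("X-Forwarded-For") : null;
        if (xff != null && !xff.isBlank()) {
            String[] hops = xff.split(",");
            return hops[hops.length - 1].trim();  // rightmost entry is the one your proxy appended
        }
        Object details = auth.getDetails();  // WebAuthenticationDetails for form and basic login
        return details instanceof WebAuthenticationDetails
                ? ((WebAuthenticationDetails) details).getRemoteAddress()
                : request.getRemoteAddr();
    }
}
```

If the application already runs with Spring Boot's server.forward-headers-strategy set for the proxy in front of it, getRemoteAddr() and getRemoteAddress() already reflect the forwarded client and the header branch can stay disabled.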

Passionate Archer, Runner, Linux lover and JAVA Geek! That's about everything! Alexius Dionysius Diakogiannis is a Senior Java Solutions Architect and Squad Lead at the European Investment Bank. He has over 20 years of experience in Java/JEE development, with a strong focus on enterprise architecture, security and performance optimization. He is proficient in a wide range of technologies, including Spring, Hibernate and JakartaEE. Alexius is a certified Scrum Master and is passionate about agile development. He is also an experienced trainer and speaker, and has given presentations at a number of conferences and meetups. In his current role, Alexius is responsible for leading a team of developers in the development of mission-critical applications. He is also responsible for designing and implementing the architecture for these applications, focusing on performance optimization and security.