Fixed auth login failure logging

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
Andrew DeMaria 8 years ago
parent b95c077c6f
commit b108787f1b
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 8
      libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java
  2. 12
      libresonic-main/src/main/java/org/libresonic/player/security/LoginFailureListener.java
  3. 39
      libresonic-main/src/main/java/org/libresonic/player/security/LoginFailureLogger.java
  4. 23
      libresonic-main/src/main/java/org/libresonic/player/security/RESTRequestParameterProcessingFilter.java
  5. 4
      libresonic-main/src/main/resources/META-INF/spring.factories

@ -8,6 +8,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
@ -36,15 +37,14 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
@Autowired @Autowired
private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher; private CsrfSecurityRequestMatcher csrfSecurityRequestMatcher;
@Autowired
LoginFailureLogger loginFailureLogger;
@Autowired @Autowired
SettingsService settingsService; SettingsService settingsService;
@Autowired @Autowired
LibresonicUserDetailsContextMapper libresonicUserDetailsContextMapper; LibresonicUserDetailsContextMapper libresonicUserDetailsContextMapper;
@Autowired
ApplicationEventPublisher eventPublisher;
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
@ -115,7 +115,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
RESTRequestParameterProcessingFilter restAuthenticationFilter = new RESTRequestParameterProcessingFilter(); RESTRequestParameterProcessingFilter restAuthenticationFilter = new RESTRequestParameterProcessingFilter();
restAuthenticationFilter.setAuthenticationManager(authenticationManagerBean()); restAuthenticationFilter.setAuthenticationManager(authenticationManagerBean());
restAuthenticationFilter.setSecurityService(securityService); restAuthenticationFilter.setSecurityService(securityService);
restAuthenticationFilter.setLoginFailureLogger(loginFailureLogger); restAuthenticationFilter.setEventPublisher(eventPublisher);
http = http.addFilterBefore(restAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); http = http.addFilterBefore(restAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
http http

@ -19,6 +19,8 @@
package org.libresonic.player.security; package org.libresonic.player.security;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent; import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener; import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AbstractAuthenticationToken;
@ -29,9 +31,9 @@ import org.springframework.security.web.authentication.WebAuthenticationDetails;
* @author Sindre Mehus * @author Sindre Mehus
* @version $Id$ * @version $Id$
*/ */
public class LibresonicApplicationEventListener implements ApplicationListener { public class LoginFailureListener implements ApplicationListener {
private LoginFailureLogger loginFailureLogger; private static final Logger LOG = LoggerFactory.getLogger(LoginFailureListener.class);
@Override @Override
public void onApplicationEvent(ApplicationEvent event) { public void onApplicationEvent(ApplicationEvent event) {
@ -40,14 +42,10 @@ public class LibresonicApplicationEventListener implements ApplicationListener {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) event.getSource(); AbstractAuthenticationToken token = (AbstractAuthenticationToken) event.getSource();
Object details = token.getDetails(); Object details = token.getDetails();
if (details instanceof WebAuthenticationDetails) { if (details instanceof WebAuthenticationDetails) {
loginFailureLogger.log(((WebAuthenticationDetails) details).getRemoteAddress(), String.valueOf(token.getPrincipal())); LOG.info("Login failed from [" + ((WebAuthenticationDetails) details).getRemoteAddress() + "]");
} }
} }
} }
} }
public void setLoginFailureLogger(LoginFailureLogger loginFailureLogger) {
this.loginFailureLogger = loginFailureLogger;
}
} }

@ -1,39 +0,0 @@
/*
* This file is part of Libresonic.
*
* Libresonic is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Libresonic is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Libresonic. If not, see <http://www.gnu.org/licenses/>.
*
* Copyright 2015 (C) Sindre Mehus
*/
package org.libresonic.player.security;
import org.libresonic.player.Logger;
import org.springframework.stereotype.Component;
/**
* Logs login failures. Can be used by tools like fail2ban for blocking IP addresses.
*
* @author Sindre Mehus
* @version $Id$
*/
@Component
public class LoginFailureLogger {
private static final Logger LOG = Logger.getLogger(LoginFailureLogger.class);
public void log(String remoteAddress, String username) {
LOG.info("Login failed for [" + username + "] from [" + remoteAddress + "]");
}
}

@ -28,11 +28,15 @@ import org.libresonic.player.domain.User;
import org.libresonic.player.domain.Version; import org.libresonic.player.domain.Version;
import org.libresonic.player.service.SecurityService; import org.libresonic.player.service.SecurityService;
import org.libresonic.player.util.StringUtil; import org.libresonic.player.util.StringUtil;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.util.matcher.RegexRequestMatcher; import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
@ -60,7 +64,8 @@ public class RESTRequestParameterProcessingFilter implements Filter {
private final JAXBWriter jaxbWriter = new JAXBWriter(); private final JAXBWriter jaxbWriter = new JAXBWriter();
private AuthenticationManager authenticationManager; private AuthenticationManager authenticationManager;
private SecurityService securityService; private SecurityService securityService;
private LoginFailureLogger loginFailureLogger; private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private ApplicationEventPublisher eventPublisher;
private static RequestMatcher requiresAuthenticationRequestMatcher = new RegexRequestMatcher("/rest/.+",null); private static RequestMatcher requiresAuthenticationRequestMatcher = new RegexRequestMatcher("/rest/.+",null);
@ -110,15 +115,12 @@ public class RESTRequestParameterProcessingFilter implements Filter {
} }
if (errorCode == null) { if (errorCode == null) {
errorCode = authenticate(username, password, salt, token, previousAuth); errorCode = authenticate(httpRequest, username, password, salt, token, previousAuth);
} }
if (errorCode == null) { if (errorCode == null) {
chain.doFilter(request, response); chain.doFilter(request, response);
} else { } else {
if (errorCode == RESTController.ErrorCode.NOT_AUTHENTICATED) {
loginFailureLogger.log(request.getRemoteAddr(), username);
}
SecurityContextHolder.getContext().setAuthentication(null); SecurityContextHolder.getContext().setAuthentication(null);
sendErrorXml(httpRequest, httpResponse, errorCode); sendErrorXml(httpRequest, httpResponse, errorCode);
} }
@ -138,7 +140,7 @@ public class RESTRequestParameterProcessingFilter implements Filter {
return null; return null;
} }
private RESTController.ErrorCode authenticate(String username, String password, String salt, String token, Authentication previousAuth) { private RESTController.ErrorCode authenticate(HttpServletRequest httpRequest, String username, String password, String salt, String token, Authentication previousAuth) {
// Previously authenticated and username not overridden? // Previously authenticated and username not overridden?
if (username == null && previousAuth != null) { if (username == null && previousAuth != null) {
@ -159,12 +161,14 @@ public class RESTRequestParameterProcessingFilter implements Filter {
} }
if (password != null) { if (password != null) {
try {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
authRequest.setDetails(authenticationDetailsSource.buildDetails(httpRequest));
try {
Authentication authResult = authenticationManager.authenticate(authRequest); Authentication authResult = authenticationManager.authenticate(authRequest);
SecurityContextHolder.getContext().setAuthentication(authResult); SecurityContextHolder.getContext().setAuthentication(authResult);
return null; return null;
} catch (AuthenticationException x) { } catch (AuthenticationException x) {
eventPublisher.publishEvent(new AuthenticationFailureBadCredentialsEvent(authRequest, x));
return RESTController.ErrorCode.NOT_AUTHENTICATED; return RESTController.ErrorCode.NOT_AUTHENTICATED;
} }
} }
@ -213,8 +217,7 @@ public class RESTRequestParameterProcessingFilter implements Filter {
this.securityService = securityService; this.securityService = securityService;
} }
public void setEventPublisher(ApplicationEventPublisher eventPublisher) {
public void setLoginFailureLogger(LoginFailureLogger loginFailureLogger) { this.eventPublisher = eventPublisher;
this.loginFailureLogger = loginFailureLogger;
} }
} }

@ -1 +1,3 @@
org.springframework.context.ApplicationListener=org.libresonic.player.spring.LoggingFileOverrideListener org.springframework.context.ApplicationListener=\
org.libresonic.player.spring.LoggingFileOverrideListener,\
org.libresonic.player.security.LoginFailureListener

Loading…
Cancel
Save