用户三次错误尝试后显示验证码
我正在开发一个应用程序,在某些地方,如果 N 次尝试失败,我需要引入验证码。这些地方可以是注册、登录、添加到愿望清单、订阅等。这也是为了确保任何人都无法尝试拒绝服务攻击和暴力攻击。 Spring Security 中有这样的机制吗?
I am working on a application where at some places I need to introduce captcha if N number of attempts failed. These places can be signup, login, add to wishlist, subscribe etc. It is also to ensure that denial of service attack and brute force attack cannot be attempted by anyone. Is there a mechanism for this in Spring Security?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
Spring Security 中没有直接的内容,但应该很容易将登录计数存储在用户会话中,并检查 JSP 中的计数以呈现验证码是必要的。
There is nothing in Spring Security directly, but it should be easy to store the login count in the users session and check that count in your JSP to render a CAPTCHA is neccessary.
实现一个 AuthenticationFailureHandler 来更新数据库中的计数/时间。您不能指望使用会话,因为攻击者无论如何都不会发送 cookie。
Implement an AuthenticationFailureHandler that updates a count/time in the DB. You can't count on using the session because the attacker is not going to be sending cookies anyway.
使用 JCaptcha 和 SpringMVC 实现
http://parasjain.net/2008/11/11/jcaptcha-with-spring/
Implementation done using JCaptcha and SpringMVC
http://parasjain.net/2008/11/11/jcaptcha-with-spring/
如果您将 reCAPTCHA 与 Spring Security 一起使用,这会很有帮助http://krams915.blogspot.com/2011/02/spring-security-3-integrating-recaptcha。 html
If you are using reCAPTCHA with Spring Security, this is helpful http://krams915.blogspot.com/2011/02/spring-security-3-integrating-recaptcha.html