A brute force login is a method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations’ systems and networks. The attacker tries multiple usernames and passwords until they find the correct login information.
In this blog I describe in detail how we can show the user a custom error message after a certain number of failed attempts, so that the user stops retrying once the custom message appears.
Hybris OOTB Functionality:
Out of the box, when a user tries to log in to the site with wrong credentials, Hybris shows the error message “Your username or password was incorrect”.
For every user there is a LoginDisabled attribute in the UserModel.
Up to 5 unsuccessful attempts this attribute remains false, but after 5 unsuccessful login attempts within a certain time frame it is set to true and the user account is blocked. Once it is true, the user is not allowed to log in to the site even with the correct credentials. However, even after the account has been disabled, the error message the user receives in the frontend is still the same. To inform the user that the account has been blocked, clients regularly ask for a custom message saying that the account is locked, so the user does not waste more time trying to log in.
Note: This is generally a client requirement to give a custom error message for a better customer experience, but it makes the system more exposed. If an attacker is trying to log in with random credentials and the system starts showing this message, the attacker can be sure that this userId exists in the system.
So in this blog we will see how we can achieve this custom error message functionality and which files need to be changed in order to achieve it.
Detailed flow of existing Functionality:
As soon as the user clicks the login button after entering the credentials, the doLogin() method in the LoginPageController is called. This internally goes through the authentication filter, which uses the OOTB class AbstractAcceleratorAuthenticationProvider from the acceleratorstorefrontcommons extension, where all the logic related to disabling the user is written.
DefaultBruteForceAttackCounter is the class that checks whether the current attempt is part of a brute force attack and maintains the count of unsuccessful attempts. Once a brute force attack has been identified, LoginDisabled is set to true on that UserModel.
acceleratorstorefrontcommons-spring.xml is the file where the number of unsuccessful attempts after which the userId is locked is configured. By default it is set to 5, but we can change it as per requirement.
Customization of generic message:
In order to achieve this, there is a class AcceleratorAuthenticationProvider in our custom folder which extends the AbstractAcceleratorAuthenticationProvider class. In this AcceleratorAuthenticationProvider class we are going to override the authenticate method.
Inside the authenticate method we can set an attribute in the SessionService once the brute force attack has been identified.
We can then read the same session attribute in the doLogin method of the LoginPageController, and if a value is present in this attribute we can add a global message which is displayed in the storefront.
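The provider side of this flow, as an added example that is not code from the original post or from the Hybris code base: the OOTB provider runs first so the brute force counter and LoginDisabled flag are updated as usual, and only when the account is really disabled does the override record a marker in the session for the controller to read. The package name, the attribute name ACCOUNT_LOCKED_ATTR and the Spring injection of SessionService and UserService are assumptions; the class and method names are the ones referred to above.

```java
package com.example.storefront.security; // assumed package name
import de.hybris.platform.acceleratorstorefrontcommons.security.AbstractAcceleratorAuthenticationProvider;
import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException;
import de.hybris.platform.servicelayer.session.SessionService;
import de.hybris.platform.servicelayer.user.UserService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class AcceleratorAuthenticationProvider extends AbstractAcceleratorAuthenticationProvider
{
    // Session attribute the controller reads; the name is an assumption for this example.
    public static final String ACCOUNT_LOCKED_ATTR = "customAccountLocked";

    private SessionService sessionService; // both injected from the custom *-spring.xml (assumed)
    private UserService userService;

    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException
    {
        final String uid = String.valueOf(authentication.getPrincipal()).toLowerCase();
        try
        {
            // OOTB logic runs first: it counts the failure and sets LoginDisabled once the threshold is hit.
            return super.authenticate(authentication);
        }
        catch (final AuthenticationException e)
        {
            // Flag the session only when the account is actually disabled, not on every failed attempt.
            if (isLoginDisabled(uid))
            {
                sessionService.setAttribute(ACCOUNT_LOCKED_ATTR, Boolean.TRUE);
            }
            throw e; // keep the OOTB failure handling (redirect back to the login page)
        }
    }

    protected boolean isLoginDisabled(final String uid)
    {
        try
        {
            final UserModel user = userService.getUserForUID(uid);
            return Boolean.TRUE.equals(user.getLoginDisabled());
        }
        catch (final UnknownIdentifierException e)
        {
            return false; // unknown uid: nothing to flag, the generic message stays as before
        }
    }

    public void setSessionService(final SessionService sessionService) { this.sessionService = sessionService; }
    public void setUserService(final UserService userService) { this.userService = userService; }
}
```

On the controller side, doLogin reads the marker with sessionService.getAttribute(ACCOUNT_LOCKED_ATTR), removes it again so the message is shown only once, and adds the custom message key through the accelerator's GlobalMessages.addErrorMessage helper.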
It gives a better UI experience to the end user. It also helps the user understand that the account has been locked, so they can proceed to resolve the locked account instead of spending time trying to log in to an account that is already blocked.
I hope this blog post helps you understand brute force logins and how to provide custom error messages for such failed login attempts.
Do you need any other information that should be added to the blog? Let us know in the comments under this blog post. Please like and share your feedback or thoughts in the comments section.