For a new project at Good Start Genetics we decided to use Grails 3 to build a RESTful JSON API. As with all of the Grails applications and services we have built we installed the Spring Security Core plugin. Given that this was an API only, we also integrated the Spring Security REST extension. This latter plugin provides a set of tools to secure our endpoints via tokens. When implementing the REST security plugin we opted to use Redis for our token store. Redis was selected for two reasons:
- Auth requests would not need to make a request to the DB
- Tokens can easily be timed out after a configured period of inactivity
Getting that all setup was simple. Now came the inevitable requirement to have user’s accounts locked out after a number of unsuccessful login attempts. Despite being a requirement of every application I have working on, its not a use case covered explicitly by the Grails Spring Security plugins. In the past I implemented this requirement by adding fields to my User object to track the number of failed attempts and then updating the locked boolean on the User object when the max number of attempts was breached. This worked fine and I considered this approach again. However, given I already had Redis support integrated into my application I figured this was a perfect use case.
The Implementation
First I needed a service that would be called after a failed attempt and increment the number of attempts in Redis for the given user.
Second I needed to listen to the failed login events and make calls out to the above service when the failed login event corresponded with a known user.
And with just those two files, I enabled user locking! For a working sample application please check out my sample repo: