It's not that hard to roll your own BFD. As in Spring Security 3.0 you can simply add Application listeners (thanks Stephen Cfor pointing me in the correct direction).

推出自己的 BFD 并不难。在 Spring Security 3.0 中，您可以简单地添加应用程序侦听器（感谢Stephen C为我指明了正确的方向）。

This listener will be called when authentication failures appear:

出现身份验证失败时将调用此侦听器：

@Component
public class AuthenticationFailureListener
    implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

  @Autowired
  private UserDao userDao;

  public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent ev) {

    String username = ev.getAuthentication().getName();

    User user = userDao.find("name", username);
    if (user != null) { // only for existing users
            user.reportLoginFailure();
            userDao.commit();
    }
  }
}

Each authentication failure will now inform the user. The user for example increments an authentication failure counter and deactivates it self when a certain threshold is reached.

现在，每次身份验证失败都会通知用户。例如，用户增加认证失败计数器并在达到某个阈值时自行停用。

When a user is correctly authenticated the below listener will inform the user (who for example can reset it's authentication failure counters):

当用户通过正确身份验证时，以下侦听器将通知用户（例如，谁可以重置其身份验证失败计数器）：

@Component
public class AuthenticationSuccessEventListener
    implements ApplicationListener<AuthenticationSuccessEvent>{

  @Autowired
  private UserDao userDao;

  public void onApplicationEvent(AuthenticationSuccessEvent event) {

    String username = event.getAuthentication().getName();

    User user = userDao.find("name", username);
    user.reportLoginOK();
    userDao.commit();
  }
}

The above listeners will not need additional XML configuration and are picked up automatically by Spring (if they are in Spring component-scan package).

上述侦听器不需要额外的 XML 配置，并且由 Spring 自动拾取（如果它们在 Spring component-scan 包中）。

Depending on you transaction configuration this solution could miss some failed login counts if they happen near simultaneously. This can be prevented if you update the counter with a single UPDATE query instead of loading the user and then save the changes.

根据您的事务配置，如果它们几乎同时发生，此解决方案可能会错过一些失败的登录计数。如果您使用单个 UPDATE 查询更新计数器而不是加载用户然后保存更改，则可以防止这种情况。

Above listeners can also be extended to detect other BDF patterns, for example a single IP that is doing a scan on lot's of (random) user names.

上述侦听器还可以扩展到检测其他 BDF 模式，例如对大量（随机）用户名进行扫描的单个 IP。

You should also know that locking an attacked account means making your service DOSable.

您还应该知道，锁定受攻击的帐户意味着使您的服务可以进行 DOS 攻击。

The well known example is: you provide an auction service, Bob wants to buy some position and attacks Alice's account, so instead of making bets Alice tries to restore her account while Bob gets the position. Even temporary (5 seconds) locks may prevent Alice from using the service as she needs.

众所周知的例子是：您提供拍卖服务，Bob 想要购买一些头寸并攻击 Alice 的账户，因此与其下注，Alice 试图在 Bob 获得头寸的同时恢复她的账户。即使是临时（5 秒）锁定也可能阻止 Alice 按需使用该服务。

The normal way to do detect brute force attacks (password guessing) is to have the authentication scheme log failed login attempts, and have a separate application attempt to detect suspicious patterns in the log file. I guess it would be possible to close the loop and have the detector take action to lock accounts under attack, etc.

检测蛮力攻击（密码猜测）的正常方法是让身份验证方案记录失败的登录尝试，并让单独的应用程序尝试检测日志文件中的可疑模式。我想可以关闭循环并让检测器采取行动锁定受到攻击的帐户等。

There is an example on this page.

此页面上有一个示例。