Implement login attempt tracking and rate limiting to prevent
brute-force attacks:

- Add LoginAttemptService to track failed attempts per username
  with configurable max attempts (5), lockout duration (30min),
  and attempt window (15min)
- Add LoginAttemptFilter to block requests before authentication
  when account is locked, returns HTTP 429
- Add AuthenticationFailureListener to record failed attempts
- Add AuthenticationSuccessListener to clear attempts on success
- Update RESTAuthenticationFailureHandler to return generic
  'Invalid credentials' message to prevent username enumeration
- Update SsoSecurityConfig to add filter before authentication
- Add security.login.* configuration properties to application.yml

The implementation uses in-memory tracking with automatic cleanup
after lockout period expires.