Implement login attempt tracking and rate limiting to prevent brute-force attacks:

- Add LoginAttemptService to track failed attempts per username with configurable max attempts (5), lockout duration (30min), and attempt window (15min)
- Add LoginAttemptFilter to block requests before authentication when the account is locked; returns HTTP 429
- Add AuthenticationFailureListener to record failed attempts
- Add AuthenticationSuccessListener to clear attempts on success
- Update RESTAuthenticationFailureHandler to return a generic 'Invalid credentials' message to prevent username enumeration
- Update SsoSecurityConfig to add the filter before authentication
- Add security.login.* configuration properties to application.yml

The implementation uses in-memory tracking with automatic cleanup after the lockout period expires.
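The commit message describes the counting policy but not how the window, the threshold and the cleanup fit together. The following is an added example written for this page; it is not the project's LoginAttemptService and does not use its configuration keys. The class name `LoginAttemptTracker`, the `Supplier<Instant>` clock injection and the sample timestamps are assumptions made so that the example runs deterministically without Spring.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/**
 * Added example (not the project's own LoginAttemptService): in-memory tracking of
 * failed logins per username with a sliding attempt window and a temporary lockout.
 * Lockout state is removed automatically once the lockout period has expired.
 */
public class LoginAttemptTracker {

    /** Per-username state; guarded by synchronizing on the instance. */
    private static final class AttemptRecord {
        final Deque<Instant> failures = new ArrayDeque<>(); // failure timestamps inside the window
        Instant lockedUntil;                                // null while the account is not locked
    }

    private final int maxAttempts;
    private final Duration attemptWindow;
    private final Duration lockoutDuration;
    private final Supplier<Instant> clock; // injected (assumption) so the example is deterministic
    private final Map<String, AttemptRecord> records = new ConcurrentHashMap<>();

    public LoginAttemptTracker(int maxAttempts, Duration attemptWindow,
                               Duration lockoutDuration, Supplier<Instant> clock) {
        this.maxAttempts = maxAttempts;
        this.attemptWindow = attemptWindow;
        this.lockoutDuration = lockoutDuration;
        this.clock = clock;
    }

    /** What a pre-authentication filter would consult before deciding to answer 429. */
    public boolean isLocked(String username) {
        return remainingLockout(username).compareTo(Duration.ZERO) > 0;
    }

    /** Time left on the lockout (ZERO when not locked); an expired lockout is cleaned up here. */
    public Duration remainingLockout(String username) {
        String key = key(username);
        AttemptRecord rec = records.get(key);
        if (rec == null) return Duration.ZERO;
        synchronized (rec) {
            Instant now = clock.get();
            if (rec.lockedUntil == null) return Duration.ZERO;
            if (now.isBefore(rec.lockedUntil)) return Duration.between(now, rec.lockedUntil);
            records.remove(key, rec); // automatic cleanup after the lockout period expires
            return Duration.ZERO;
        }
    }

    /** What an authentication-failure listener would call. */
    public void recordFailure(String username) {
        AttemptRecord rec = records.computeIfAbsent(key(username), k -> new AttemptRecord());
        synchronized (rec) {
            Instant now = clock.get();
            Instant windowStart = now.minus(attemptWindow);
            // Only failures inside the sliding window count towards the limit.
            while (!rec.failures.isEmpty() && rec.failures.peekFirst().isBefore(windowStart)) {
                rec.failures.pollFirst();
            }
            rec.failures.addLast(now);
            if (rec.failures.size() >= maxAttempts) {
                rec.lockedUntil = now.plus(lockoutDuration);
                rec.failures.clear();
            }
        }
    }

    /** What an authentication-success listener would call: a successful login resets the counter. */
    public void recordSuccess(String username) {
        records.remove(key(username));
    }

    /** Normalise the key so "Alice" and "alice" share one counter. */
    private static String key(String username) {
        return username == null ? "" : username.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2024-01-01T00:00:00Z") }; // constructed, controllable clock
        LoginAttemptTracker tracker = new LoginAttemptTracker(
                5, Duration.ofMinutes(15), Duration.ofMinutes(30), () -> now[0]);

        for (int i = 0; i < 4; i++) tracker.recordFailure("alice");
        System.out.println("after 4 failures: locked=" + tracker.isLocked("alice"));

        now[0] = now[0].plus(Duration.ofMinutes(16)); // the first four fall out of the 15-minute window
        tracker.recordFailure("alice");
        System.out.println("after stale failures expired: locked=" + tracker.isLocked("alice"));

        for (int i = 0; i < 4; i++) tracker.recordFailure("alice"); // five failures inside the window
        System.out.println("locked=" + tracker.isLocked("alice")
                + " remaining=" + tracker.remainingLockout("alice"));

        now[0] = now[0].plus(Duration.ofMinutes(30)); // lockout period has elapsed
        System.out.println("after lockout: locked=" + tracker.isLocked("alice"));
    }
}
```

A filter built on this would call `isLocked` before the credentials are checked, answer 429 with the `Retry-After` header derived from `remainingLockout`, and use the same generic body as the failure handler so a locked response does not reveal more than a failed one. Two properties of the in-memory design are worth keeping in mind: the state lives in one JVM, so a deployment with several instances gives each node its own counters unless the store is shared; and a per-username lockout lets anyone who knows a username keep that account locked by submitting wrong passwords, which is why the lockout is short and the success path clears the counter.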
Files in this directory:

- LicenseChecker.java
- LicenseMgr.java
- RESTAuthenticationEntryPoint.java
- RESTAuthenticationFailureHandler.java
- RESTAuthenticationSuccessHandler.java
- RESTLogoutSuccessHandler.java
- SsoSecurityConfig.java
- SystemVariable.java