Spring MVC not to return HTTP response


It is possible that a user tries to send malicious data to a web application. With a firewall, we can block the request, not returning anything.

Is it possible for Spring MVC to do the same at the application level, since returning anything for a malicious attempt is a waste of resources, if it is a DDoS attempt?

Thanks

Firewalls block requests based on rules (or policies).

Example: if an IP sends more than 10 requests per second, block its subsequent requests for 2 hours.

Can you do that using Spring MVC?

Well, can you program it? Yes, you can. (Although you would send an empty response, not block the connection as a firewall would.) You'd have to think of the rules and implement them.

But it is not as simple as setting up a firewall, and it is not the application's job to do.

For the example above, you would create a HashMap to store every IP that requested the controller, and a counter. If the counter is bigger than 10, you'd move the IP to another HashMap (say, blockedIpsMap) for 2 hours. Every request made to the controller should check that the IP is not in blockedIpsMap before sending a response.

Again: is it possible? Yes. Should you do it? If you need to (if you are being attacked a lot, for instance), and you can't manage it using a firewall (software meant for this).

Sample code:

The way application servers (and servlets) are built, they must return a response. I mean: you can't not send a response. (Servlets and the application server are built to be robust, and sending no response is a failure in their eyes.)

As said, a firewall can block connections, though, and never send a response when it wants.

Anyway, since you have to send a response, you can send an empty one.

Using Spring MVC, sending an empty response looks like:

@RequestMapping(value = "/path")
@ResponseBody
public String emptyResponse() {
    if (shouldIBlock()) {
        return "";
    } else {
        // do stuff as usual
        return "regular response"; // placeholder for the normal response body
    }
}

The code above will return an HTTP 200-OK response with Content-Length = 0.

Your best bet, though, is using a servlet filter to go "in between" every request and every controller.

Here's some code to get you started (it is self-explanatory):

package ipfilter;

import java.io.IOException;

import javax.servlet.*;
import javax.servlet.http.*;

public class BlockIpFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        String userIp = request.getRemoteAddr();
        if (isIpAllowed(userIp)) {
            filterChain.doFilter(request, response); // go on
        } else if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // return a 403-Forbidden error
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "error message (may wanna leave empty)");
            /* or you can comment out the line above and an empty
             * response with 200-OK will be sent, giving no clue to the user that he was blocked
             */
        }
        // a blocked request with a non-HTTP response is simply not passed down the chain
    }

    public boolean isIpAllowed(String ip) {
        // maybe add a HashMap and other checking
        return false;
    }
}

Also add to the top of your web.xml:

<filter>
    <filter-name>BlockIpFilter</filter-name>
    <filter-class>ipfilter.BlockIpFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>BlockIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
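The rule described in the answer (more than 10 requests per second from one IP, then a 2-hour block) can be sketched as follows. This is an added example, not code from the original answer; the class name IpRateLimiter, its evictIdle method and the sample address are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

// Added example: fixed one-second window per IP, 2-hour block once the limit is exceeded.
public class IpRateLimiter {
    private static final int MAX_PER_WINDOW = 10;  // rule from the answer: more than 10 req/s
    private static final long WINDOW_MS = TimeUnit.SECONDS.toMillis(1);
    private static final long BLOCK_MS = TimeUnit.HOURS.toMillis(2);

    // Per-IP state; only read or written inside compute*(), which is atomic per key.
    private static final class State { long windowStart; int count; long blockedUntil; }
    private final ConcurrentHashMap<String, State> states = new ConcurrentHashMap<>();

    // True if the request may proceed. The clock is a parameter so the rule can be tested.
    public boolean isIpAllowed(String ip, long nowMs) {
        boolean[] allowed = {true};
        states.compute(ip, (key, s) -> {
            if (s == null) { s = new State(); s.windowStart = nowMs; }
            // still inside the 2-hour block: refuse without touching the counter
            if (nowMs < s.blockedUntil) { allowed[0] = false; return s; }
            if (nowMs - s.windowStart >= WINDOW_MS) {  // a new one-second window begins
                s.windowStart = nowMs;
                s.count = 0;
            }
            if (++s.count > MAX_PER_WINDOW) {          // 11th request in this window
                s.blockedUntil = nowMs + BLOCK_MS;
                allowed[0] = false;
            }
            return s;
        });
        return allowed[0];
    }

    // Run periodically: drops idle, unblocked entries so the map cannot grow without bound.
    public void evictIdle(long nowMs) {
        for (String ip : states.keySet()) {
            states.computeIfPresent(ip, (key, s) ->
                nowMs >= s.blockedUntil && nowMs - s.windowStart >= WINDOW_MS ? null : s);
        }
    }

    public static void main(String[] args) {
        IpRateLimiter limiter = new IpRateLimiter();
        String ip = "203.0.113.7";                      // constructed sample address
        long t0 = 1_000_000L;                           // constructed clock value
        for (int i = 1; i <= 10; i++) limiter.isIpAllowed(ip, t0);       // first 10 requests
        System.out.println(limiter.isIpAllowed(ip, t0));                 // 11th request
        System.out.println(limiter.isIpAllowed(ip, t0 + BLOCK_MS - 1));  // block still active
        System.out.println(limiter.isIpAllowed(ip, t0 + BLOCK_MS));      // block expired
    }
}
```

Inside the filter above, isIpAllowed(userIp) could delegate to limiter.isIpAllowed(userIp, System.currentTimeMillis()). Behind a reverse proxy or load balancer, request.getRemoteAddr() returns the proxy's address, so every client would share one counter.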
