Esempio n. 1
0
  private boolean hasToManySession(HttpServletRequest request) {

    String ip = RemoteInfoUtil.getClientIpAddr(request);
    List<Date> ipSessionDates = getSessionIpDates(ip);

    if (ipSessionDates != null && !ipSessionDates.isEmpty()) {
      long currentTime = System.currentTimeMillis();
      long past10s = currentTime - (10 * 100);
      long past1min = currentTime - (60 * 100);
      long past30min = currentTime - (30 * 60 * 100);
      int count10s = 0;
      int count1min = 0;
      int count30min = 0;
      for (Date sessionDate : ipSessionDates) {
        long tsession = sessionDate.getTime();
        if (tsession >= past10s) {
          count10s++;
        } else if (tsession >= past1min) {
          count1min++;
        } else if (tsession >= past30min) {
          count30min++;
        }
      }
      count1min += count10s;
      count30min += count1min;
      return (count10s >= SESSION_IP_THRESHOLD_10S)
          || (count1min >= SESSION_IP_THRESHOLD_1MIN)
          || (count30min >= SESSION_IP_THRESHOLD_30MIN);
    }

    return false;
  }
Esempio n. 2
0
  @Override
  protected void doFilterInternal(
      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {

    long timer = System.currentTimeMillis();
    SessionLog sessionLog = null;
    boolean ok = true;

    if (request.getSession(false) == null
        || request.getSession().getAttribute(SessionLog.class.getName()) == null) {
      if (hasToManySession(request)) {
        ok = false;
        handleTooManySession(request);
      } else {
        // create new session if needed
        HttpSession session = request.getSession();
        sessionLog = createNewSessionLog(request);
        session.setAttribute(SessionLog.class.getName(), sessionLog);
      }
    } else {
      sessionLog = (SessionLog) request.getSession().getAttribute(SessionLog.class.getName());
      if (!sessionLog.getIp().equalsIgnoreCase(RemoteInfoUtil.getClientIpAddr(request))) {
        request.getSession().invalidate();
        response.sendError(HttpServletResponse.SC_CONFLICT);
      } else {
        ok = false;
        populateSessionLog(request, sessionLog);
      }
    }

    if (ok) {
      if (sessionLog != null
          && isLoginAccess(request)
          && isLoginThresholdEnable(request, sessionLog)) {
        handleTooManyLoginAttempt(request);
      } else {
        filterChain.doFilter(request, response);
      }
      timer = System.currentTimeMillis() - timer;
      if (sessionLog != null) {
        sessionLog.addServerTime(timer);
      }
    }
  }