org.eclipse.jetty.servlets
Class DoSFilter

java.lang.Object
  extended by org.eclipse.jetty.servlets.DoSFilter
All Implemented Interfaces:
Filter
Direct Known Subclasses:
CloseableDoSFilter

public class DoSFilter
extends Object
implements Filter

Denial of Service filter

This filter is useful for limiting exposure to abuse from request flooding, whether malicious, or as a result of a misconfigured client.

The filter keeps track of the number of requests from a connection per second. If a limit is exceeded, the request is either rejected, delayed, or throttled.

When a request is throttled, it is placed in a priority queue. Priority is given first to authenticated users and users with an HttpSession, then connections which can be identified by their IP addresses. Connections with no way to identify them are given lowest priority.

The extractUserId(ServletRequest request) method should be overridden in order to uniquely identify authenticated users.

The following init parameters control the behavior of the filter:

maxRequestsPerSec
the maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled.

delayMs
the delay applied to all requests over the rate limit before they are considered at all. -1 means the request is rejected outright, 0 means no delay; any other value is the delay in milliseconds.

maxWaitMs
how long to block waiting for the throttle semaphore.

throttledRequests
is the number of requests over the rate limit able to be considered at once.

throttleMs
how long to wait asynchronously for the throttle semaphore.

maxRequestMs
how long to allow this request to run.

maxIdleTrackerMs
how long to keep track of request rates for a connection before deciding that the user has gone away and discarding the tracker.

insertHeaders
if true, insert the DoSFilter headers into the response. Defaults to true.

trackSessions
if true, usage rate is tracked by session if a session exists. Defaults to true.

remotePort
if true and session tracking is not used, then rate is tracked by IP+port (effectively connection). Defaults to false.

ipWhitelist
a comma-separated list of IP addresses that will not be rate limited

managedAttr
if set to true, then this filter is set as a ServletContext attribute with the filter name as the attribute name. This allows a mechanism external to the context (e.g. JMX via ContextHandler.MANAGED_ATTRIBUTES) to manage the configuration of the filter.


Constructor Summary
DoSFilter()

Method Summary
 boolean addWhitelistAddress(String address)
protected  boolean checkWhitelist(List<String> whitelist, String candidate)
 void clearWhitelist()
protected  void closeConnection(HttpServletRequest request, HttpServletResponse response, Thread thread)
          Takes drastic measures to return this response and stop this thread.
 void destroy()
          Called by the web container to indicate to a filter that it is being taken out of service.
protected  void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
          The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
protected  void doFilterChain(FilterChain chain, HttpServletRequest request, HttpServletResponse response)
protected  String extractUserId(ServletRequest request)
          Returns the user id, used to track this connection.
 long getDelayMs()
          Get delay (in milliseconds) that is applied to all requests over the rate limit, before they are considered at all.
 long getMaxIdleTrackerMs()
          Get maximum amount of time (in milliseconds) to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it.
protected  int getMaxPriority()
 long getMaxRequestMs()
          Get maximum amount of time (in milliseconds) to allow the request to process.
 int getMaxRequestsPerSec()
          Get maximum number of requests from a connection per second.
 long getMaxWaitMs()
          Get maximum amount of time (in milliseconds) the filter will block waiting for the throttle semaphore.
protected  int getPriority(HttpServletRequest request, org.eclipse.jetty.servlets.DoSFilter.RateTracker tracker)
          Get priority for this request, based on user type.
 org.eclipse.jetty.servlets.DoSFilter.RateTracker getRateTracker(ServletRequest request)
          Return a request rate tracker associated with this connection; keeps track of this connection's request rate.
 int getThrottledRequests()
          Get number of requests over the rate limit able to be considered at once.
 long getThrottleMs()
          Get amount of time (in milliseconds) to wait asynchronously for the throttle semaphore.
 String getWhitelist()
          Get a list of IP addresses that will not be rate limited.
 void init(FilterConfig filterConfig)
          Called by the web container to indicate to a filter that it is being placed into service.
 boolean isEnabled()
 boolean isInsertHeaders()
          Check flag to insert the DoSFilter headers into the response.
 boolean isRemotePort()
          Get flag to have usage rate tracked by IP+port (effectively connection) if session tracking is not used.
 boolean isTrackSessions()
          Get flag to have usage rate tracked by session if a session exists.
 boolean removeWhitelistAddress(String address)
 void setDelayMs(long value)
          Set delay (in milliseconds) that is applied to all requests over the rate limit, before they are considered at all.
 void setEnabled(boolean enabled)
 void setInsertHeaders(boolean value)
          Set flag to insert the DoSFilter headers into the response.
 void setMaxIdleTrackerMs(long value)
          Set maximum amount of time (in milliseconds) to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it.
 void setMaxRequestMs(long value)
          Set maximum amount of time (in milliseconds) to allow the request to process.
 void setMaxRequestsPerSec(int value)
          Set maximum number of requests from a connection per second.
 void setMaxWaitMs(long value)
          Set maximum amount of time (in milliseconds) the filter will block waiting for the throttle semaphore.
 void setRemotePort(boolean value)
          Set flag to have usage rate tracked by IP+port (effectively connection) if session tracking is not used.
 void setThrottledRequests(int value)
          Set number of requests over the rate limit able to be considered at once.
 void setThrottleMs(long value)
          Set amount of time (in milliseconds) to wait asynchronously for the throttle semaphore.
 void setTrackSessions(boolean value)
          Set flag to have usage rate tracked by session if a session exists.
 void setWhitelist(String value)
          Set a list of IP addresses that will not be rate limited.
protected  boolean subnetMatch(String subnetAddress, String address)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait


Constructor Detail

DoSFilter

public DoSFilter()
Method Detail

init

public void init(FilterConfig filterConfig)
Description copied from interface: Filter
Called by the web container to indicate to a filter that it is being placed into service.

The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.

The web container cannot place the filter into service if the init method either

  1. Throws a ServletException
  2. Does not return within a time period defined by the web container

Specified by:
init in interface Filter

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain filterChain)
              throws IOException,
                     ServletException
Description copied from interface: Filter
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:

  1. Examine the request
  2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
  3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
    • Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
    • or not pass on the request/response pair to the next entity in the filter chain to block the request processing
  4. Directly set headers on the response after invocation of the next entity in the filter chain.

Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

doFilter

protected void doFilter(HttpServletRequest request,
                        HttpServletResponse response,
                        FilterChain filterChain)
                 throws IOException,
                        ServletException
Throws:
IOException
ServletException

doFilterChain

protected void doFilterChain(FilterChain chain,
                             HttpServletRequest request,
                             HttpServletResponse response)
                      throws IOException,
                             ServletException
Throws:
IOException
ServletException

closeConnection

protected void closeConnection(HttpServletRequest request,
                               HttpServletResponse response,
                               Thread thread)
Takes drastic measures to return this response and stop this thread. Due to the way the connection is interrupted, may return mixed up headers.

Parameters:
request - current request
response - current response, which must be stopped
thread - the handling thread

getPriority

protected int getPriority(HttpServletRequest request,
                          org.eclipse.jetty.servlets.DoSFilter.RateTracker tracker)
Get priority for this request, based on user type.

Parameters:
request - the current request
tracker - the rate tracker for this request
Returns:
the priority for this request

getMaxPriority

protected int getMaxPriority()
Returns:
the maximum priority that we can assign to a request

getRateTracker

public org.eclipse.jetty.servlets.DoSFilter.RateTracker getRateTracker(ServletRequest request)
Return a request rate tracker associated with this connection; keeps track of this connection's request rate. If this is not the first request from this connection, return the existing object with the stored stats. If it is the first request, then create a new request tracker.

Assumes that each connection has an identifying characteristic, and goes through them in order, taking the first that matches: user id (logged in), session id, client IP address. Unidentifiable connections are lumped into one.

When a session expires, its rate tracker is automatically deleted.

Parameters:
request - the current request
Returns:
the request rate tracker for the current connection

checkWhitelist

protected boolean checkWhitelist(List<String> whitelist,
                                 String candidate)

subnetMatch

protected boolean subnetMatch(String subnetAddress,
                              String address)

destroy

public void destroy()
Description copied from interface: Filter
Called by the web container to indicate to a filter that it is being taken out of service.

This method is only called once all threads within the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the doFilter method again on this instance of the filter.

This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make sure that any persistent state is synchronized with the filter's current state in memory.

Specified by:
destroy in interface Filter

extractUserId

protected String extractUserId(ServletRequest request)
Returns the user id, used to track this connection. This SHOULD be overridden by subclasses.

Parameters:
request - the current request
Returns:
a unique user id, if logged in; otherwise null.

getMaxRequestsPerSec

public int getMaxRequestsPerSec()
Get maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled.

Returns:
maximum number of requests

setMaxRequestsPerSec

public void setMaxRequestsPerSec(int value)
Set maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled.

Parameters:
value - maximum number of requests

getDelayMs

public long getDelayMs()
Get delay (in milliseconds) that is applied to all requests over the rate limit, before they are considered at all.


setDelayMs

public void setDelayMs(long value)
Set delay (in milliseconds) that is applied to all requests over the rate limit, before they are considered at all.

Parameters:
value - delay (in milliseconds), 0 - no delay, -1 - reject request

getMaxWaitMs

public long getMaxWaitMs()
Get maximum amount of time (in milliseconds) the filter will block waiting for the throttle semaphore.

Returns:
maximum wait time

setMaxWaitMs

public void setMaxWaitMs(long value)
Set maximum amount of time (in milliseconds) the filter will block waiting for the throttle semaphore.

Parameters:
value - maximum wait time

getThrottledRequests

public int getThrottledRequests()
Get number of requests over the rate limit able to be considered at once.

Returns:
number of requests

setThrottledRequests

public void setThrottledRequests(int value)
Set number of requests over the rate limit able to be considered at once.

Parameters:
value - number of requests

getThrottleMs

public long getThrottleMs()
Get amount of time (in milliseconds) to wait asynchronously for the throttle semaphore.

Returns:
wait time

setThrottleMs

public void setThrottleMs(long value)
Set amount of time (in milliseconds) to wait asynchronously for the throttle semaphore.

Parameters:
value - wait time

getMaxRequestMs

public long getMaxRequestMs()
Get maximum amount of time (in milliseconds) to allow the request to process.

Returns:
maximum processing time

setMaxRequestMs

public void setMaxRequestMs(long value)
Set maximum amount of time (in milliseconds) to allow the request to process.

Parameters:
value - maximum processing time

getMaxIdleTrackerMs

public long getMaxIdleTrackerMs()
Get maximum amount of time (in milliseconds) to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it.

Returns:
maximum tracking time

setMaxIdleTrackerMs

public void setMaxIdleTrackerMs(long value)
Set maximum amount of time (in milliseconds) to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it.

Parameters:
value - maximum tracking time

isInsertHeaders

public boolean isInsertHeaders()
Check flag to insert the DoSFilter headers into the response.

Returns:
value of the flag

setInsertHeaders

public void setInsertHeaders(boolean value)
Set flag to insert the DoSFilter headers into the response.

Parameters:
value - value of the flag

isTrackSessions

public boolean isTrackSessions()
Get flag to have usage rate tracked by session if a session exists.

Returns:
value of the flag

setTrackSessions

public void setTrackSessions(boolean value)
Set flag to have usage rate tracked by session if a session exists.

Parameters:
value - value of the flag

isRemotePort

public boolean isRemotePort()
Get flag to have usage rate tracked by IP+port (effectively connection) if session tracking is not used.

Returns:
value of the flag

setRemotePort

public void setRemotePort(boolean value)
Set flag to have usage rate tracked by IP+port (effectively connection) if session tracking is not used.

Parameters:
value - value of the flag

isEnabled

public boolean isEnabled()
Returns:
whether this filter is enabled

setEnabled

public void setEnabled(boolean enabled)
Parameters:
enabled - whether this filter is enabled

getWhitelist

public String getWhitelist()
Get a list of IP addresses that will not be rate limited.

Returns:
comma-separated whitelist

setWhitelist

public void setWhitelist(String value)
Set a list of IP addresses that will not be rate limited.

Parameters:
value - comma-separated whitelist

clearWhitelist

public void clearWhitelist()

addWhitelistAddress

public boolean addWhitelistAddress(String address)

removeWhitelistAddress

public boolean removeWhitelistAddress(String address)


Copyright © 2013. All Rights Reserved.