Add Intrusion Detection for Java Web Applications

I. Introduction

In Java Web applications, especially website development, we sometimes need to add an intrusion detection program for applications to prevent malicious refreshing, prevent Unauthorized users from repeatedly sending data to Web applications. Of course, intrusion detection can be implemented in many ways, including software, hardware firewalls, and many intrusion detection policies. Here we mainly introduce Java Web applications to implement simple intrusion detection and defense through software.

The implementation principle of this method is very simple, that is, the user records the information of each user when accessing the Web system, then compares it, and refreshes the page 10 times in one second according to the set policy, for example) determines whether a user is maliciously refreshed.

Our intrusion detection program should be placed before the execution of all Java Web programs, that is, if you find that the user is maliciously refreshed, it will not continue to execute other content in Java Web, otherwise it will lose its meaning. This requires the intrusion detection program to be put into a Java Web application in the form of a plug-in, so that every time a user accesses the Java Web, the intrusion detection program must report it once, you can only pass the rules.

Java Web applications are roughly divided into two types: one is pure JSP (+ Java Bean), and the other is based on frameworks such as Struts and EasyJWeb. The first method of Java Web can be implemented through the Filter interface in Java Servlet, that is, to implement a Filter interface, insert the intrusion detection program in its doFilter method, and then web. simple configuration in xml. In Framework-based Web applications, because all applications have an entry point, you can directly Insert the intrusion detection program into the framework entry engine so that the framework itself supports the intrusion detection function. Of course, you can also implement the Filter interface.

Simple intrusion detection programs have been installed in the EasyJWeb framework. Therefore, here we take the EasyJWeb framework as an example to introduce the specific implementation methods and source code, complete code can be found in EasyJWeb source code.

In EasyJWeb-based Java Web applications, by default, you only need to refresh the page too many times consecutively, the following error will pop up:

EasyJWeb framework friendly reminder! :-):

You have refreshed the page too quickly. Please wait 60 seconds before refreshing the page!

Ii. UserConnect. java

This class is a simple Java Bean that mainly represents user information, including the user name, IP address, first access time, Last Logon Time, number of logins, and user status. All

The Code is as follows:

Package com. easyjf. web;

Import java. util. Date;
/**
*
*

Title: user authentication information

*

Description: records user logon information and determines User Logon conditions.

*

Copyright: Copyright (c) 2006

*

Company: www.easyjf.com

* @ Author Cai shiyou
* @ Version 1.0
*/
Public class UserConnect {
Private String userName;
Private String ip;
Private Date firstFailureTime;
Private Date lastLoginTime;
Private int failureTimes; // number of user logon failures
Private int status = 0; // user status 0 indicates normal,-1 indicates locked
Public int getFailureTimes (){
Return failureTimes;
}
Public void setFailureTimes (int failureTimes ){
This. failureTimes = failureTimes;
}
Public Date getFirstFailureTime (){
Return firstFailureTime;
}

Public void setFirstFailureTime (Date firstFailureTime ){
This. firstFailureTime = firstFailureTime;
}

Public String getIp (){
Return ip;
}

Public void setIp (String ip ){
This. ip = ip;
}

Public Date getLastLoginTime (){
Return lastLoginTime;
}

Public void setLastLoginTime (Date lastLoginTime ){
This. lastLoginTime = lastLoginTime;
}

Public String getUserName (){
Return userName;
}

Public void setUserName (String userName ){
This. userName = userName;
}

Public int getStatus (){
Return status;
}

Public void setStatus (int status ){
This. status = status;
}

}

Iii. Monitoring thread UserConnectManage. java class

This is the core part of intrusion detection. It mainly implements features such as intrusion detection, recording, determining user information, and refreshing online users, and provides call interfaces for other applications to use this component.

Package com. easyjf. web;

Import java. util. Date;
Import java. util. HashMap;
Import java. util. HashSet;
Import java. util. Iterator;
Import java. util. Map;
Import java. util. Set;

Import org. apache. log4j. Logger;
/**
*
*

Title: User Intrusion Detection Information

*

Description: used to determine the user's refresh check. The default value is 10 consecutive connections within 10 seconds.

*

Copyright: Copyright (c) 2006

*

Company: www.easyjf.com

* @ Author Cai shiyou
* @ Version 1.0
*/
Public class UserConnectManage {
Private static final Logger logger = (Logger) Logger. getLogger (UserConnectManage. class. getName ());
Private static int maxFailureTimes = 10; // maximum number of Logon failures
Private static long maxFailureInterval = 10000; // in milliseconds, the maximum number of logins is reached and within this time range
Private static long waitInterval = 60000; // wait time for accepting connections after failure. The default value is 1 minute.
Private static int maxOnlineUser = 200; // maximum number of simultaneous online users
Private final static Map users = new HashMap (); // use ip + userName as the key to store user login information UserLoginAuth
Private static Thread checkThread = null;
Private static class CheckTimeOut implements Runnable {
Private Thread parentThread;
Public CheckTimeOut (Thread parentThread)
{
This. parentThread = parentThread;
Synchronized (this ){
If (checkThread = null ){
CheckThread = new Thread (this );
// System. out. println ("Create a New thread! ");
CheckThread. start ();
}
}
}
Public void run (){
While (true)
{
If (parentThread. isAlive ()){
Try {
Thread. sleep (2000 );
Int I = 0;
If (users. size ()> maxOnlineUser) // clear when the maximum number of users reaches
{
Synchronized (users) {// perform the delete operation
Iterator it = users. keySet (). iterator ();
Set set = new HashSet ();
Date now = new Date ();
While (it. hasNext ())
{
Object key = it. next ();
UserConnect user = (UserConnect) users. get (key );
If (now. getTime ()-user. getFirstFailureTime (). getTime ()> maxFailureInterval) // delete a user with a deletion timeout
{
Set. add (key );
Logger.info ("deleting a timeout connection" + I );
I ++;
}
}
If (I <5) // if less than five records are deleted, the 1/2 online records are forcibly deleted to ensure memory performance at the cost of performance.
{
Int num = maxOnlineUser/2;
It = users. keySet (). iterator ();
While (it. hasNext () & I {
Set. add (it. next ());
Logger.info ("deleting a redundant connection" + I );
I ++;
}
}
Users. keySet (). removeAll (set );
}
}
}
Catch (Exception e)
{
E. printStackTrace ();
}
}
Else
{
Break;
}
}
Logger.info ("the monitoring program is running! ");
}
}
// Use checkLoginValidate to determine whether a logon connection is valid. If the connection is valid, the connection is resumed. If the connection is invalid, the connection is executed.
Public static boolean checkLoginValidate (String ip, String userName) // only check the number of authentication failures
{
Boolean ret = true;
Date now = new Date ();
String key = ip + ":" + userName;
UserConnect auth = (UserConnect) users. get (key );
If (auth = null) // Add the user's current access information to the users container
{
Auth = new UserConnect ();
Auth. setIp (ip );
Auth. setUserName (userName );
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Users. put (key, auth );
If (checkThread = null) new CheckTimeOut (Thread. currentThread ());
}
Else
{
If (auth. getFailureTimes ()> maxFailureTimes)
{
// If the time interval is specified, information about user connection rejection is returned.
If (now. getTime ()-auth. getFirstFailureTime (). getTime ()) {
Ret = false;
Auth. setStatus (-1 );
}
Else if (auth. getStatus () =-1 & (now. getTime ()-auth. getFirstFailureTime (). getTime () <(maxFailureInterval + waitInterval) // reset the counter
{
Ret = false;
}
Else
{
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Auth. setStatus (0 );
}
}
// The number of logins increases by 1
Auth. setFailureTimes (auth. getFailureTimes () + 1 );
}
// System. out. println (key + ":" + auth. getFailureTimes () + ":" + ret + ":" + (now. getTime ()-auth. getFirstFailureTime (). getTime ()));
Return ret;
}

Public static void reset (String ip, String userName) // reset user information
{
Date now = new Date ();
String key = ip + ":" + userName;
UserConnect auth = (UserConnect) users. get (key );
If (auth = null) // Add the user's current access information to the users container
{
Auth = new UserConnect ();
Auth. setIp (ip );
Auth. setUserName (userName );
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Users. put (key, auth );
}
Else
{
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
}
}
Public static void remove (String ip, String userName) // delete a user's record in the container
{
String key = ip + ":" + userName;
Users. remove (key );
}
Public static void clear () // clear the content in the container
{
If (! Users. isEmpty () users. clear ();
}
Public static long getMaxFailureInterval (){
Return maxFailureInterval;
}

Public static void setMaxFailureInterval (long maxFailureInterval ){
UserConnectManage. maxFailureInterval = maxFailureInterval;
}

Public static int getMaxFailureTimes (){
Return maxFailureTimes;
}

Public static void setMaxFailureTimes (int maxFailureTimes ){
UserConnectManage. maxFailureTimes = maxFailureTimes;
}

Public static int getMaxOnlineUser (){
Return maxOnlineUser;
}

Public static void setMaxOnlineUser (int maxOnlineUser ){
UserConnectManage. maxOnlineUser = maxOnlineUser;
}

Public static long getWaitInterval (){
Return waitInterval;
}

Public static void setWaitInterval (long waitInterval ){
UserConnectManage. waitInterval = waitInterval;
}

Iv. Call Interfaces

You can directly use the checkLoginValidate method in the UserConnectManage class where you need to perform intrusion detection and judgment. For example, the Code for calling UserConnectManage in the core Servletcom. easyjf. web. ActionServlet of EasyJWeb:

If (! UserConnectManage. checkLoginValidate (request. getRemoteAddr (), "guest "))
{
Info (request, response, new Exception ("You have refreshed the page too fast. Please wait" + UserConnectManage. getWaitInterval ()/1000 + "seconds before refreshing the page! "));
Return;
}

V. Summary

Of course, the method provided here is just a simple implementation example. Because the above user information is directly stored in the memory, if the code is occupied when the number of concurrent users is large, you can consider introducing a database to record user access information. Of course, the execution efficiency must be reduced. In the above implementation, the intrusion detection and judgment policy only includes two elements: user access times and time interval. You can also add other detection elements based on your implementation.

1. New-generation Java Web development framework JSF interview recording
2. Who is the next king of the Java Web layer?
3. Java Web layer-3 architecture configuration