Intrusion detection and simple implementation in Java Web

Web in Java Web applications, especially web development, we sometimes need to add an intrusion detection program to the application to prevent the malicious refreshing of the function, to prevent illegal users to repeatedly send data to the Web application. Of course, intrusion detection can be implemented in many ways, including software, hardware firewall, intrusion detection strategy is also a lot. Here we mainly introduce the Java Web application in the way of software to achieve simple intrusion detection and defense.

The implementation principle of this method is very simple, that is, when the user accesses the web system, it records each user's information, then controls it, and then determines whether the user is a malicious refresh according to the set strategy (for example, 10 times refresh page 1 seconds).

Our intrusion detection program should be placed before the execution of all Java Web programs, and where that users will not continue to execute other parts of the Java Web without a malicious refresh, otherwise it would be meaningless. This requires a plug-in to the intrusion detection program into the Java Web application, so that every time users visit the Java Web, the first to the intrusion detection program to report to the rules to release.

There are roughly two types of Java Web applications, a pure JSP (+java Bean) approach, one based on frames (such as struts, easyjweb, and so on). The first approach to the Java Web can be implemented through the filter interface in the Java servlet, which implements a filter interface, inserts an intrusion detection program into its Dofilter method, and then web.xml it in a simple configuration. In a framework-based Web application, because all applications have a portal, intrusion detection programs can be inserted directly into the framework entry engine, enabling the framework itself to support intrusion detection capabilities. Of course, it can also be implemented by implementing the filter interface.

In the Easyjweb framework, has been placed into a simple intrusion detection program, so here we take the Easyjweb framework as an example, introduce the specific implementation methods and source code, the complete codes can be found in the Easyjweb source.

In Easyjweb Java Web applications (such as http://www.easyjf.com/bbs/), by default you will be prompted with the following error if you refresh the page too often:

Easyjweb Frame Friendship Tips!:-):
You refresh the page too quickly, please wait 60 seconds before refreshing the page!
Please inquire about http://www.easyjf.com


Second, the user accesses the information record Userconnect.java class

This class is a simple Java Bean that mainly represents the user's information, including user name, IP, first access time, last logon time, logon times, user status, and so on. All

The code is as follows:

Package com.easyjf.web;

Import Java.util.Date;
/**
*
*

Title: User authentication information


*
Description: Log User login information to determine user login status


*
Copyright:copyright (c) 2006


*
Company:www.easyjf.com


* @author Cai Shiyu
* @version 1.0
*/
public class Userconnect {
Private String UserName;
Private String IP;
Private Date Firstfailuretime;
Private Date Lastlogintime;
private int failuretimes;//Number of user logon failures
private int status=0;//user status 0 for normal,-1 for lock
public int getfailuretimes () {
return failuretimes;
}
public void setfailuretimes (int failuretimes) {
This.failuretimes = Failuretimes;
}
Public Date Getfirstfailuretime () {
return firstfailuretime;
}

public void Setfirstfailuretime (Date firstfailuretime) {
This.firstfailuretime = Firstfailuretime;
}

Public String GetIP () {
return IP;
}

public void setIp (String IP) {
This.ip = IP;
}

Public Date Getlastlogintime () {
return lastlogintime;
}

public void Setlastlogintime (Date lastlogintime) {
This.lastlogintime = Lastlogintime;
}

Public String GetUserName () {
return userName;
}

public void Setusername (String userName) {
This.username = UserName;
}

public int GetStatus () {
return status;
}

public void setstatus (int status) {
This.status = status;
}

}
Third, monitor the thread Userconnectmanage.java class

This is the core of intrusion detection, the main implementation of the specific intrusion detection, record, judge the user information, online user refresh and other functions, and provide other applications to use this component of the call interface.

Package com.easyjf.web;

Import Java.util.Date;
Import Java.util.HashMap;
Import Java.util.HashSet;
Import Java.util.Iterator;
Import Java.util.Map;
Import Java.util.Set;

Import Org.apache.log4j.Logger;
/**
*
*

Title: User Intrusion detection information


*
Description: Used to determine user refresh check, the default is 10 seconds continuous connection 10 times timeout


*
Copyright:copyright (c) 2006


*
Company:www.easyjf.com


* @author Cai Shiyu
* @version 1.0
*/
public class Userconnectmanage {
private static final Logger Logger = (Logger) Logger.getlogger (UserConnectManage.class.getName ());
private static int maxfailuretimes=10;//maximum logon failure number
private static long maxfailureinterval=10000;//millisecond, maximum logon times and within this time range
Private static long waitinterval=60000;//wait time to accept connection after failure, default 1 minutes
Maximum number of private static int maxonlineuser=200;//simultaneous online
Private final static Map users=new HashMap ()//Use Ip+username for key to store user login information Userloginauth
private static Thread Checkthread=null;
private static class Checktimeout implements runnable{
Private Thread Parentthread;
Public Checktimeout (Thread parentthread)
{
This.parentthread=parentthread;
Synchronized (this) {
if (checkthread==null) {
checkthread= New Thread (this);
System.out.println ("Create a new thread!") ");
Checkthread.start ();
}
}
}
public void Run () {
while (true)
{
if (parentthread.isalive ()) {
try{
Thread.Sleep (2000);
int i=0;
if (Users.size () >maxonlineuser)//clear when maximum number of users is reached
{
Synchronized (users) {//delete operation
Iterator It=users.keyset (). iterator ();
Set set=new hashset ();
Date Now=new date ();
while (It.hasnext ())
{
Object Key=it.next ();
Userconnect user= (Userconnect) users.get (key);
if (Now.gettime ()-user.getfirstfailuretime (). GetTime () >maxfailureinterval)//delete timeout user
{
Set.add (key);
Logger.info ("Delete a timeout connection" +i);
i++;
}
}
if (i<5)//If delete less than 5, then forcibly delete 1/2 online records, sacrificing performance in case of guaranteed memory
{
int NUM=MAXONLINEUSER/2;
It=users.keyset (). iterator ();
while (It.hasnext () && I {
Set.add (It.next ());
Logger.info ("Removed an unwanted connection" +i);
i++;
}
}
Users.keyset (). RemoveAll (set);
}
}

}
catch (Exception e)
{
E.printstacktrace ();
}

}
Else
{
Break
}
}
Logger.info ("Watchdog run over!") ");
}
}
By checkloginvalidate to determine whether the legitimate login connection, if the legal continue, illegal execution
public static Boolean checkloginvalidate (String ip,string userName)//Check only the number of authentication failures
{
Boolean ret=true;
Date Now=new date ();
String key=ip+ ":" +username;
Userconnect auth= (Userconnect) users.get (key);
if (auth==null)//The user's current access information is added to the Users container
{
Auth=new Userconnect ();
Auth.setip (IP);
Auth.setusername (UserName);
Auth.setfailuretimes (0);
Auth.setfirstfailuretime (now);
Users.put (Key,auth);
if (checkthread==null) New Checktimeout (Thread.CurrentThread ());
}
Else
{
if (Auth.getfailuretimes () >maxfailuretimes)
{
Returns information that denies a user's connection if it is within a limited time interval
if ((Now.gettime ()-auth.getfirstfailuretime (). GetTime ()) {
Ret=false;
Auth.setstatus (-1);
}
else if (Auth.getstatus () ==-1 && (Now.gettime ()-auth.getfirstfailuretime (). GetTime () < ( Maxfailureinterval+waitinterval))//Reset counter
{
Ret=false;
}
Else
{
Auth.setfailuretimes (0);
Auth.setfirstfailuretime (now);
Auth.setstatus (0);
}

}
Number of logins plus 1
Auth.setfailuretimes (Auth.getfailuretimes () +1);
}
System.out.println (key+ ":" +auth.getfailuretimes () + ":" +ret+ ":" + (Now.gettime ()-auth.getfirstfailuretime (). GetTime ()));
return ret;
}

public static void Reset (String ip,string userName)/Reset User Information
{
Date Now=new date ();
String key=ip+ ":" +username;
Userconnect auth= (Userconnect) users.get (key);
if (auth==null)//The user's current access information is added to the Users container
{
Auth=new Userconnect ();
Auth.setip (IP);
Auth.setusername (UserName);
Auth.setfailuretimes (0);
Auth.setfirstfailuretime (now);
Users.put (Key,auth);
}
Else
{
Auth.setfailuretimes (0);
Auth.setfirstfailuretime (now);
}
}
public static void Remove (String ip,string userName)//delete user's record in container
{
String key=ip+ ":" +username;
Users.remove (key);
}
public static void Clear ()/empty container contents
{
if (!users.isempty ()) users.clear ();
}
public static long Getmaxfailureinterval () {
return maxfailureinterval;
}

public static void Setmaxfailureinterval (long maxfailureinterval) {
Userconnectmanage.maxfailureinterval = Maxfailureinterval;
}

public static int Getmaxfailuretimes () {
return maxfailuretimes;
}

public static void Setmaxfailuretimes (int maxfailuretimes) {
Userconnectmanage.maxfailuretimes = Maxfailuretimes;
}

public static int Getmaxonlineuser () {
return maxonlineuser;
}

public static void Setmaxonlineuser (int maxonlineuser) {
Userconnectmanage.maxonlineuser = Maxonlineuser;
}

public static long Getwaitinterval () {
return waitinterval;
}

public static void Setwaitinterval (long waitinterval) {
Userconnectmanage.waitinterval = Waitinterval;
}
Four, call the interface

Where intrusion detection is required, the Checkloginvalidate method in the Userconnectmanage class can be used directly. such as Easyjweb's core servlet

Code to invoke Userconnectmanage in Com.easyjf.web.ActionServlet:
if (! Userconnectmanage.checkloginvalidate (Request.getremoteaddr (), "Guest")
{
Info request,response,new Exception ("You are refreshing the page too quickly, please wait for" +userconnectmanage.getwaitinterval ()/1000+ seconds

And then refresh the page! "));
Return
}
　　
　　　　
V. Summary
Of course, the method provided here is just a simple implementation of the example, because the above user information is directly stored in memory, if the concurrent user is very large code occupancy, you can consider introducing a database to record the user's access information, of course, the corresponding implementation efficiency must be reduced. In the implementation described above, intrusion detection strategy is only the number of user visits and time interval of two elements, you can also according to your implementation of additional detection elements.