登录接口防攻击 03

最新推荐文章于 2022-08-07 16:20:52 发布

调皮的芋头

最新推荐文章于 2022-08-07 16:20:52 发布

阅读量174

点赞数

分类专栏： java 文章标签：防攻击攻防登录攻击频繁登录

java 专栏收录该内容

314 篇文章 0 订阅

订阅专栏

接着前两篇日志

http://hw1287789687.iteye.com/blog/2215776

http://hw1287789687.iteye.com/blog/2216493

我之前遇到过忘记路由器密码的情况,我在192.168.1.1的登录界面尝试可能的密码,希望能够猜中,但是输错3次之后,就必须等待5分钟,我们可以借鉴这种策略.

连续3次登录失败,就锁定5分钟(5分钟之内无视登录请求)

解释:

连续登录失败3次,就设置isLocked为true,表示锁定,并设置定时器,任务是5分钟之后设置isLocked为false.

服务器接受到登录请求时,在查询数据库之前先判断是否锁定,若isLocked为true,则不用查询数据库,直接返回登录失败.若isLocked为false,则正常查询数据库.

被锁定之后,必须等待5分钟,若锁定之后登录,则定时器重新计时.

比如我等待了2分钟,还要等3分钟,我就又可以登录了.但是还需要等3分钟的时候我还去登录,那么定时器从此刻开始计时,即我又要等待5分钟.

在锁定期间,接收登录请求不会访问数据库.

具体实现:

(a)spring 的aop

在登录校验方法处添加aop切面,类型是around

上代码:

package com.shop.jn.aop;

import java.util.Timer;

import org.apache.log4j.Logger;
import org.aspectj.lang.ProceedingJoinPoint;

import com.common.entity.user.interf.GenericUser;
import com.common.util.LoginUtil;
import com.common.util.SystemHWUtil;
import com.opensymphony.xwork2.Action;
import com.shop.jn.common.MyTask;
import com.shop.jn.listener.UploadedFilesServletContextListener;

public class LoginTimesAop {
	private Logger logger = Logger.getLogger(this.getClass());
	private int timesFail = 0;
	private Timer timer = new Timer();
	private MyTask task = null;
	/***
	 * 因连续登录失败的次数达到上限，而锁定：规定时间内无法登录
	 */
	private boolean isLocked = false;
	private String classSimpleName = this.getClass().getSimpleName();

	public LoginTimesAop() {
		super();
		logger.info("aop:constructor.");
	}

	public void before3(GenericUser user) {
		System.out.println("user:" + user.getUsername());
		logger.info("aop:before3");
	}

	// public void monitor(String username, String passwd) {
	// timesFail++;
	// logger.info("aop:-------------------------------------");
	// logger.info("username:" + username + " , password:" + passwd);
	// System.out.println("username:" + username + " , password:" + passwd);
	// System.out.println("times of fail:" + timesFail+" times.");
	// }

	// ,ProceedingJoinPoint call
	public Object around(ProceedingJoinPoint call, GenericUser user)
			throws Throwable {
		if(!UploadedFilesServletContextListener.isLimitLoginFailedThreeTimes){
			return call.proceed();
		}
		String aop_info = "aop[" + classSimpleName + "]:";
		// logger.info(aop_info + "This is around method.");
		// logger.info("username:" + user.getUsername() + " ,password:"
		// + user.getPassword());

		Object[] obj;
		if (!isLocked()) {// 没有锁定
			//com.common.service.impl.SUserService  Object[] login(String username,String passwd)
			obj = (Object[]) call.proceed();//负责登录校验的,真正干活的.
			int resultCode = (Integer) obj[0];
			if (resultCode == LoginUtil.LOGIN_RESULT_SUCCESS) {
				timesFail = 0;
			} else {// 登录失败
				timesFail++;
				logger.info(aop_info + "times of fail:" + timesFail + " times.");
			}
		} else {
			logger.info("账号已被锁定");
			obj = new Object[2];
		}
		// 连续登录失败超过3次
		if (UploadedFilesServletContextListener.isLimitLoginFailedThreeTimes/*
																			 * 是否限定连续登录失败三次就锁定
																			 */
				&& timesFail >= LoginUtil.MAX_LOGIN_FAIL_TIMES) {
			// ValueStack stack = actionContext.getValueStack();
			// stack.set("MESSAGE_IS_LOGIN", "You have failed " + timesFail
			// + " times.");

			if (isLocked()) {// over three times and is still locked,meanwhile use
							// try to log in
				if (task != null) {
					logger.info(aop_info + " cancel task.");
					task.cancel();
					task = null;
				}
			} else {// first into this if clause(if (timesFail >=
					// LoginUtil.MAX_LOGIN_FAIL_TIMES ))
				task = null;
			}
			if (timer == null) {
				timer = new Timer();
			}

			if (task == null) {
				task = new MyTask(this);
			}
			logger.info(aop_info + "start task....");
			timer.schedule(task, LoginUtil.MILLISECONDS_WAIT_WHEN_FAIL);
			setLocked(true);
			// Object[] results = new Object[2];
			obj[0] = LoginUtil.LOGIN_RESULT_OVER_TIMES;/*
														 * You have failed three
														 * times.
														 */
			// return results;// not success
			logger.info(SystemHWUtil.DIVIDING_LINE);
		}
		return obj;
	}

	// public void before() {
	// logger.info("aop:This is before method:user try to log in......");
	// System.out.println("aop:before");
	// }

	public void afterReturning(Object retVal) {
		logger.info("aop:return code:" + (String) retVal);
		if (retVal == null || !retVal.equals(Action.SUCCESS)) {
			logger.warn("aop:login failed!");
		}
	}

	// public void before2(User user){
	// logger.info("aop:This is before2 method:user try to log in......");
	// logger.info("username:" + user.getUsername() + " , password:" +
	// user.getPassword());
	// }

	public int getTimesFail() {
		return timesFail;
	}

	public void setTimesFail(int timesFail) {
		this.timesFail = timesFail;
	}

	public synchronized boolean isLocked() {
		return isLocked;
	}

	public synchronized void  setLocked(boolean isLocked) {
		this.isLocked = isLocked;
	}

}

定时器执行的任务

public class MyTask extends java.util.TimerTask{
	private LoginTimesAop loginTime;
	
	public MyTask(LoginTimesAop loginTime) {
		super();
		this.loginTime=loginTime;
	}

	@Override
	public void run() {
		loginTime.setTimesFail(0);
		loginTime.setLocked(false);
	}
}

aop配置:

<aop:pointcut id="userServicePointcut"
			expression="execution(* com.common.service.impl.SUserService.login(..)) and args(..,user2)" />
		<aop:aspect id="myAspect" ref="loginTimesAop">
			<aop:before method="before3" arg-names="user2" pointcut-ref="userServicePointcut" 
				/>
			<aop:around pointcut-ref="userServicePointcut" method="around"
				arg-names="user2" />
		</aop:aspect>

(b)spring MVC中的拦截器,需继承org.springframework.web.servlet.HandlerInterceptor

关于拦截器参考:spring mvc xml配置拦截器

拦截器的demo

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class HandlerInterceptor1 extends HandlerInterceptorAdapter {
	@Override  
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {  
        System.out.println("===========HandlerInterceptor1 preHandle");  
        return true;  
    }  
    @Override  
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {  
        System.out.println("===========HandlerInterceptor1 postHandle");  
    }  
    @Override  
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {  
        System.out.println("===========HandlerInterceptor1 afterCompletion");  
    }  
}

参考:http://hw1287789687.iteye.com/blog/2215776

http://hw1287789687.iteye.com/blog/2216493