/*******************************************************************************
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*******************************************************************************/
package org.apache.ofbiz.webapp.control;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.UtilHttp;
import org.apache.ofbiz.base.util.UtilMisc;
import org.apache.ofbiz.base.util.UtilProperties;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.entity.Delegator;
import org.apache.ofbiz.entity.GenericEntityException;
import org.apache.ofbiz.entity.GenericValue;
import org.apache.ofbiz.entity.util.EntityQuery;
/**
* Common Workers
*/
public final class ProtectViewWorker {
private final static String module = ProtectViewWorker.class.getName();
private static final String resourceWebapp = "WebappUiLabels";
private static final Map<String, Long> hitsByViewAccessed = new ConcurrentHashMap<String, Long>();
private static final Map<String, Long> durationByViewAccessed = new ConcurrentHashMap<String, Long>();
private static final Long one = new Long(1);
private ProtectViewWorker () {}
/**
* An HTTP WebEvent handler that checks to see if an userLogin should be tarpitted
* The decision is made in regard of number of hits in last period of time
*
* @param request The HTTP request object for the current JSP or Servlet request.
* @param response The HTTP response object for the current JSP or Servlet request.
* @return String
*/
public static String checkProtectedView(HttpServletRequest request, HttpServletResponse response) {
HttpSession session = request.getSession();
String viewNameId = RequestHandler.getRequestUri(request.getPathInfo());
GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
Delegator delegator = (Delegator) request.getAttribute("delegator");
String returnValue = "success";
if (userLogin != null) {
String userLoginId = userLogin.getString("userLoginId");
try {
List<GenericValue> protectedViews = EntityQuery.use(delegator)
.from("UserLoginAndProtectedView")
.where("userLoginId", userLoginId, "viewNameId", viewNameId)
.cache(true)
.queryList();
// Any views to deal with ?
if (UtilValidate.isNotEmpty(protectedViews)) {
Long now = System.currentTimeMillis(); // we are not in a margin of some milliseconds
// Is this login/view couple already tarpitted ? (ie denied access to view for login for a period of time)
List<GenericValue> tarpittedLoginViews = EntityQuery.use(delegator)
.from("TarpittedLoginView")
.where("userLoginId", userLoginId, "viewNameId", viewNameId)
.cache(true)
.queryList();
String viewNameUserLoginId = viewNameId + userLoginId;
if (UtilValidate.isNotEmpty(tarpittedLoginViews)) {
GenericValue tarpittedLoginView = tarpittedLoginViews.get(0);
Long tarpitReleaseDateTime = (Long) tarpittedLoginView.get("tarpitReleaseDateTime");
if (now < tarpitReleaseDateTime) {
String tarpittedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.tarpitted_message", UtilHttp.getLocale(request));
// reset since now protected by the tarpit duration
hitsByViewAccessed.put(viewNameUserLoginId, new Long(0));
return ":_protect_:" + tarpittedMessage;
}
}
GenericValue protectedView = protectedViews.get(0);
// 1st hit ?
Long curMaxHits = hitsByViewAccessed.get(viewNameUserLoginId);
if (UtilValidate.isEmpty(curMaxHits)) {
hitsByViewAccessed.put(viewNameUserLoginId, one);
Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
durationByViewAccessed.put(viewNameUserLoginId, now + maxHitsDuration);
} else {
Long maxDuration = durationByViewAccessed.get(viewNameUserLoginId);
Long newMaxHits = curMaxHits + one;
hitsByViewAccessed.put(viewNameUserLoginId, newMaxHits);
// Are we in a period of time where we need to check if there was too much hits ?
if (now < maxDuration) {
// Check if over the max hit count...
if (newMaxHits > protectedView.getLong("maxHits")) { // yes : block and set tarpitReleaseDateTime
String blockedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.blocked_message", UtilHttp.getLocale(request));
returnValue = ":_protect_:" + blockedMessage;
Long tarpitDuration = (Long) protectedView.get("tarpitDuration") * 1000;
GenericValue tarpittedLoginView = delegator.makeValue("TarpittedLoginView");
tarpittedLoginView.set("userLoginId", userLoginId);
tarpittedLoginView.set("viewNameId", viewNameId);
tarpittedLoginView.set("tarpitReleaseDateTime", now + tarpitDuration);
try {
delegator.createOrStore(tarpittedLoginView);
} catch (GenericEntityException e) {
Debug.logError(e, "Could not save TarpittedLoginView:", module);
}
}
} else {
// The tarpit period is over, begin a new one.
// Actually it's not a discrete process but we do as it was...
// We don't need precision here, a theft will be caught anyway !
// We could also take an average of hits in the last x periods of time as initial value,
// but it does not make any more sense.
// Of course for this to work well the tarpitting period must be long enough...
hitsByViewAccessed.put(viewNameUserLoginId, one);
Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
durationByViewAccessed.put(viewNameUserLoginId, now + maxHitsDuration);
}
}
}
} catch (GenericEntityException e) {
Map<String, String> messageMap = UtilMisc.toMap("errMessage", e.getMessage());
String errMsg = UtilProperties.getMessage("CommonUiLabels", "CommonDatabaseProblem", messageMap, UtilHttp.getLocale(request));
Debug.logError(e, errMsg, module);
}
}
return returnValue;
}
}