Handling duplicate GET requests (caused by Trendmicro) in a Tomcat servlet

Question

What is the best strategy to deal with duplicate GET requests coming from the same client in an Apache Tomcat servlet?

Basically, what I'm getting are 2 requests a couple of seconds apart, the first from the client's real IP, the 2nd from a TrendMicro server (this appears to be the same effect as described here).


Now my servlet faithfully serves both requests but produces problems later on (because it calls another remote service which most likely cannot deal with this situation either).


So the question is, how can I block the 2nd request? Or is there any other strategy to address this issue?

Thanks!

Answer

So I've just found that this is causing problems on my website as well. I store the current information that a client has requested in the session, but I was getting reports of seemingly random situations where a user would be looking at one customer's information, go to view another customer's information, add a comment, but the comment ends up on the 1st customer's record.

I found the culprit today. It is TrendMicro, mirroring the call to the first customer's record in between the real user viewing the second customer's information and adding the comment. They also spoof the cookie, which is the main issue.

I.e.

1) Real IP calls Customer 1 info (info gets stored in session)

2) Real IP calls Customer 2 info (info gets stored in session, replacing Customer 1 info)

3) TrendMicro IP calls Customer 1 info (info gets stored in session, replacing Customer 2 info)

4) Real IP adds comment, which gets added to the customer stored in session, which now, thanks to TrendMicro, is Customer 1.


The Solution? - I added a check to ensure that we only service calls originating from the IP address that logged in.

To do this, you need to do 2 things.

1) On your login code, after you have validated the login credentials, store the user's IP address in the session using this code:

session.setAttribute("LoginIPAddress", request.getRemoteAddr());


Next, write a class that implements the javax.servlet.Filter interface.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ServletUserAuthenticationFilter implements Filter {

    /**
     * Context-relative path (taken from the forwardTo init-param) that
     * requests without a valid session are redirected to.
     */
    protected String forwardTo = null;

    /**
     * Place this filter into service.
     *
     * @param filterConfig The filter configuration object
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.forwardTo = filterConfig.getInitParameter("forwardTo");
    }

    /**
     * Take this filter out of service.
     */
    public void destroy() {
        this.forwardTo = null;
    }

    /**
     * Redirect to the login page unless the request is for login/logout,
     * the session holds a logged-in user, and the request comes from the
     * same remote address that was stored in the session at login.
     *
     * @param request The servlet request we are processing
     * @param response The servlet response we are creating
     * @param chain The filter chain we are processing
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpSession session = httpRequest.getSession();
        String uri = httpRequest.getRequestURI();
        String contextPath = httpRequest.getContextPath();

        boolean loginOrLogout = uri.equals(contextPath + "/services/login")
                || uri.equals(contextPath + "/services/logout");
        boolean loggedIn = session != null && session.getAttribute("userData") != null;
        Object loginIp = (session == null) ? null : session.getAttribute("LoginIPAddress");
        // A request whose remote address differs from the one that signed in
        // is treated exactly like a request without a valid session.
        boolean addressMismatch = loginIp != null && !loginIp.equals(httpRequest.getRemoteAddr());

        if (!loginOrLogout && (!loggedIn || addressMismatch)) {
            // No valid session for a protected page: send the user to forwardTo
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            StringBuilder logonQuery = new StringBuilder();
            logonQuery.append(httpRequest.getScheme());
            logonQuery.append("://");
            logonQuery.append(httpRequest.getServerName());
            logonQuery.append(":");
            logonQuery.append(httpRequest.getLocalPort());
            logonQuery.append(contextPath);
            logonQuery.append(forwardTo);
            session = httpRequest.getSession(true);
            session.setAttribute("MESSAGE", "Your session has expired. Please login again");
            httpResponse.sendRedirect(logonQuery.toString());
            return;
        }

        // Pass control on to the next filter
        chain.doFilter(request, response);
    }
}


I have some extra check in this code that you may not need, but the main section check is !session.getAttribute("LoginIPAddress").equals(httpRequest.getRemoteAddr())


Finally, you need to make this code run each time your server receives a request by adding this to your web.xml

  <filter>
    <filter-name>Check User Has Logged In</filter-name>
    <filter-class>au.com.mySystem.utils.filter.ServletUserAuthenticationFilter</filter-class>
    <init-param>
      <param-name>forwardTo</param-name>
      <param-value>/pages/loginForwarder.jsp</param-value>
    </init-param>
  </filter>
  <!-- the filter only runs on requests it is mapped to; this maps it to every request -->
  <filter-mapping>
    <filter-name>Check User Has Logged In</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


My code is now working correctly again (No thanks to TrendMicro)
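As an added illustration (not part of the original answer), the following stand-alone Java program replays the four-step sequence from the answer against the filter's decision logic. A plain Map stands in for HttpSession (shared by both addresses, because the cookie is replayed), the customer and comment paths and both IP addresses are constructed, and the output shows the replayed GET from the second address being redirected so that the comment lands on Customer 2 rather than Customer 1.

```java
import java.util.HashMap;
import java.util.Map;

public class LoginIpGuardDemo {
    // Same decision as the filter: allow login/logout, otherwise require a logged-in
    // session whose LoginIPAddress matches the address of the current request.
    static boolean allowed(String uri, String ctx, Map<String, Object> session, String remoteAddr) {
        if (uri.equals(ctx + "/services/login") || uri.equals(ctx + "/services/logout")) {
            return true;
        }
        if (session.get("userData") == null) {
            return false;                       // no logged-in user in this session
        }
        Object loginIp = session.get("LoginIPAddress");
        return loginIp == null || loginIp.equals(remoteAddr);
    }

    // Stand-in for the servlet: remembers the customer being viewed in the session
    // and attaches a comment to whichever customer is currently stored there.
    static String handle(String uri, String ctx, Map<String, Object> session, String remoteAddr) {
        if (!allowed(uri, ctx, session, remoteAddr)) {
            return "REDIRECT to login (remote address " + remoteAddr + " rejected)";
        }
        String customerPrefix = ctx + "/customer/";       // constructed path layout
        if (uri.startsWith(customerPrefix)) {
            session.put("currentCustomer", uri.substring(customerPrefix.length()));
            return "viewing customer " + session.get("currentCustomer");
        }
        if (uri.equals(ctx + "/comment")) {
            return "comment attached to customer " + session.get("currentCustomer");
        }
        return "200 " + uri;
    }

    public static void main(String[] args) {
        String ctx = "/app";
        String userIp = "198.51.100.10";      // constructed: the real user's address
        String replayIp = "203.0.113.77";     // constructed: the address replaying the GET
        Map<String, Object> session = new HashMap<>();
        // login code: after the credential check, remember the address that logged in
        session.put("userData", "alice");
        session.put("LoginIPAddress", userIp);

        System.out.println(handle(ctx + "/customer/1", ctx, session, userIp));    // viewing customer 1
        System.out.println(handle(ctx + "/customer/2", ctx, session, userIp));    // viewing customer 2
        System.out.println(handle(ctx + "/customer/1", ctx, session, replayIp));  // REDIRECT ... rejected
        System.out.println(handle(ctx + "/comment", ctx, session, userIp));       // comment attached to customer 2
    }
}
```

Without the LoginIPAddress comparison the third call would succeed and the final line would report Customer 1, which is exactly the misfiled comment the answer describes.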
