On Thu, Apr 16, 2009 at 01:48:37PM +0200, Joerg Bullmann wrote:
> Hi all,
>
> Say I have some kind of login mechanism of a web application. I would like to
> insert an artificial delay of 5 or 10 seconds in case the login fails (due to
> wrong password or user name) to make it a tad more awkward for people to
> break in using the brute force method.
>
> Now all I want to do is slow down that connection. How do I do this with the
> least impact on the overall system? I don't just want the worker thread
> dealing with this request to sleep because that effectively blocks it and
> thus has an impact on the rest. I am using HTTP Core NIO.
>
> Which would be a good approach? I have looked at lots of the example code
> before, but do not remember this kind of thing being mentioned.
>
> I am asking because I would like to add this feature in the Little Portal
> Gizmo <http://lipog.sourceforge.net>.
>
> Any pointers?
>

Hi Joerg,

This can be fairly easily done with HttpCore NIO without an additional
execution thread or blocking the I/O thread. However, most likely you will
have to implement a custom NHttpServiceHandler to get it done.

Here's what you have to do:

(1) After a complete HTTP request has been received, execute user
authentication logic of your choice. If authentication fails, disable both
input and output events on that connection and set connection timeout to
something like 3 seconds. The connection will be effectively disabled.

(2) NHttpServiceHandler#timeout will fire approximately 3 seconds later.
Reset the timeout to its default value and enable input and output events.

(3) NHttpServiceHandler#responseReady will fire at some point of time
indicating the connection is ready to accept a response.

(4) Submit a 401 response to the user.

That is it.

Oleg

> Cheers,
> Joerg
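
The four steps in the reply above, as an added example that is not part of the original thread and not HttpCore's own code. It assumes the HttpCore 4.0 NIO interfaces and requests without a body; the `authenticate` hook and the context attribute names are hypothetical, and the class is abstract so a subclass supplies the remaining NHttpServiceHandler callbacks.

```java
import java.io.IOException;
import org.apache.http.*;
import org.apache.http.message.BasicHttpResponse;
import org.apache.http.nio.*;

// Added example: delays the 401 after a failed login without blocking the I/O thread.
public abstract class DelayedRejectHandler implements NHttpServiceHandler {
    private static final String STATE = "login.state";            // hypothetical attribute names
    private static final String OLD_TIMEOUT = "login.old-timeout";
    private static final int DELAY_MS = 3000;                     // "something like 3 seconds"
    protected abstract boolean authenticate(HttpRequest request); // application's own check

    public void requestReceived(NHttpServerConnection conn) {
        if (authenticate(conn.getHttpRequest())) { submit(conn, HttpStatus.SC_OK, "OK"); return; }
        // Step 1: park the connection. No thread sleeps; the reactor stops servicing it.
        conn.getContext().setAttribute(OLD_TIMEOUT, Integer.valueOf(conn.getSocketTimeout()));
        conn.getContext().setAttribute(STATE, "WAIT");
        conn.suspendInput();
        conn.suspendOutput();
        conn.setSocketTimeout(DELAY_MS);
    }

    public void timeout(NHttpServerConnection conn) {
        // Any timeout that is not our penalty timer is an ordinary idle timeout.
        if (!"WAIT".equals(conn.getContext().getAttribute(STATE))) { close(conn); return; }
        // Step 2: penalty served. Restore the saved timeout and re-enable I/O events.
        conn.setSocketTimeout((Integer) conn.getContext().getAttribute(OLD_TIMEOUT));
        conn.getContext().setAttribute(STATE, "REJECT");
        conn.requestInput();
        conn.requestOutput();
    }

    public void responseReady(NHttpServerConnection conn) {
        // Steps 3 and 4: the connection can accept a response, so send the 401 now.
        if ("REJECT".equals(conn.getContext().getAttribute(STATE)) && !conn.isResponseSubmitted()) {
            conn.getContext().removeAttribute(STATE);
            submit(conn, HttpStatus.SC_UNAUTHORIZED, "Unauthorized");
        }
    }

    private void submit(NHttpServerConnection conn, int status, String reason) {
        HttpResponse response = new BasicHttpResponse(HttpVersion.HTTP_1_1, status, reason);
        response.addHeader("Content-Length", "0");                // no entity is attached
        try { conn.submitResponse(response); } catch (Exception ex) { close(conn); }
    }

    private void close(NHttpServerConnection conn) {
        try { conn.close(); } catch (IOException ignore) { }
    }
}
```

The delay applies per connection, so it slows a single client but does not bound attempts spread over many parallel connections; per-account or per-source attempt limits cover that case.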
