I made a JSR-356 @ServerEndpoint
in which I want to limit alive connections from single IP address, to prevent simple DDOS attacks.
Note that I'm search for Java solution (JSR-356, Tomcat or Servlet 3.0 specs).
I have tried custom endpoint configurer but I don't have access to IP address even in HandshakeRequest
object.
How to limit JSR-356 connection count from single IP address without external software like iptables?
According to Tomcat developer @mark-thomas client IP is not exposed via JSR-356 thus it is impossible to implement such a function with pure JSR-356 API-s.
You have to use a rather ugly hack to work around the limitation of the standard.
What needs to be done boils down to:
There are at least two hacky options to achieve that.
ServletRequestListener
request.getSession()
on incoming request to ensure it has a session and store client IP as a session attribute.ServerEndpointConfig.Configurator
that lifts client IP from HandshakeRequest#getHttpSession
and attaches it to EndpointConfig
as a user property using the modifyHandshake
method.EndpointConfig
user properties, store it in map or whatever and trigger cleanup logic if the number of sessions per IP exceeds a threshold.You can also use a @WebFilter
instead of ServletRequestListener
Note that this option can have a high resource consumption unless your application already uses sessions e.g. for authentication purposes.
/mychat
ServletRequest#getRequestDispatcher
to forward the request to /mychat/TOKEN
@ServerEndpoint("/mychat/{token}")
@PathParam
and decrypt to get client IP. Store it in map or whatever and trigger cleanup logic if the number of sessions per IP exceeds a threshold.For ease of installation you may wish to generate encryption keys on application startup.
Please note that you need to encrypt the IP even if you are doing an internal dispatch that is not visible to the client. There is nothing that would stop an attacker from connecting to /mychat/2.3.4.5
directly thus spoofing the client IP if it's not encrypted.
See also: