Servlet filters for abuse prevention? (DoS, spam, etc)

Submitted by 北慕城南 on 2019-12-06 02:36:35

Question


I'm looking for a servlet filter library that helps me secure our web service against unauthorized usage and DDoS.

We have "authorized clients" for our web service, so ideally the filter would help detect clients that aren't authorized or behave improperly, or detect multiple people using the same account. Also we need a way to prevent DoS'ing of our various services since we have an open-account policy -- limiting the number of simultaneous connections for a user, etc.

We've looked at the Tomcat LockOutFilter and such but those are fairly primitive and only protect against one sort of attack.

Of course there are many application-specific components of the solution, but I was wondering if someone had written up a general solution as a starting point.


Answer 1:


Apache Shiro is an interesting security solution (it was called jSecurity before joining Apache.org). I find their source code much easier to understand and tweak for my needs, and also to integrate it.




Answer 2:


iTransformers DDoS servlet filter is a good example of a servlet filter able to apply Remotely Triggered Black Holing (https://tools.ietf.org/html/rfc5635), which is the only real/good and scalable way to defend yourself from DDoS attacks.




Answer 3:


If you are using Spring then Acegi security is pretty complete.
Here is a series of tutorial articles.
It looks like you might be able to run this without needing Spring everywhere; see here.



Source: https://stackoverflow.com/questions/3112663/servlet-filters-for-abuse-prevention-dos-spam-etc
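
The per-user limit on simultaneous connections that the question asks for, sketched as a plain servlet filter. This is an added example, not part of the original thread and not code from any library named in the answers. The class name `PerUserConcurrencyFilter`, the cap `MAX_IN_FLIGHT` and the 429 response are assumptions, as is the premise that authentication has already populated `getRemoteUser()`.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): caps in-flight requests per account.
public class PerUserConcurrencyFilter implements Filter {
    private static final int MAX_IN_FLIGHT = 4; // assumed cap, tune per service
    private final ConcurrentHashMap<String, Integer> inFlight = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Atomically takes a slot for key; returns false if key is already at the cap.
    boolean tryAcquire(String key) {
        boolean[] ok = {false};
        inFlight.compute(key, (k, n) -> {
            int cur = (n == null) ? 0 : n;
            if (cur >= MAX_IN_FLIGHT) return n; // at cap: leave the count unchanged
            ok[0] = true;
            return cur + 1;
        });
        return ok[0];
    }

    // Frees a slot; the entry is dropped at zero so the map cannot grow without bound.
    void release(String key) {
        inFlight.computeIfPresent(key, (k, n) -> n <= 1 ? null : n - 1);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Key on the account; anonymous callers share a bucket per peer address.
        String user = http.getRemoteUser();
        String key = (user != null) ? "user:" + user : "ip:" + http.getRemoteAddr();
        if (!tryAcquire(key)) {
            ((HttpServletResponse) res).sendError(429, "Too many concurrent requests");
            return;
        }
        try {
            chain.doFilter(req, res);
        } finally {
            release(key); // always release, even when the servlet throws
        }
    }
}
```

Map the filter after whatever performs authentication so the key is the account name rather than the peer address; behind a reverse proxy `getRemoteAddr()` is the proxy's address. With asynchronous servlets the slot is released when `doFilter` returns, not when the response completes, so the count understates long-running async work.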
