接着前两篇日志
http://hw1287789687.iteye.com/blog/2215776
http://hw1287789687.iteye.com/blog/2216493
我之前遇到过忘记路由器密码的情况,我在192.168.1.1的登录界面尝试可能的密码,希望能够猜中,但是输错3次之后,就必须等待5分钟,我们可以借鉴这种策略.
连续3次登录失败,就锁定5分钟(5分钟之内无视登录请求)
解释:
连续登录失败3次,就设置isLocked为true,表示锁定,并设置定时器,任务是5分钟之后设置isLocked为false.
服务器接受到登录请求时,在查询数据库之前先判断是否锁定,若isLocked为true,则不用查询数据库,直接返回登录失败.若isLocked为false,则正常查询数据库.
被锁定之后,必须等待5分钟,若锁定之后登录,则定时器重新计时.
比如我等待了2分钟,还要等3分钟,我就又可以登录了.但是还需要等3分钟的时候我还去登录,那么定时器从此刻开始计时,即我又要等待5分钟.
在锁定期间,接收登录请求不会访问数据库.
具体实现:
(a)spring 的aop
在登录校验方法处添加aop切面,类型是around
上代码:
- package com.shop.jn.aop;
- import java.util.Timer;
- import org.apache.log4j.Logger;
- import org.aspectj.lang.ProceedingJoinPoint;
- import com.common.entity.user.interf.GenericUser;
- import com.common.util.LoginUtil;
- import com.common.util.SystemHWUtil;
- import com.opensymphony.xwork2.Action;
- import com.shop.jn.common.MyTask;
- import com.shop.jn.listener.UploadedFilesServletContextListener;
- public class LoginTimesAop {
- private Logger logger = Logger.getLogger(this.getClass());
- private int timesFail = 0;
- private Timer timer = new Timer();
- private MyTask task = null;
- /***
- * 因连续登录失败的次数达到上限,而锁定:规定时间内无法登录
- */
- private boolean isLocked = false;
- private String classSimpleName = this.getClass().getSimpleName();
- public LoginTimesAop() {
- super();
- logger.info("aop:constructor.");
- }
- public void before3(GenericUser user) {
- System.out.println("user:" + user.getUsername());
- logger.info("aop:before3");
- }
- // public void monitor(String username, String passwd) {
- // timesFail++;
- // logger.info("aop:-------------------------------------");
- // logger.info("username:" + username + " , password:" + passwd);
- // System.out.println("username:" + username + " , password:" + passwd);
- // System.out.println("times of fail:" + timesFail+" times.");
- // }
- // ,ProceedingJoinPoint call
- public Object around(ProceedingJoinPoint call, GenericUser user)
- throws Throwable {
- if(!UploadedFilesServletContextListener.isLimitLoginFailedThreeTimes){
- return call.proceed();
- }
- String aop_info = "aop[" + classSimpleName + "]:";
- // logger.info(aop_info + "This is around method.");
- // logger.info("username:" + user.getUsername() + " ,password:"
- // + user.getPassword());
- Object[] obj;
- if (!isLocked()) {// 没有锁定
- //com.common.service.impl.SUserService Object[] login(String username,String passwd)
- obj = (Object[]) call.proceed();//负责登录校验的,真正干活的.
- int resultCode = (Integer) obj[0];
- if (resultCode == LoginUtil.LOGIN_RESULT_SUCCESS) {
- timesFail = 0;
- } else {// 登录失败
- timesFail++;
- logger.info(aop_info + "times of fail:" + timesFail + " times.");
- }
- } else {
- logger.info("账号已被锁定");
- obj = new Object[2];
- }
- // 连续登录失败超过3次
- if (UploadedFilesServletContextListener.isLimitLoginFailedThreeTimes/*
- * 是否限定连续登录失败三次就锁定
- */
- && timesFail >= LoginUtil.MAX_LOGIN_FAIL_TIMES) {
- // ValueStack stack = actionContext.getValueStack();
- // stack.set("MESSAGE_IS_LOGIN", "You have failed " + timesFail
- // + " times.");
- if (isLocked()) {// over three times and is still locked,meanwhile use
- // try to log in
- if (task != null) {
- logger.info(aop_info + " cancel task.");
- task.cancel();
- task = null;
- }
- } else {// first into this if clause(if (timesFail >=
- // LoginUtil.MAX_LOGIN_FAIL_TIMES ))
- task = null;
- }
- if (timer == null) {
- timer = new Timer();
- }
- if (task == null) {
- task = new MyTask(this);
- }
- logger.info(aop_info + "start task....");
- timer.schedule(task, LoginUtil.MILLISECONDS_WAIT_WHEN_FAIL);
- setLocked(true);
- // Object[] results = new Object[2];
- obj[0] = LoginUtil.LOGIN_RESULT_OVER_TIMES;/*
- * You have failed three
- * times.
- */
- // return results;// not success
- logger.info(SystemHWUtil.DIVIDING_LINE);
- }
- return obj;
- }
- // public void before() {
- // logger.info("aop:This is before method:user try to log in......");
- // System.out.println("aop:before");
- // }
- public void afterReturning(Object retVal) {
- logger.info("aop:return code:" + (String) retVal);
- if (retVal == null || !retVal.equals(Action.SUCCESS)) {
- logger.warn("aop:login failed!");
- }
- }
- // public void before2(User user){
- // logger.info("aop:This is before2 method:user try to log in......");
- // logger.info("username:" + user.getUsername() + " , password:" +
- // user.getPassword());
- // }
- public int getTimesFail() {
- return timesFail;
- }
- public void setTimesFail(int timesFail) {
- this.timesFail = timesFail;
- }
- public synchronized boolean isLocked() {
- return isLocked;
- }
- public synchronized void setLocked(boolean isLocked) {
- this.isLocked = isLocked;
- }
- }
定时器执行的任务
- public class MyTask extends java.util.TimerTask{
- private LoginTimesAop loginTime;
- public MyTask(LoginTimesAop loginTime) {
- super();
- this.loginTime=loginTime;
- }
- @Override
- public void run() {
- loginTime.setTimesFail(0);
- loginTime.setLocked(false);
- }
- }
aop配置:
- <aop:pointcut id="userServicePointcut"
- expression="execution(* com.common.service.impl.SUserService.login(..)) and args(..,user2)" />
- <aop:aspect id="myAspect" ref="loginTimesAop">
- <aop:before method="before3" arg-names="user2" pointcut-ref="userServicePointcut"
- />
- <aop:around pointcut-ref="userServicePointcut" method="around"
- arg-names="user2" />
- </aop:aspect>
(b)spring MVC中的拦截器,需继承org.springframework.web.servlet.HandlerInterceptor
关于拦截器参考:spring mvc xml配置拦截器
拦截器的demo
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.springframework.web.servlet.ModelAndView;
- import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
- public class HandlerInterceptor1 extends HandlerInterceptorAdapter {
- @Override
- public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
- System.out.println("===========HandlerInterceptor1 preHandle");
- return true;
- }
- @Override
- public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
- System.out.println("===========HandlerInterceptor1 postHandle");
- }
- @Override
- public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
- System.out.println("===========HandlerInterceptor1 afterCompletion");
- }
- }
参考:http://hw1287789687.iteye.com/blog/2215776
http://hw1287789687.iteye.com/blog/2216493