Shulou(Shulou.com)06/02 Report--

This article mainly introduces what are the security risks in the use of HttpClient. It is very detailed and has a certain reference value. Friends who are interested must read it!

There are some headlines about the security risks in the use of HttpClient. Because this is not a HttpClient problem in itself, but a user problem.

Security risk scenario description:

Once big data's resources are requested, the HttpClient thread will be occupied for a long time. Even if the org.apache.commons.httpclient.HttpMethod#releaseConnection () method is called, it doesn't help.

If the requested resource is application-controllable, there is no problem. However, the usage scenario of our application is that the requested resources are input by the user, so we have to pay attention to this problem.

We tracked the releaseConnection code and found:

Org.apache.commons.httpclient.HttpMethodBase#releaseConnection ()

Public void releaseConnection () {try {if (this. ResponseStream! = null) {try {/ / FYI-this may indirectly invoke responseBodyConsumed. This .responseStream.close ();} catch (IOException ignore) {} finally {ensureConnectionRelease ();}}

Org.apache.commons.httpclient.ChunkedInputStream#close ()

Public void close () throws IOException {if (! Closed) {try {if (! Eof) {exhaustInputStream (this);}} finally {eof = true; closed = true;}

Org.apache.commons.httpclient.ChunkedInputStream#exhaustInputStream (InputStream inStream)

Static void exhaustInputStream (InputStream inStream) throws IOException {/ / read and discard the remainder of the message byte buffer [] = new byte [1024]; while (inStream.read (buffer) > = 0) {;}}

You see, the so-called discarding response is actually a response that has read a request, but does not do any processing.

Come to think of it, the design philosophy of HttpClient is to reuse HttpConnection, so it can't be forced close easily.

What shall I do? A friend said, there is a time out setting, the setting can be the following.

Let me first explain the two concepts of time out in Httpclient:

1.public static final String CONNECTION_TIMEOUT = "http.connection.timeout"

That is, the timeout for creating a socket connection: timeout in java.net.Socket#connect (SocketAddress endpoint, int timeout)

2.public static final String SO_TIMEOUT = "http.socket.timeout"

That is, the timeout in the timeout:java.net.Socket#setSoTimeout (int timeout) waiting for data in the read data process.

In my above scenario, neither of these timeout is satisfied, it is because the resources are too large, and it takes up a lot of request time.

The problem always needs to be solved, and the solution is as follows:

1. Manage all requests with DelayQueue

two。 Using an asynchronous thread monitoring to close requests for a very long time

The demo code is as follows:

Public class Misc2 {private static final DelayQueue

TIMEOUT_QUEUE = new DelayQueue

(); public static void main (String [] args) throws Exception {new Monitor (). Start (); / / timeout monitoring thread new Request (4). Start (); / / simulate * download new Request (3). Start (); / simulate the second download new Request (2). Start () / / simulate the third download} / * simulate a HttpClient request * * @ author Stone.J 2011-4-9 * / public static class Request extends Thread {private long delay; public Request (long delay) {this .delay = delay } public void run () {HttpClient hc = new HttpClient (); GetMethod req = new GetMethod ("http://www.python.org/ftp/python/2.7.1/Python-2.7.1.tgz") Try {TIMEOUT_QUEUE.offer (new Timeout (delay * 1000, hc.getHttpConnectionManager (); hc.executeMethod (req);} catch (Exception e) {System.out.println (e);} req.releaseConnection () }} / * Supervisor: monitor threads, through DelayQueue, block to get the most recently timed-out object Force the closure of * * @ author Stone.J 2011-4-9 * / public static class Monitor extends Thread {@ Override public void run () {while (true) {try {Timeout timeout = TIMEOUT_QUEUE.take () Timeout.forceClose ();} catch (InterruptedException e) {System.out.println (e) } / * using delay queue, the implementation of the Delayed interface allows timeout time according to the current time of the request + the request, and compare with the current time Determine if it has timed out * * @ author Stone.J 2011-4-9 * / public static class Timeout implements Delayed {private long debut Private long delay; private HttpConnectionManager manager; public Timeout (long delay, HttpConnectionManager manager) {this .debut = System.currentTimeMillis (); this .delay = delay; this .manager = manager } public void forceClose () {System.out.println (this .debut + ":" + this .delay); if (manager instanceof SimpleHttpConnectionManager) {((SimpleHttpConnectionManager) manager) .shutdown () } if (manager instanceof MultiThreadedHttpConnectionManager) {(MultiThreadedHttpConnectionManager) manager) .shutdown ();} @ Override public int compareTo (Delayed o) {if (o instanceof Timeout) {Timeout timeout = (Timeout) o If (this .debut + this .delay = = timeout.debut + timeout.delay) {return 0;} else if (this .debut + this .delay > timeout.debut + timeout.delay) {return 1 } else {return-1;}} return 0;} @ Override public long getDelay (TimeUnit unit) {return debut + delay-System.currentTimeMillis () } these are all the contents of this article entitled "what are the security risks in the use of HttpClient". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.