Talking about CAPTCHA from the construction of distributed second kill system

2025-04-01 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Preface

To intercept most requests before they reach the backend, the seckill (flash sale) demo introduces a CAPTCHA on the front end. Many Taobao users complain that by the time they have finished typing the CAPTCHA, the flash sale is already over; yes, it is over. Of course, the real purpose of the CAPTCHA is to intercept "brushing" (scripted bulk requests) and send the freebie hunters home empty-handed.

Verification code

So what exactly is a CAPTCHA? As a means of human-machine identification, its ultimate goal is to distinguish the actions of real people from those of machines. Common Internet scenarios such as registration, login, posting, coupon collection and voting all carry the risk of losses of various kinds caused by machine brushing.

At present, the most common form of CAPTCHA is the image CAPTCHA, i.e. the traditional character CAPTCHA made of digits, letters, text, pictured objects and so on. It looks simple and easy to operate, but the actual user experience is poor (see the 12306 website), and with OCR technology and human-solving ("coding") platforms, images are relatively easy to crack.

Here we use Tencent's intelligent man-machine security CAPTCHA, leaving behind the single point of defense of the traditional CAPTCHA: ten security fences form a three-dimensional, all-round security verification that shuts out the underground industry.

Scene

Let's look at which scenarios' security problems a CAPTCHA can easily solve:

Login and registration: protect against credential stuffing and stop batch registration by registration bots
Activities: effectively intercept brushing and send the freebie hunters home empty-handed
Likes and posts: effectively solve advertising spam, malicious flooding and vote brushing
Data protection: prevent bots and crawlers from stealing web content and data

Application address: https://007.qq.com/product.html

Online experience: https://007.qq.com/online.html

Anyone with a QQ account can apply for free. For a typical corporate OA system or personal blog, the free CAPTCHA package is enough; it offers the following:

2000 verifications per hour of security protection
Support for verification-free and hierarchical (tiered) verification
Three-minute quick integration
Full-featured configuration console
HTTPS support
No advertising for traffic within the threshold

Protection of 2000 verifications per hour is a level that is rarely reached in practice; of course, if the threshold is exceeded, the worst that happens is an extra advertisement.

Access

Quick start: https://007.qq.com/quick-start.html

The access and help pages provide a variety of client-side and server-side integration examples; here we use Java, the language we are most familiar with, in the seckill demo.

Front end

Introduce JS:

Page elements:

Verification

JS callback:

window.callback = function (res) {
    console.log(res);
    // res (verification failed)    = {ret: 1, ticket: null}
    // res (verification succeeded) = {ret: 0, ticket: "String", randstr: "String"}
    if (res.ret === 0) {
        startSeckill(res);
    }
};

// verify the ticket in the backend and enter the seckill queue
function startSeckill(res) {
    $.ajax({
        url: "startSeckill",
        type: 'post',
        data: {'ticket': res.ticket, 'randstr': res.randstr},
        success: function (result) {
            // check whether verification passed and prompt the user
        }
    });
}

Backend:

import com.alibaba.fastjson.JSONObject;
import io.swagger.annotations.Api;
import org.apache.activemq.command.ActiveMQQueue;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.jms.Destination;
import javax.servlet.http.HttpServletRequest;
// Result, ActiveMQSender and IPUtils are the project's own classes

@Api(tags = "Seckill merchandise")
@RestController
@RequestMapping("/seckillPage")
public class SeckillPageController {

    @Autowired
    private ActiveMQSender activeMQSender;

    // custom utility class
    @Autowired
    private HttpClient httpClient;

    // configured in the application properties
    @Value("${qq.captcha.url}")
    private String url;
    @Value("${qq.captcha.aid}")
    private String aid;
    @Value("${qq.captcha.AppSecretKey}")
    private String appSecretKey;

    @RequestMapping("/startSeckill")
    public Result startSeckill(String ticket, String randstr, HttpServletRequest request) {
        HttpMethod method = HttpMethod.POST;
        MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
        params.add("aid", aid);
        params.add("AppSecretKey", appSecretKey);
        params.add("Ticket", ticket);
        params.add("Randstr", randstr);
        params.add("UserIP", IPUtils.getIpAddr(request));
        String msg = httpClient.client(url, method, params);
        /*
         * response:   1 = verification succeeded, 0 = verification failed,
         *             100 = AppSecretKey parameter error            [required]
         * evil_level: [0-100] malicious level                      [optional]
         * err_msg:    verification error message                   [optional]
         */
        // {"response":"1","evil_level":"0","err_msg":"OK"}
        JSONObject json = JSONObject.parseObject(msg);
        String response = json.getString("response");
        if ("1".equals(response)) {
            // enter the queue; fake data only
            Destination destination = new ActiveMQQueue("seckill.queue");
            activeMQSender.sendChannelMess(destination, 1000 + ";" + 1);
            return Result.ok();
        } else {
            return Result.error("Verification failure");
        }
    }
}
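The controller reports IPUtils.getIpAddr(request) as UserIP. That helper (listed further down) takes the first X-Forwarded-For entry, a header the client can set itself unless your own reverse proxy strips or rewrites it, so a bot can report whatever address it likes to the verification API. The resolver below is an added example, not code from the article or the spring-boot-seckill project: it honours X-Forwarded-For only when the TCP peer is one of a configured set of trusted proxies (the 10.0.0.x addresses are constructed placeholders) and walks the list from the right, assuming each of your proxies appends the peer address it saw, as Nginx's $proxy_add_x_forwarded_for does. Requires Java 11+.

```java
import java.util.Set;

// Added example: resolve the client address for the CAPTCHA "UserIP" parameter
// without trusting a client-supplied X-Forwarded-For header.
public class TrustedClientIp {

    // Addresses of our own reverse proxies (constructed placeholder values).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    /**
     * @param remoteAddr   request.getRemoteAddr(): the TCP peer that connected to us
     * @param forwardedFor the X-Forwarded-For header value, or null if absent
     * @return the address to report as UserIP
     */
    public static String resolve(String remoteAddr, String forwardedFor) {
        // Not behind one of our proxies: the peer is the client, whatever the header claims.
        if (!TRUSTED_PROXIES.contains(remoteAddr) || forwardedFor == null || forwardedFor.isBlank()) {
            return remoteAddr;
        }
        String[] hops = forwardedFor.split(",");
        // Walk right to left. Each of our proxies appended the address it saw, so the
        // first entry that is not one of our proxies is the real client. Everything to
        // its left was supplied by the client or an unknown upstream and is ignored.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty() || "unknown".equalsIgnoreCase(hop)) {
                continue;
            }
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        // Every listed hop was one of our proxies; fall back to the peer address.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Direct connection: the header is ignored and the peer address is returned.
        System.out.println(resolve("203.0.113.10", "198.51.100.1"));
        // Via our proxy: the client prepended a fake entry, the proxy appended the real one.
        System.out.println(resolve("10.0.0.5", "198.51.100.1, 203.0.113.10"));
        // Two of our proxies in a chain; both are skipped.
        System.out.println(resolve("10.0.0.5", "203.0.113.10, 10.0.0.6"));
    }
}
```

All three calls in main resolve to 203.0.113.10, the address the proxies actually observed; the forged 198.51.100.1 is never reported.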

Custom request tool class HttpClient:

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

@Service
public class HttpClient {

    public String client(String url, HttpMethod method, MultiValueMap<String, String> params) {
        RestTemplate client = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        // do not change this lightly: in most cases the API expects a form submission
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        HttpEntity<MultiValueMap<String, String>> requestEntity = new HttpEntity<>(params, headers);
        // execute the HTTP request with the method passed by the caller
        ResponseEntity<String> response = client.exchange(url, method, requestEntity, String.class);
        return response.getBody();
    }
}

Get the IP address utility class IPUtils:

import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils; // commons-lang3 assumed
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * IP address utilities
 */
public class IPUtils {
    private static Logger logger = LoggerFactory.getLogger(IPUtils.class);

    /**
     * Obtain the client IP address.
     * Behind reverse-proxy software such as Nginx, request.getRemoteAddr() does not return the
     * client address. With multi-level reverse proxies, X-Forwarded-For holds not one value but a
     * comma-separated list of IP addresses; the first valid entry that is not "unknown" is taken
     * as the real client address.
     */
    public static String getIpAddr(HttpServletRequest request) {
        String ip = null;
        try {
            ip = request.getHeader("x-forwarded-for");
            if (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip)) {
                ip = request.getHeader("Proxy-Client-IP");
            }
            if (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip)) {
                ip = request.getHeader("WL-Proxy-Client-IP");
            }
            if (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip)) {
                ip = request.getHeader("HTTP_CLIENT_IP");
            }
            if (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip)) {
                ip = request.getHeader("HTTP_X_FORWARDED_FOR");
            }
            if (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip)) {
                ip = request.getRemoteAddr();
            }
        } catch (Exception e) {
            logger.error("IPUtils ERROR", e);
        }
        // behind a proxy the header is a list: take the first address
        // (the original tested isEmpty here, which never fires for a non-empty list)
        if (StringUtils.isNotEmpty(ip) && ip.indexOf(",") > 0) {
            ip = ip.substring(0, ip.indexOf(","));
        }
        return ip;
    }
}

Case effect diagram

Start project access: http://localhost:8080/seckill/1000.shtml

Custom access

When logging in, we need to verify the username and password first and only then invoke the CAPTCHA, so a customized integration is required.

Login:

login: function () {
    // verify the username and password first
    // then create a CAPTCHA object
    var captcha = new TencentCaptcha('2001344788', function (res) {
        if (res.ret === 0) {
            // successful callback
            var data = {
                'username': username,
                'password': password,
                'ticket': res.ticket,
                'randstr': res.randstr
            };
            $.ajax({
                type: "POST",
                url: "sys/loginCaptcha",
                data: data,
                dataType: "json",
                success: function (result) {
                    // check whether login succeeded
                }
            });
        }
    });
    captcha.show(); // display the CAPTCHA
},

Backend monitoring

Tencent backend also provides simple and practical data monitoring, as follows:

Summary

Overall, integrating man-machine CAPTCHA verification into a system is very convenient and poses no technical difficulty; the hard parts have been encapsulated by the provider, and we only need a simple call.

Second kill case: https://gitee.com/52itstyle/spring-boot-seckill

Demo case (click the generate button): http://jichou.52itstyle.com
