I am looking to protect my Tomcat-based web apps from bots and other infected and compromised systems. I have been doing some research, and found this article on Apache HTTPD and an apache module named mod_access_rbl. Is there anything similar that is available for Tomcat, implemented as either a servlet or a valve?
B Clark wrote:
Any other ideas you might have in protecting web apps from bots would be welcomed.
Don't invent your own security service. Use one that's been tested and proven. Pretty much every do-it-yourself login/authentication system I've seen has had major flaws. No small number of them resemble the stereotypical Western town movie sets, where all that exists is the front of the building, so all you have to do is (figuratively speaking) walk around to the side. Even the better ones tend to break down once they go into maintenance mode and people who don't understand the rules get their hands on the code.
J2EE has a built-in security framework that will actually block really offensive URL requests from even getting to the application at all. While there are things I could do to improve it, I've managed to use it - or frameworks based on it - for pretty much all my security needs, and I work in areas where security is a little more critical than some people's.
William Brogden wrote: The servlet API provides all you would need to keep track of blacklisted IP addresses and reject connections from them.
The equivalent of that Apache module would be a javax.servlet.Filter implementation which could track a list of IP addresses.
A Google search for "servlet blacklist filter" found some examples.
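The Filter approach sketched above, as an added example that is not code from the thread: a `javax.servlet.Filter` that loads a blocklist from a web.xml init-param (the parameter name `blockedAddresses` is an assumption) and answers 403 to listed addresses before the request reaches any servlet.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Register in web.xml (the init-param name is an assumption of this example):
 *   <filter>
 *     <filter-name>ipBlocklist</filter-name>
 *     <filter-class>IpBlocklistFilter</filter-class>
 *     <init-param>
 *       <param-name>blockedAddresses</param-name>
 *       <param-value>203.0.113.7, 198.51.100.23</param-value>   <!-- constructed sample values -->
 *     </init-param>
 *   </filter>
 *   <filter-mapping><filter-name>ipBlocklist</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class IpBlocklistFilter implements Filter {
    // Thread-safe set so the list can later be updated at runtime (e.g. from an RBL lookup job).
    private final Set<String> blocked = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("blockedAddresses");
        if (param == null) return;
        for (String addr : param.split(",")) {
            String trimmed = addr.trim();
            if (!trimmed.isEmpty()) blocked.add(trimmed);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer; behind a reverse proxy, configure Tomcat's
        // RemoteIpValve so this reflects the real client rather than the proxy.
        if (isBlocked(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;                       // stop the chain: the servlet never sees the request
        }
        chain.doFilter(req, res);
    }

    boolean isBlocked(String addr) { return addr != null && blocked.contains(addr); }

    @Override
    public void destroy() { blocked.clear(); }
}
```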