org.hd.d.pg2k.webSvr.exhibit
Class ServletUtils

java.lang.Object
  extended by org.hd.d.pg2k.webSvr.exhibit.ServletUtils

public final class ServletUtils
extends java.lang.Object

Servlet-related utility functions. This mainly consists of small support routines for servlets in this package.


Field Summary
private static int DEFAULT_MAX_HOTLINK_REQ_PERCENT
          Default maximum percent of all exhibit requests that may come from one external source without us blocking them.
private static boolean DELAY_HOTLINKER_WITH_YIELD
          If true, allow Thread.yield() to delay the response to a hotlinker.
 
Constructor Summary
private ServletUtils()
          Prevent construction of an instance.
 
Method Summary
(package private) static boolean noteAndOrBlockHotlinker(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest request, java.lang.String normalisedReferringHost, SimpleVariablePipelineIF vars, GenProps gp)
          Check if an apparent hotlinked request for an (exhibit or thumbnail) should be blocked.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_MAX_HOTLINK_REQ_PERCENT

private static final int DEFAULT_MAX_HOTLINK_REQ_PERCENT
Default maximum percent of all exhibit requests that may come from one external source without us blocking them. Normally in the range [1,100].

A value of a few percent should allow legitimate referrals from bona fide image search engines and low volumes of traffic from small sites that we don't object to, but should veto egregious heavy misuse of bandwidth.

At 20050205 a threshold of about 25% would just about let in all legitimate referrals from the highest-volume search engines (images.search.yahoo.com, images.google.com) and disallow most of the unwanted hotlinking from third-party sites. This should prove to be reasonably conservative, and is used if no explicit GenProps value is supplied.

As of 20100606 the value that had been in use for some time was 5%.

See Also:
Constant Field Values

DELAY_HOTLINKER_WITH_YIELD

private static final boolean DELAY_HOTLINKER_WITH_YIELD
If true, allow Thread.yield() to delay the response to a hotlinker. The downside of doing this is that it ties up response threads for longer and may prevent the server answering legitimate requests, i.e. appear busy.

See Also:
Constant Field Values
Constructor Detail

ServletUtils

private ServletUtils()
Prevent construction of an instance.

Method Detail

noteAndOrBlockHotlinker

static boolean noteAndOrBlockHotlinker(javax.servlet.ServletContext context,
                                       javax.servlet.http.HttpServletRequest request,
                                       java.lang.String normalisedReferringHost,
                                       SimpleVariablePipelineIF vars,
                                       GenProps gp)
Check if an apparent hotlinked request for an exhibit or thumbnail should be blocked. Makes a note of the request (even "" referrals that we will never block), and if the referrer is especially egregious will return false to suggest rejecting the request.

Absent or unparsable referrer URLs are not blocked by this mechanism (as these may be spiders or users running with "Referer" turned off for security reasons). They are dealt with in other ways.

Only call this where the referring URL seems dubious.

Algorithm for blocking requests by referrer:

  1. If the host is on the "allow" list, then allow the request.
  2. Else if the host is on the "block" list, then block the request.
  3. If there were no hotlinks from this host yesterday, then block the request. The aim of this is to discourage people setting up hotlinks to start with from their own pages since they just won't work.
  4. Else if the requests from this referrer today/yesterday have amounted to (say) 10% or more of all exhibit requests in that period, then block the request. (Note that thumbnail requests should normally be much less common than exhibit requests because they can be cached for a very long time.)

Only package visible since only needed by servlets in this package.
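The four-step referrer algorithm above, worked through as an added stand-alone model (hypothetical code, not the gallery's own ServletUtils or its DataSource): the allow/block lists, the per-host hotlink counters for today and yesterday, and the percentage threshold are held in memory here, and the request mix in main() is constructed to show a new host being refused, an allow-listed search engine passing, and a small site crossing a 5% share.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Hypothetical stand-alone model of the four-step referrer rules; not the gallery's own code.
public final class HotlinkPolicy {
    private final Set<String> allowHosts, blockHosts;
    private final int maxHotlinkReqPercent; // assumed threshold, e.g. the 5% in use at 20100606
    // In-memory stand-in for the DataSource: hotlink counts per host, today and yesterday.
    private Map<String, Integer> today = new HashMap<>(), yesterday = new HashMap<>();
    private int todayTotal, yesterdayTotal; // all exhibit requests in each period

    public HotlinkPolicy(Set<String> allow, Set<String> block, int maxHotlinkReqPercent) {
        this.allowHosts = allow; this.blockHosts = block; this.maxHotlinkReqPercent = maxHotlinkReqPercent;
    }
    /** Counts every exhibit request; pass "" when there is no usable referrer. */
    public void note(String host) {
        todayTotal++;
        if (!host.isEmpty()) today.merge(host, 1, Integer::sum);
    }

    /** Day boundary: today's counts become yesterday's and today starts afresh. */
    public void rollOverDay() {
        yesterday = today; today = new HashMap<>();
        yesterdayTotal = todayTotal; todayTotal = 0;
    }

    /** True if a hotlinked request with this referring host should be blocked. */
    public boolean shouldBlock(String host) {
        note(host);                                   // noted even when it will never be blocked
        if (host.isEmpty()) return false;             // absent referrer: handled elsewhere
        if (allowHosts.contains(host)) return false;  // 1. allow list wins
        if (blockHosts.contains(host)) return true;   // 2. block list
        int fromHostYesterday = yesterday.getOrDefault(host, 0);
        if (fromHostYesterday == 0) return true;      // 3. nothing yesterday: a new hotlinker
        long fromHost = fromHostYesterday + today.getOrDefault(host, 0);
        long total = (long) todayTotal + yesterdayTotal;
        return fromHost * 100 >= (long) maxHotlinkReqPercent * total; // 4. share of all requests
    }

    public static void main(String[] args) {
        HotlinkPolicy p = new HotlinkPolicy(Set.of("images.google.com"), Set.of("leech.example"), 5);
        for (int i = 0; i < 90; i++) p.note("");             // constructed: 90 direct views yesterday
        for (int i = 0; i < 3; i++) p.note("blog.example");  // and 3 hotlinks from one small site
        p.rollOverDay();
        System.out.println(p.shouldBlock("images.google.com")); // allow-listed search engine
        System.out.println(p.shouldBlock("new.example"));       // first ever hotlink from this host
        for (int i = 0; i < 2; i++) System.out.println(p.shouldBlock("blog.example")); // share climbs past 5%
    }
}
```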

Parameters:
request - the incoming request; never null
normalisedReferringHost - the normalised hotlinking host's name; never null
vars - the DataSource; never null
Returns:
true if this request should probably be blocked

DHD Multimedia Gallery V1.57.21

Copyright (c) 1996-2011, Damon Hart-Davis. All rights reserved.