tomcat-dev mailing list archives

From "David Cassidy" <>
Subject Re: method to protect webapps from users
Date Wed, 27 Oct 2004 09:49:46 GMT


I'm very interested in this.
How does it work?
Does it send the request as normal then only set the 'I've finished' flag to true when it's
got the end of the content
from the orig request?

does the application care / notice ?

tell me more !

Kind regards
David Cassidy

27/10/2004 09:23    Subject: method to protect webapps from users
Please respond to Developers List

hi guys,

I'm new to this list, but a long time user of Tomcat.  For a long time now
I've had a problem which I'm sure most of you are familiar with: users.

As always happens with any app in development the final tidy up stuff gets
left too late and some stuff gets missed out.  The bit in this case was
holding screens for long running requests.

I've written a filter which will take any request and after a defined
period of time send a generic "please wait" page, after the original
request has finished it will then forward the proper response.

To get this to work properly there is an extra benefit, it can in a lot of
cases stop double clickers by ignoring requests that have been defined as
those not supposed to run concurrently for a given session.

My current implementation is container agnostic which I'm not really happy
with as it means the "please wait" page must be large enough to force a
send of the data through the response stream, however I'm loathe to hack
into the tomcat code to get low enough to fix this unless it is part of
tomcat.  The second problem is detecting multi-part requests and not
allowing the "please wait" page until the multi-part data has been
gathered, currently I just exclude those requests, again a lower level
access would allow this to be fixed properly.

Is this filter or a derivative something that would be of interest?

The basic features that I've implemented are :

please wait page after some defined period with no user coding
Multiple concurrent request per session selectively disabled by URL

I can post the code or distribute however people want if this is something
you are interested in.

In live web-apps I've found this invaluable as users don't get web-apps
and are very impatient, even if the problem is their dodgy old modem or
asking an app to do something it was never designed for.

Before anyone says it I know this is a complete perversion of everything
that is supposed to happen in a web-app, however in the real world users
won't wait 5 seconds for anything unless they are being told it's under
way and I've never got holding screens in all the right places yet.  This
covers them all and where possible reduces the ability of a single user to
submit 100 concurrent requests by hammering a submit button in

Any feed back is most welcome


Peter Mengell
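
One way the "multiple concurrent requests per session selectively disabled by URL" feature described in the original post could be built, as an added example that is not Peter Mengell's filter or Tomcat code. It assumes the javax.servlet API and Java 8 or later; the class name `SingleFlightFilter`, the `guardedPaths` init-param and the 409 response are illustrative choices (the post describes ignoring the duplicate request instead).

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration: allows one in-flight request per (session, guarded path).
public class SingleFlightFilter implements Filter {
    private final Set<String> guarded = new HashSet<>();
    // Keys are "sessionId|path" for requests currently being processed.
    private final Set<String> inFlight = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig cfg) {
        // "guardedPaths" is a hypothetical init-param, e.g. "/order/submit,/report/run".
        String paths = cfg.getInitParameter("guardedPaths");
        if (paths == null) return;
        for (String p : paths.split(",")) {
            if (!p.trim().isEmpty()) guarded.add(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // Container-decoded path, so encoded variants match the same entry.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        if (!guarded.contains(path)) {
            chain.doFilter(rq, rs);
            return;
        }
        String key = req.getSession(true).getId() + "|" + path;
        if (!inFlight.add(key)) { // atomic: false means one is already running
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_CONFLICT);
            return;
        }
        try {
            chain.doFilter(rq, rs);
        } finally {
            inFlight.remove(key); // release even if the application throws
        }
    }

    @Override
    public void destroy() { }
}
```

Because the guard is keyed on the session id, a client that drops its session cookie gets a fresh session on every request and is not constrained by it; it handles double-clicks within a session rather than acting as a rate limit.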
