How to add request timeout or connection timeout in traditional spring mvc application to prevent ''slow http post vulnerability"?

Question

There are following points to make you understand about my application:

1. I have a traditional spring web application running on Wild-fly.
2. In my application I have view controller and other controllers.
3. I have web.xml file and jboss xml file to configure context path.
4. Request to controller comes through either ajax request or simple get request from browser.

I want to keep safe my application from possible 'Slow HTTP Post Vulnerability'. For that I have decided if any request takes more than specified amount of time then my application release that connection and throw request time-out exception.

My question is : How can I implement request time in traditional spring mvc application ?

Note : You are most welcome If you have any other solution to prevent 'slow HTTP post vulnerability'.

Answer 1

You could delegate each controller invocation to a separate thread and then monitor that thread if/until it breaches your timeout condition. Java's ExecutorService already supports something much like this with its awaitTermination() feature.

Using Spring's support for asynchronous controllers (or more generally; implementing non blocking services) would formalise this approach since (a) it would force you to delegate your controller invocations to a separate threadpool and (b) it would encourage you to safely manage the resources available in this threadpool. More details on this approach here and here .

But, however you perform this delegation once you have each controller invocation running in a separate thread (separate from the original invocation, I mean) you will then be able to control how long that thread can run and if it exceeds some configured timeout you can respond with a relevant HTTP status .