"Tarpitting" gets its name from e-mail anti-spamming techniques used to slow down the rate at which repetitive access requests for e-mail services are honored by mail servers. The tarpitting concept may be applied to OFBiz web pages when you need to limit the number of times a request for a web page is honored, and thus slow down the rate at which OFBiz responds to certain HTTP/HTTPS requests.
Make sure the controller.xml file containing your protected view has the following Java class configured in the preprocessor section:
<preprocessor> <event name="checkProtectedView" type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/> </preprocessor>
To control the rate at which certain OFBiz web pages are honored, use the security group's protected view option as shown here:
- Log in to the Party Manager application.
- Select the Security tab to bring up the SecurityGroups List.
- Select the desired security group for the protected web page from the list provided to bring up the Edit Security Group with ID web page.
- Select the Protected Views tab.
- For the requested View Name, enter in the view name as configured within the
controller.xmlview-map entry. For example, if you have a view-map similar to the following:<view-map name="MyProtectedScreen" type="screen" page="some page location" />
- The name to enter is
MyProtectedScreen. - Enter in other field values as desired. (Note: the "tarpitting" value is the value entered for the field labeled
Duration. This is the length of time during which the web page view will not be available). - Submit the Form by hitting the Add button. Web page view monitoring and protection is immediate and does not require an OFBiz restart.
The OFBiz controller servlet is the initial point of contact for all HTTP/HTTPS requests. This servlet, modeled after the Model-View-Control (MVC) design pattern, is responsible for handling all aspects of HTTP/HTTPS request processing, including selecting web page views for the requestor and delegating business processing to other OFBiz servlets, Services, and Events.
Adding the ProtectViewWorker.java program to a controller's configuration (via the controller.xml file) tells the controller to pay special attention to certain view requests and, based on the configuration parameters set within the Party Manager application, handle those requests appropriately.
By default, a blank web page is presented when a protected view is blocked. You may change this behavior by editing the ~framework/security/config/security.properties file and modify the following line: default.error.response.view=view:viewBlocked to match a request-map entry as shown here:
<request-map uri="viewBlocked"> <response name="success" type="view" value="viewBlocked" /> </request-map> <view-map name="viewBlocked" type="screen" page="component://common/widget/CommonScreens.xml#viewBlocked"/>