org.hd.d.efs.servlet
Class GathererServletFilter

java.lang.Object
  extended by org.hd.d.efs.servlet.GathererServletFilter
All Implemented Interfaces:
javax.servlet.Filter

public class GathererServletFilter
extends java.lang.Object
implements javax.servlet.Filter

This servlet filter gathers clickstream entropy for the EntropyPool. This injects entropy into a named pool via a GathererServlet. (We swerve IllegalArgumentException troubles that may be caused by us trying to inject entropy before the pools have been created.)

This can be used to help generate more secure and better random numbers for use elsewhere in the application.


Constructor Summary
GathererServletFilter()
           
 
Method Summary
 void destroy()
          Take this filter out of service.
 void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
          Intercepts an incoming HTTP request.
 void init(javax.servlet.FilterConfig filterConfig)
          Place this filter into service.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

GathererServletFilter

public GathererServletFilter()
Method Detail

init

public void init(javax.servlet.FilterConfig filterConfig)
Place this filter into service.

Specified by:
init in interface javax.servlet.Filter

destroy

public void destroy()
Take this filter out of service.

Specified by:
destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
Intercepts an incoming HTTP request. We sample user parameters after the request has completed (in the hope of not adding noticeably to latency) and hash them down to a smallish number of bytes that we then put into the entropy pool.

We add items like a counter into the generated hash to make a chosen injected chosen plain-text attack on our EntropyPool harder, and we claim entropy mainly from the presumed timing jitter on incoming requests, though we may claim more entropy on the request content when the current request appears to come from a radically different visitor than the last (judged by IP address). (We judge inter-user visits are more likely to be independent in timing and content than successive visits by the same or closely-related users, though concerted action can defeat this simple filter.)

Specified by:
doFilter in interface javax.servlet.Filter
Throws:
java.io.IOException
javax.servlet.ServletException