HttpClient超时机制(安全问题处理:访问超大文件控制)
背景
最近一直在做项目,其中的一个功能点,主要是访问外部网站并获取页面的字符串,具体的网站url完全是由用户输入,所以存在一定的安全隐患。从测试来看,如果给定的一部电影的url地址,链接会一直不能被关闭,直到数据流被读完,如果来个几十次这样的请求,应用估计也差不多崩溃了
说明: 项目中使用的HttpClient版本是3.1
测试
一般的HttpClient使用例子:
MultiThreadedHttpConnectionManager manager = new MultiThreadedHttpConnectionManager();
HttpClient client = new HttpClient(manager);
client.setConnectionTimeout(30000);
client.setTimeout(30000);GetMethod get = new GetMethod("http://download.jboss.org/jbossas/7.0/jboss-7.0.0.Alpha1/jboss-7.0.0.Alpha1.zip");
try {
client.executeMethod(get); //发起请求
String result = get.getResponseBodyAsString(); //获取数据
} catch (Exception e) {
} finally {
get.releaseConnection(); //释放链接
}这里我给出的一个url是近20MB的一个下载资源,很快发现线程要等个很久。 咋办,得加个timeout超时机制。
"main" prio=10 tid=0x0899e800 nid=0x4010 runnable [0xb7618000..0xb761a1c8]
java.lang.Thread.State: RUNNABLE
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
- locked <0xb23a4c30> (a java.io.BufferedInputStream)
at org.apache.commons.httpclient.ContentLengthInputStream.read(ContentLengthInputStream.java:156)
at org.apache.commons.httpclient.ContentLengthInputStream.read(ContentLengthInputStream.java:170)
at org.apache.commons.httpclient.ChunkedInputStream.exhaustInputStream(ChunkedInputStream.java:338)
at org.apache.commons.httpclient.ContentLengthInputStream.close(ContentLengthInputStream.java:104)
at java.io.FilterInputStream.close(FilterInputStream.java:155)
at org.apache.commons.httpclient.AutoCloseInputStream.notifyWatcher(AutoCloseInputStream.java:179)
at org.apache.commons.httpclient.AutoCloseInputStream.close(AutoCloseInputStream.java:143)
at org.apache.commons.httpclient.HttpMethodBase.releaseConnection(HttpMethodBase.java:1341)
分析
目前httpClient3.1只支持3种timeout的设置:
connectionTimeout : socket建立链接的超时时间,Httpclient包中通过一个异步线程去创建socket链接,对应的超时控制。
timeoutInMilliseconds : socket read数据的超时时间, socket.setSoTimeout(timeout);
httpConnectionTimeout : 如果那个的是MultiThreadedHttpConnectionManager,对应的是从连接池获取链接的超时时间。
分析一下问题,我们需要的是一个HttpClient整个链接读取的一个超时时间,包括请求发起,Http Head解析,response流读取的一系列时间的总和。
目标很明确,对应的修正后的测试代码:
final MultiThreadedHttpConnectionManager manager = new MultiThreadedHttpConnectionManager();
final HttpClient client = new HttpClient(manager);
client.setConnectionTimeout(30000);
client.setTimeout(30000);
final GetMethod get = new GetMethod(
"http://download.jboss.org/jbossas/7.0/jboss-7.0.0.Alpha1/jboss-7.0.0.Alpha1.zip");Thread t = new Thread(new Runnable() {
@Override
public void run() {
try {
client.executeMethod(get);
String result = get.getResponseBodyAsString();
} catch (Exception e) {
// ignore
}
}
}, "Timeout guard");
t.setDaemon(true);
t.start();
try {
t.join(5000l); //等待5s后结束
} catch (InterruptedException e) {
System.out.println("out finally start");
((MultiThreadedHttpConnectionManager) client.getHttpConnectionManager()).shutdown();
System.out.println("out finally end");
}
if (t.isAlive()) {
System.out.println("out finally start");
((MultiThreadedHttpConnectionManager) client.getHttpConnectionManager()).shutdown();
System.out.println("out finally end");
t.interrupt();
// throw new TimeoutException();
}
System.out.println("done");
这里通过Thread.join方法,设置了超时时间为5000 ms,这是比较早的用法。 如果熟悉cocurrent包的,可以直接使用Future和ThreadPoolExecutor进行异步处理,缓存对应的Thread。
ExecutorService service = Executors.newCachedThreadPool();
Future future = service.submit(new Callable<String>() {@Override
public String call() throws Exception {try {
&
补充:综合编程 , 安全编程 ,
