Hi, Dave.

I took a look into it and I found another place that has very intensive database queries:

RequestMappingFilter.doFilter() --> WeblogRequestMapper.handleRequest()

RequestMappingFilter's URL mapping is /*, so it checks every HTTP request. WeblogRequestMapper.handleRequest() verifies ALL requests, I mean, including those css, js and image files, with named JPA queries. Actually, both PageServlet and RequestMappingFilter query the weblog with the handle. It looks like the database is used as a hashtable in these two functions, while a database is usually used for account data transactions and relational data management.

Now for each web page request there are at least 'eleven' database queries: one for the text/html content in PageServlet and ten requests in the mapping filter for everything including the text/html. I feel that there could be even more database wires, since many people work on Roller and everyone tends to add some more wires. It seems that there should be a top-down design solution for this issue.

I'd like to hear something from you.

David

--- On Tue, 5/25/10, Dave <[email protected]> wrote:

From: Dave <[email protected]>
Subject: Re: Roller's implementation on conditional Get
To: [email protected], [email protected]
Date: Tuesday, May 25, 2010, 9:14 PM

On Tue, May 25, 2010 at 8:59 PM, (David) Ming Xia <[email protected]> wrote:
> Thank you very much Dave for your response.
>
> You are right. Only the text/html content is mapped to URI
> /roller-ui/rendering/page and caught by PageServlet and invoked JPA named
> query for weblog. All the resource files are mapped to URI
> '/roller-ui/rendering/resources'. Roller is very complicated, indeed.
>
> Now I would like to ask one more question. Now we know, for each query to
> a weblog page, there is going to be one named JPA query, or a database select
> query. What if someone launches an attack on weblog pages on a Roller site?
> While the registration page and login page can be protected with captcha, weblog
> pages have to withstand whatever it is. Now the bottleneck of Roller will be
> the database server. Roller should be easily scaled up by different
> means such as clustering.
>
> What do you think we should do to protect Roller against an attack
> described above? Do you think it would be better if we use a cache for
> last-modified?

Yes, caching last-modified for each weblog could help here -- you could do this via relatively small changes to the PageServlet and I'd recommend FeedServlet too.

- Dave
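
An added example, not part of the thread and not Roller's code: one way to cache last-modified per weblog handle so that repeat conditional GETs are answered without a database select. The class names, the loader function standing in for the JPA query, and the sample timestamp are assumptions made for the illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

// Added illustration, not Roller code: last-modified cached per weblog handle.
public class LastModifiedCacheDemo {

    static final class LastModifiedCache {
        private final Map<String, Long> byHandle = new ConcurrentHashMap<>();
        private final Function<String, Long> loader; // stands in for the JPA named query

        LastModifiedCache(Function<String, Long> loader) { this.loader = loader; }

        // True when a 304 can be returned without rendering or querying again.
        boolean notModified(String handle, long ifModifiedSince) {
            if (ifModifiedSince < 0) return false; // header absent (getDateHeader returns -1)
            // A null result (unknown handle) is not stored, so the map only
            // ever holds handles that exist in the database.
            Long lastModified = byHandle.computeIfAbsent(handle, loader);
            if (lastModified == null) return false;
            // HTTP dates carry whole seconds; drop millis before comparing.
            return lastModified / 1000 * 1000 <= ifModifiedSince;
        }

        // Call wherever a weblog or its entries are saved.
        void invalidate(String handle) { byHandle.remove(handle); }
    }

    public static void main(String[] args) {
        AtomicInteger dbQueries = new AtomicInteger();
        long savedAt = 1274836440123L; // constructed sample timestamp (millis)
        LastModifiedCache cache = new LastModifiedCache(handle -> {
            dbQueries.incrementAndGet(); // counts simulated database selects
            return "demo".equals(handle) ? Long.valueOf(savedAt) : null;
        });
        long clientCopy = savedAt / 1000 * 1000; // value a browser echoes back

        int notModified = 0;
        for (int i = 0; i < 1000; i++) {
            if (cache.notModified("demo", clientCopy)) notModified++;
        }
        System.out.println("304 responses: " + notModified + ", selects: " + dbQueries.get());

        cache.invalidate("demo"); // weblog updated: next request reloads once
        cache.notModified("demo", clientCopy);
        System.out.println("selects after invalidate: " + dbQueries.get());
    }
}
```

In a clustered deployment the invalidation would also have to reach the other nodes, or entries would need a short expiry, which this sketch leaves out.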
