Comments (7)
Does Jetty 12 support any way of user-id based rate-limiting? Or do Jetty users have to roll their own implementation of this?
Jetty 12 will not support user-id based rate limiting, because it is very often too application specific, and may put the server under pressure.
I recommend that you carefully review your current usage, and make sure that any user-id you are using is a valid one (for example, after authentication).
from jetty.project.
+1 as this broke our dependency on DosFilter that used extractUserId.
- What is the way forward?
- How can such breaking changes be avoided in future?
from jetty.project.
Is there a way to make it work, i.e. keeping the behaviour of extractUserId while achieving the goal of the commit?
No, as user/auth based tracking breaks the fundamental contract of Rate Tracking that is used at the server level (to accomplish DosFilter based filtering on userId, it needed to remove arbitrary server level Rate Tracking to do it, which breaks server level Rate Tracking).
There is also the fact that session, auth, and user_id based entries are also exposed across different requests breaking the Servlet request contract.
And the session and auth entries accumulate improperly and are not cleaned up in a timely manner.
Note that this was removed from all versions of Jetty, from 9.4.x thru to 12.0.x
from jetty.project.
Jetty 9.x is now at End of Community Support.
The change in DosFilter was done as Session (and auth/user id) tracking is no longer supported.
The extractUserId in turn is no longer called.
The way forward is to not use an unsupported version of Jetty, you should be using Jetty 12 at this point in time (even if you are using javax.servlet.* classes, you can use the ee8 environment on Jetty 12)
from jetty.project.
@joakime thanks for looking into this!
The way forward is to not use an unsupported version of Jetty, you should be using Jetty 12 at this point in time (even if you are using javax.servlet.* classes, you can use the ee8 environment on Jetty 12)
Does Jetty 12 support any way of user-id based rate-limiting? Or do Jetty users have to roll their own implementation of this?
from jetty.project.
thanks all for the explanation 👍
from jetty.project.
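For readers who do roll their own, the sketch below is an added example, not Jetty code and not from any commenter in this thread. It shows a per-user limiter that addresses the two concerns raised above: state is created only for an authenticated user id, and tracked entries are bounded and expire. The class name `UserRateLimiter` and its parameters are hypothetical; the caller is assumed to pass the name from `HttpServletRequest.getUserPrincipal()` after authentication has completed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Fixed-window per-user limiter with bounded, expiring state (hypothetical example). */
public class UserRateLimiter {
    private record Window(long startMillis, int count) {}

    private final int maxPerWindow;
    private final long windowMillis;
    private final int maxTrackedUsers;
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public UserRateLimiter(int maxPerWindow, long windowMillis, int maxTrackedUsers) {
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
        this.maxTrackedUsers = maxTrackedUsers;
    }

    /** userId must be the authenticated principal name, never a client-supplied value. */
    public boolean allow(String userId, long nowMillis) {
        // No per-user state for unauthenticated requests; reject here and
        // let the caller apply a separate policy to them.
        if (userId == null) return false;
        // Soft cap on tracked users so the table cannot grow without limit.
        if (windows.size() >= maxTrackedUsers && !windows.containsKey(userId)) {
            evictExpired(nowMillis);
            if (windows.size() >= maxTrackedUsers) return false; // fail closed
        }
        // Atomically start a new window or count the request in the current one.
        Window w = windows.compute(userId, (k, old) ->
            (old == null || nowMillis - old.startMillis() >= windowMillis)
                ? new Window(nowMillis, 1)
                : new Window(old.startMillis(), old.count() + 1));
        return w.count() <= maxPerWindow;
    }

    /** Drops entries whose window has ended; also suitable for a periodic task. */
    public void evictExpired(long nowMillis) {
        windows.values().removeIf(w -> nowMillis - w.startMillis() >= windowMillis);
    }

    public static void main(String[] args) {
        // Constructed scenario: 3 requests per 1000 ms, at most 2 tracked users.
        UserRateLimiter limiter = new UserRateLimiter(3, 1000, 2);
        for (int i = 1; i <= 4; i++)
            System.out.println("alice #" + i + " -> " + limiter.allow("alice", i));
        System.out.println("anonymous -> " + limiter.allow(null, 5));
        System.out.println("bob -> " + limiter.allow("bob", 6));
        System.out.println("carol (table full) -> " + limiter.allow("carol", 7));
        System.out.println("carol (after expiry) -> " + limiter.allow("carol", 2000));
    }
}
```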