1

I am exploring how to put rate limiting functionality on REST APIs which are developed using Spring Boot.

After going through many articles, I came to know that the best way to put rate limiting functionality is with application code, rather than putting it on web servers.

My question is how do you decide which functionality should go where? Since it's monitoring your incoming calls and has nothing to do with business logic, the ideal place should be a web server.

Onki

3 Answers

1

My question is how do you decide which functionality should go where? Since it's monitoring your incoming calls and has nothing to do with business logic, the ideal place should be a web server.

Technically the web server could do the job, but in practice a web server doesn't necessarily have all the needed information, it is not specialized for API consumption, and it may also make the testability of this feature much harder.

Some practical reasons why the web server side could be a bad choice:

  • the developers don't necessarily have the configuration of the HTTP web server locally.
  • you want to write unit and integration tests to check that the rate limitations are applied as specified. Creating a configuration for automated testing is much simpler in the scope of your Java application than with a configuration file defined on a web server.
  • web servers reason in terms of HTTP request-response, not in terms of service. Rate limitations may be applied according to the IP but not only that: the username, the user roles, the type of service may influence the limitations. Not sure that you could get all of these easily from an HTTP server.
    For example, roles are stored on the server side or in a database.

A better option is setting these mechanisms by adding specific and specialized classes or configuration files, which simplifies their reading, their maintenance and their testability.
As you mention Spring Boot in your tags, that and that should interest you.

davidxxx
  • I got your points but the answers you added cannot be used by me. Spring boot starter project is a 3rd party library. And the other article is pointed towards spring cloud. Right now I am exploring the options of implementing basic API based rate limiting using spring embedded web servers. Not sure if it is possible but I can see spring boot has jetty embedded web server and jetty has a rate limiting option. – Onki Aug 05 '19 at 15:56
  • With Jetty? Interesting! Maybe I am wrong but I am afraid that you have some limitations if you need to implement specific rules such as by clients/roles and so forth. About spring-cloud, despite the name, you can use it with Spring Boot even if your application is not the cloud: https://spring.io/projects/spring-cloud – davidxxx Aug 05 '19 at 16:43
  • Spring Cloud provides tools for developers to quickly build some of the common patterns in distributed systems (e.g. configuration management, service discovery, circuit breakers, intelligent routing, micro-proxy, control bus, one-time tokens, global locks, leadership election, distributed sessions, cluster state). – davidxxx Aug 05 '19 at 16:43
  • Is it the right thing to use spring cloud with spring boot just for rate limiting purposes? I am quite new to spring. – Onki Aug 06 '19 at 04:27
  • You could just use the spring-cloud-gateway library: https://spring.io/projects/spring-cloud-gateway – davidxxx Aug 06 '19 at 09:32
  • It seems spring cloud gateway needs a redis instance to use the rate limiting feature, which is again overhead for a simple application – Onki Aug 06 '19 at 14:59
  • 1
    If you want to limit and rationalize the clients' consumption, I would not say that the constraints on your application are simple while your application may be. About Redis, I suppose that current consumptions should not be stored in the application/server state as these should be stateless to allow them to be CNA, so I suppose that using Redis is an excellent way to do that: fast, lightweight and distributed. Good luck and don't hesitate to give feedback whatever you try. – davidxxx Aug 06 '19 at 16:57
  • Thanks davidxxx, will definitely update the thread with whatever I am exploring. Right now, I am trying jetty's DOSFilter which is used for rate limiting purposes. As of now it's not working, so spending time to debug that. It comes as the spring boot embedded server. So let's see how it goes – Onki Aug 07 '19 at 03:59
  • We are going ahead with jetty's DOSFilter. It gives basic rate limiting functionality. It has certain limitations too as it does not work before authentication. Since it's a filter, it is called after the spring security filter chain and hence passes the authentication layer. – Onki Aug 18 '19 at 14:39
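
To illustrate the points raised in the answer above (limits that depend on the user and role, and that can be checked in a plain Java test), here is an added example. It is not code from the answer, from Spring or from Jetty; the class name, role names and quotas are assumptions made for the illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Token bucket per authenticated user, sized by role. Illustrative names throughout. */
public class RoleAwareRateLimiter {
    private static final class Bucket { double tokens; long lastRefill; }

    private final Map<String, Integer> capacityByRole; // requests per window, per role
    private final long windowNanos;
    private final LongSupplier clock;                  // injected so tests control time
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    public RoleAwareRateLimiter(Map<String, Integer> capacityByRole, long windowNanos, LongSupplier clock) {
        this.capacityByRole = capacityByRole;
        this.windowNanos = windowNanos;
        this.clock = clock;
    }

    /** True if the call may proceed; a filter or interceptor would answer HTTP 429 on false. */
    public boolean tryAcquire(String user, String role) {
        int capacity = capacityByRole.getOrDefault(role, 0);
        if (capacity <= 0) return false;               // unknown role: deny by default
        long now = clock.getAsLong();
        // Key on the authenticated principal, not a client-supplied header; evict idle entries in real use.
        Bucket b = buckets.computeIfAbsent(user, k -> {
            Bucket nb = new Bucket(); nb.tokens = capacity; nb.lastRefill = now; return nb;
        });
        synchronized (b) {
            double refill = (now - b.lastRefill) * (double) capacity / windowNanos;
            b.tokens = Math.min(capacity, b.tokens + refill);
            b.lastRefill = now;
            if (b.tokens < 1.0) return false;
            b.tokens -= 1.0;
            return true;
        }
    }

    public static void main(String[] args) {
        long[] now = {0L};                             // fake clock: no sleeping in tests
        RoleAwareRateLimiter rl = new RoleAwareRateLimiter(
            Map.of("USER", 2, "ADMIN", 5), 1_000_000_000L, () -> now[0]);
        boolean[] got = { rl.tryAcquire("alice", "USER"), rl.tryAcquire("alice", "USER"),
                          rl.tryAcquire("alice", "USER"), rl.tryAcquire("bob", "ADMIN") };
        now[0] += 500_000_000L;                        // half a window later: one USER token back
        boolean afterWait = rl.tryAcquire("alice", "USER");
        if (!(got[0] && got[1] && !got[2] && got[3] && afterWait)) throw new AssertionError("unexpected decision");
        System.out.println("third call throttled, other user unaffected, token refilled after 0.5 s");
    }
}
```

The buckets here live in one JVM's memory, so each application instance counts separately; a shared store is needed when several instances must enforce a single quota.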
0

I recommend spring-cloud-gateway's rate limiter

WonChul Heo
  • 2
    Can you add a bit more explanation from your end, I mean how your link would solve "which functionality should go where" ? – Rex5 Aug 05 '19 at 03:34
  • 1
    and it does not answer my question. Question is why to add rate limiting on app end and not on what can be used to implement this. – Onki Aug 05 '19 at 04:17
-1

You could separate this functionality from your business logic by using Filters.

https://www.baeldung.com/spring-boot-add-filter

Flip