org.apache.catalina.filters

Class RateLimitFilter

java.lang.Object

javax.servlet.GenericFilter

org.apache.catalina.filters.RateLimitFilter

All Implemented Interfaces:

java.io.Serializable, Filter, FilterConfig

public class RateLimitFilter
extends GenericFilter

Servlet filter that can help mitigate Denial of Service (DoS) and Brute Force attacks by limiting the number of a requests that are allowed from a single IP address within a time window (also referred to as a time bucket), e.g. 300 Requests per 60 seconds.

The filter works by incrementing a counter in a time bucket for each IP address, and if the counter exceeds the allowed limit then further requests from that IP are dropped with a "429 Too many requests" response until the bucket time ends and a new bucket starts.

The filter is optimized for efficiency and low overhead, so it converts some configured values to more efficient values. For example, a configuration of a 60 seconds time bucket is converted to 65.536 seconds. That allows for very fast bucket calculation using bit shift arithmetic. In order to remain true to the user intent, the configured number of requests is then multiplied by the same ratio, so a configuration of 100 Requests per 60 seconds, has the real values of 109 Requests per 65 seconds.

It is common to set up different restrictions for different URIs. For example, a login page or authentication script is typically expected to get far less requests than the rest of the application, so you can add a filter definition that would allow only 5 requests per 15 seconds and map those URIs to it.

You can set enforce to false to disable the termination of requests that exceed the allowed limit. Then your application code can inspect the Request Attribute org.apache.catalina.filters.RateLimitFilter.Count and decide how to handle the request based on other information that it has, e.g. allow more requests to certain users based on roles, etc.

WARNING: if Tomcat is behind a reverse proxy then you must make sure that the Rate Limit Filter sees the client IP address, so if for example you are using the Remote IP Filter, then the filter mapping for the Rate Limit Filter must come after the mapping of the Remote IP Filter to ensure that each request has its IP address resolved before the Rate Limit Filter is applied. Failure to do so will count requests from different IPs in the same bucket and will result in a self inflicted DoS attack.

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_BUCKET_DURATION default duration in seconds
static int	DEFAULT_BUCKET_REQUESTS default number of requests per duration
static boolean	DEFAULT_ENFORCE default value for enforce
static int	DEFAULT_STATUS_CODE default status code to return if requests per duration exceeded
static java.lang.String	DEFAULT_STATUS_MESSAGE default status message to return if requests per duration exceeded
static java.lang.String	PARAM_BUCKET_DURATION init-param to set the bucket duration in seconds
static java.lang.String	PARAM_BUCKET_REQUESTS init-param to set the bucket number of requests
static java.lang.String	PARAM_ENFORCE init-param to set the enforce flag
static java.lang.String	PARAM_STATUS_CODE init-param to set a custom status code if requests per duration exceeded
static java.lang.String	PARAM_STATUS_MESSAGE init-param to set a custom status message if requests per duration exceeded
static java.lang.String	RATE_LIMIT_ATTRIBUTE_COUNT request attribute that will contain the number of requests per duration

Constructor Summary

Constructors

Constructor and Description
RateLimitFilter()

Method Summary

Modifier and Type	Method and Description
void	destroy() Called by the web container to indicate to a filter that it is being taken out of service.
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain) The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
int	getActualDurationInSeconds()
int	getActualRequests()
void	init() Convenience method for sub-classes to save them having to call super.init(config).

Methods inherited from class javax.servlet.GenericFilter

getFilterConfig, getFilterName, getInitParameter, getInitParameterNames, getServletContext, init

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_BUCKET_DURATION

public static final int DEFAULT_BUCKET_DURATION

default duration in seconds

See Also:

Constant Field Values

DEFAULT_BUCKET_REQUESTS

public static final int DEFAULT_BUCKET_REQUESTS

default number of requests per duration

See Also:

Constant Field Values

DEFAULT_ENFORCE

public static final boolean DEFAULT_ENFORCE

default value for enforce

See Also:

Constant Field Values

DEFAULT_STATUS_CODE

public static final int DEFAULT_STATUS_CODE

default status code to return if requests per duration exceeded

See Also:

Constant Field Values

DEFAULT_STATUS_MESSAGE

public static final java.lang.String DEFAULT_STATUS_MESSAGE

default status message to return if requests per duration exceeded

See Also:

Constant Field Values

RATE_LIMIT_ATTRIBUTE_COUNT

public static final java.lang.String RATE_LIMIT_ATTRIBUTE_COUNT

request attribute that will contain the number of requests per duration

See Also:

Constant Field Values

PARAM_BUCKET_DURATION

public static final java.lang.String PARAM_BUCKET_DURATION

init-param to set the bucket duration in seconds

See Also:

Constant Field Values

PARAM_BUCKET_REQUESTS

public static final java.lang.String PARAM_BUCKET_REQUESTS

init-param to set the bucket number of requests

See Also:

Constant Field Values

PARAM_ENFORCE

public static final java.lang.String PARAM_ENFORCE

init-param to set the enforce flag

See Also:

Constant Field Values

PARAM_STATUS_CODE

public static final java.lang.String PARAM_STATUS_CODE

init-param to set a custom status code if requests per duration exceeded

See Also:

Constant Field Values

PARAM_STATUS_MESSAGE

public static final java.lang.String PARAM_STATUS_MESSAGE

init-param to set a custom status message if requests per duration exceeded

See Also:

Constant Field Values

Constructor Detail

RateLimitFilter

public RateLimitFilter()

Method Detail

getActualRequests

public int getActualRequests()

Returns:

the actual maximum allowed requests per time bucket

getActualDurationInSeconds

public int getActualDurationInSeconds()

Returns:

the actual duration of a time bucket in milliseconds

init

public void init()
          throws ServletException

Description copied from class: javax.servlet.GenericFilter

Convenience method for sub-classes to save them having to call super.init(config). This is a NO-OP by default.

Overrides:

init in class GenericFilter

Throws:

ServletException - If an exception occurs that interrupts the Filter's normal operation

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws java.io.IOException,
                     ServletException

Description copied from interface: javax.servlet.Filter

The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

Parameters:

request - The request to process

response - The response associated with the request

chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing

Throws:

java.io.IOException - if an I/O error occurs during this filter's processing of the request

ServletException - if the processing fails for any other reason

destroy

public void destroy()

Description copied from interface: javax.servlet.Filter

Called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the doFilter method again on this instance of the filter.

This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make sure that any persistent state is synchronized with the filter's current state in memory. The default implementation is a NO-OP.