Servlet filter: very simple rate-limiting filter a

Posted 2019-02-11 04:14

Question:

I'd like to add a very simple filter doing a per-IP rate-limit but still allowing burst, a bit like what the iptables allows to do.

I don't want to install the entire kitchen sink: all I need is one Filter class implementing that functionality.

What would be a good data structure / algorithm allowing to do a simple "rate-limiting-but-with-short-bursts allowed"?

For example I'd like to serve an HTTP error code if the user tries to do more than 'x' GET / POST per minute, but I'd still like to enable that same user to "burst" up to 'y' (where y > x) until he hits the burst cap.

Just for comparison, here's how a similar rate-limitation-with-a-burst can be configured using iptables (it's just an example, to show what I'm talking about, even though in my case it's not about putting a rate-limit+burst on TCP SYN packets):

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5

Answer 1:

At Java level:

  • Found a rate limiter based on Esper where you build your own query to match your burst requirement.
  • Jetty has a built-in servlet filter
  • A Java library with the built-in blocks to create your own mechanism
  • Camel has a throttle mechanism

But I think it's easier to implement at webserver level

  • Nginx
  • Apache Httpd

Or with a dedicated server add-on

  • IBM WebSphere DataPower


Answer 2:

You can also look at Guava RateLimiter - it provides a nice starting point for more sophisticated ratelimiters.
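
The behaviour the question asks for (a sustained 'x' requests per minute with bursts up to 'y', the same shape as the iptables `--limit` / `--limit-burst` pair) is a token bucket kept per client IP. The following is an added example, not code from the question or from either answer; the class name `BurstRateLimiter`, its method names and the sample values are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Per-client token bucket: sustained rate x per minute, bursts up to y requests. */
public class BurstRateLimiter {
    private static final class Bucket { double tokens; long lastNanos; }

    private final double refillPerNano;   // x per minute, expressed per nanosecond
    private final double burst;           // y: bucket capacity
    private final ConcurrentHashMap<String, Bucket> buckets = new ConcurrentHashMap<>();

    public BurstRateLimiter(int perMinute, int burst) {
        this.refillPerNano = perMinute / 60e9;
        this.burst = burst;
    }

    /** True if the request may proceed; false means the filter should reject it. */
    public boolean tryAcquire(String clientKey, long nowNanos) {
        boolean[] allowed = new boolean[1];
        // compute() is atomic per key, so concurrent requests from one IP cannot overspend.
        buckets.compute(clientKey, (k, b) -> {
            if (b == null) { b = new Bucket(); b.tokens = burst; b.lastNanos = nowNanos; }
            b.tokens = Math.min(burst, b.tokens + (nowNanos - b.lastNanos) * refillPerNano);
            b.lastNanos = nowNanos;
            if (b.tokens >= 1.0) { b.tokens -= 1.0; allowed[0] = true; }
            return b;
        });
        return allowed[0];
    }

    /** Drop buckets idle long enough to be full again, so the map cannot grow without bound. */
    public void evictIdle(long nowNanos) {
        long fullAfter = (long) (burst / refillPerNano);
        for (String k : buckets.keySet())
            buckets.computeIfPresent(k, (kk, b) -> nowNanos - b.lastNanos >= fullAfter ? null : b);
    }

    public static void main(String[] args) {
        BurstRateLimiter rl = new BurstRateLimiter(60, 5);   // constructed values: 60/min, burst 5
        String ip = "192.0.2.10";                            // constructed sample address
        long t = 0;                                          // simulated clock, in nanoseconds
        for (int i = 1; i <= 7; i++)                         // 7 back-to-back requests
            System.out.println("req " + i + " allowed=" + rl.tryAcquire(ip, t));
        t += 2_500_000_000L;                                 // 2.5 s later: about 2.5 tokens refilled
        for (int i = 8; i <= 10; i++)
            System.out.println("req " + i + " allowed=" + rl.tryAcquire(ip, t));
    }
}
```

In a Filter's `doFilter`, call `tryAcquire(request.getRemoteAddr(), System.nanoTime())`, send an error status such as 429 when it returns false, and run `evictIdle` periodically. Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, so the key must then come from a header that only that trusted proxy sets.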