Question:
In a Java servlet, how can I throttle HTTP requests coming from users based on the client's IP address? I do not want to serve more than X requests per second coming from a particular source IP address, where X is configurable and has practical values in the [0.1; 10] range (from 1 request in 10 sec to 10 requests per sec).
Answer 1:
The owasp-esapi-java project, hosted at code.google.com, has an implementation of a throttle filter that you can use "as is" or use as inspiration for your own.
You can check the code at the following link:
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
Answer 2:
Use a servlet filter: if you're on Jetty 7.0 or higher there is this
Answer 3:
I would write a Filter for that task.
Answer 4:
As @EJP said, using a Filter with a HashMap that stores the last access time by IP address key. 10 requests a second would translate to 100ms between calls, minimum. Sending a server busy error code back and killing the request will quickly close the resources used by the connection. There are prebuilt solutions for Apache if that's an option for you.
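The filter-plus-map approach described in answer 4, written out as an added example that is not part of any answer on this page. It assumes the javax.servlet API; the class name `IpThrottleFilter`, the init-param name `requestsPerSecond` and the `MAX_TRACKED` cap are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example: per-IP throttle enforcing a minimum interval between accepted requests.
public class IpThrottleFilter implements Filter {
    private static final int MAX_TRACKED = 100_000; // assumed cap on tracked addresses
    private final ConcurrentHashMap<String, Long> lastAccepted = new ConcurrentHashMap<>();
    private long minIntervalNanos;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // "requestsPerSecond" is a hypothetical init-param; X must lie in [0.1, 10].
        String p = cfg.getInitParameter("requestsPerSecond");
        double x = (p == null) ? 1.0 : Double.parseDouble(p);
        if (x < 0.1 || x > 10.0) throw new ServletException("requestsPerSecond out of range");
        minIntervalNanos = (long) (1_000_000_000L / x); // X = 10 -> 100 ms, X = 0.1 -> 10 s
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Behind a reverse proxy this is the proxy's address, not the end client's.
        String ip = req.getRemoteAddr();
        long now = System.nanoTime(); // monotonic, unaffected by wall-clock changes
        boolean[] allowed = {false};
        // compute() is atomic per key, so concurrent requests from one IP cannot both pass.
        // Only accepted requests update the timestamp; rejected ones do not extend the wait.
        lastAccepted.compute(ip, (k, prev) -> {
            if (prev == null || now - prev >= minIntervalNanos) { allowed[0] = true; return now; }
            return prev;
        });
        // Bound memory: an entry older than the interval carries no state worth keeping.
        if (lastAccepted.size() > MAX_TRACKED) {
            lastAccepted.values().removeIf(t -> now - t >= minIntervalNanos);
        }
        if (!allowed[0]) {
            HttpServletResponse http = (HttpServletResponse) res;
            long retrySec = Math.max(1, (minIntervalNanos + 999_999_999L) / 1_000_000_000L);
            http.setHeader("Retry-After", String.valueOf(retrySec));
            http.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); // 503, chain not invoked
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { lastAccepted.clear(); }
}
```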
Answer 5:
Check if the container you are using provides this kind of Denial Of Service. If not, then you would have to go with a filter.
ServletRequest.getRemoteHost() gives you access to the client IP.