Re: [jetty-users] Guidance on QoSFilter/DoSFilter

Thanks for the tips re. ForwardedRequestCustomizer. I wasn't aware of it.

OK that all makes sense, I think we might go with the sledge hammer
approach for now.

As for the positioning of Spring Security, I didn't think I would
be able to prioritize requests based on user if the QoS/DoS filter sat
in front of it. But after looking into it I should be able to get the
Spring Security context directly from the session before the filter
runs. So yes, I think putting the DoS filter first is the best option.

Thanks again Joakim.

On Tue, Oct 15, 2019 at 12:31 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
>
> Be careful of ForwardedHeaderFilter.
> Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer.
> They essentially do the same thing, but the Filter + Wrapping approach isn't 100% compatible with 100% of requests (external and internal).
>
> I would recommend using the ForwardedRequestCustomizer only, as it does the correct changes to your Request before the Request even reaches your ServletContext.
> That way it will work on all requests, even internal dispatched ones, request logging, and even on error handling (inside and outside of your ServletContext).
>
> Having both DoSFilter and QoSFilter in the same chain is unusual (but not impossible, nor problematic)
>
> DoSFilter is typically used to control all requests on all url-patterns.
> QoSFilter is typically used to control slow behavior on specific url-patterns that are known to take too much time. (like big database queries)
>
> DoSFilter is the sledgehammer, QoSFilter is the scalpel.
> If you use DoSFilter, there's very little need for QoSFilter. (you are covered)
> And if you understand your webapp well enough to use QoSFilter properly, there's not much need for DoSFilter.
>
> As for where Spring Security should sit in the chain...
> Most people protect all components that have external access (like an LDAP server) on their webapp when selecting to use DoSFilter or QoSFilter.
> If your Spring Security has an external system dependency, then protect it too.
>
> Joakim Erdfelt / joakim@xxxxxxxxxxx
>
>
> On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire <jared@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Can anyone offer any guidance on the usage of QoSFilter and DoSFilter. Specifically, should they be used together and if so in which order?
>>
>> I noticed that the DoSFilter has getPriority(HttpServletRequest, RateTracker) method which can be overridden and looks to provide the same functionality as the QoSFilter.
>>
>> We use Spring Security so I would assume my filter order should be
>>
>> ForwardedHeaderFilter
>> Spring security
>> DoSFilter
>> QoSFilter
>> ...
>>
>> Thanks,
>> Jared Wiltshire
>> Infinite Automation
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
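The arrangement the thread settles on, written out as an added example (this is not code from the thread, from Jetty or from Spring): ForwardedRequestCustomizer on the connector rather than ForwardedHeaderFilter, DoSFilter first in the chain on every path, Spring Security behind it, and a DoSFilter subclass that reads the principal Spring Security has already stored in the session so it can track and prioritize per user before springSecurityFilterChain runs. It assumes embedded Jetty 9.4 (the `extractUserId`, `getPriority` and `getMaxPriority` hooks being protected and `RateTracker` being public), Spring Security and spring-web on the classpath, a WebApplicationContext defining the `springSecurityFilterChain` bean already registered on the servlet context, and the port, init-parameter values and priority numbers are choices made for the example.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.filter.DelegatingFilterProxy;

/**
 * Example DoSFilter subclass (not Jetty's own code): rate limiting is keyed on the
 * Spring Security principal persisted in the HttpSession, so an authenticated user is
 * tracked and prioritized even though this filter runs before springSecurityFilterChain.
 */
public class UserAwareDoSFilter extends DoSFilter {

    // Priority values are chosen for this example; higher means served first when throttled.
    private static final int PRIORITY_AUTHENTICATED = 2;
    private static final int PRIORITY_ANONYMOUS = 0;

    @Override
    protected String extractUserId(ServletRequest request) {
        // getSession(false): never allocate sessions on behalf of an unauthenticated flood.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session == null) {
            return null;
        }
        Object ctx = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (!(ctx instanceof SecurityContext)) {
            return null;
        }
        Authentication auth = ((SecurityContext) ctx).getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth.getName() == null) {
            return null; // fall back to DoSFilter's session/IP tracking
        }
        return auth.getName(); // tracked per user rather than per IP or session
    }

    @Override
    protected int getPriority(HttpServletRequest request, RateTracker tracker) {
        // Requests that queue because of throttling are dequeued highest priority first.
        return extractUserId(request) != null ? PRIORITY_AUTHENTICATED : PRIORITY_ANONYMOUS;
    }

    @Override
    protected int getMaxPriority() {
        return PRIORITY_AUTHENTICATED; // DoSFilter sizes its priority queues from this
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Apply X-Forwarded-* at the connector, so the real client address is visible to
        // every request, including internal dispatches, error handling and request logging.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(8080); // example port
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");

        // 1. The sledgehammer goes first, on every path, before any Spring machinery runs.
        FilterHolder dos = new FilterHolder(UserAwareDoSFilter.class);
        dos.setInitParameter("maxRequestsPerSec", "25");   // example values
        dos.setInitParameter("delayMs", "100");
        dos.setInitParameter("maxWaitMs", "50");
        dos.setInitParameter("trackSessions", "true");
        dos.setInitParameter("insertHeaders", "true");     // DoSFilter_* headers aid detection
        context.addFilter(dos, "/*", EnumSet.of(DispatcherType.REQUEST));

        // 2. Spring Security behind it; DelegatingFilterProxy looks up the bean by filter name.
        FilterHolder spring = new FilterHolder(DelegatingFilterProxy.class);
        spring.setName("springSecurityFilterChain");
        context.addFilter(spring, "/*", EnumSet.of(DispatcherType.REQUEST,
                DispatcherType.ERROR, DispatcherType.ASYNC));

        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

Only the `extractUserId` lookup touches Spring Security, and it is read-only against the session, so the ordering question in the thread disappears: the first request of an anonymous client is throttled by IP or session, and once Spring Security has stored a context in the session every later request from that user is tracked and prioritized under the user name instead.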