Guidance on QoSFilter/DoSFilter


Guidance on QoSFilter/DoSFilter

Jared Wiltshire
Can anyone offer any guidance on the usage of QoSFilter and DoSFilter? Specifically, should they be used together, and if so, in which order?

I noticed that the DoSFilter has a getPriority(HttpServletRequest, RateTracker) method which can be overridden and looks to provide the same functionality as the QoSFilter.

We use Spring Security so I would assume my filter order should be
  1. ForwardedHeaderFilter
  2. Spring security
  3. DoSFilter
  4. QoSFilter
  5. ...
Thanks,
Jared Wiltshire
Infinite Automation

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: Guidance on QoSFilter/DoSFilter

Joakim Erdfelt-8
Be careful of ForwardedHeaderFilter.
Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer.
They essentially do the same thing, but the Filter + Wrapping approach isn't 100% compatible with 100% of requests (external and internal).

I would recommend using the ForwardedRequestCustomizer only, as it does the correct changes to your Request before the Request even reaches your ServletContext.
That way it will work on all requests, even internal dispatched ones, request logging, and even on error handling (inside and outside of your ServletContext).

Having both DoSFilter and QoSFilter in the same chain is unusual (but not impossible, nor problematic).

DoSFilter is typically used to control all requests on all url-patterns.
QoSFilter is typically used to control slow behavior on specific url-patterns that are known to take too much time. (like big database queries)

DoSFilter is the sledgehammer, QoSFilter is the scalpel.
If you use DoSFilter, there's very little need for QoSFilter. (you are covered)
And if you understand your webapp well enough to use QoSFilter properly, there's not much need for DoSFilter.

As for where Spring Security should sit in the chain...
Most people protect all components that have external access (like an LDAP server) on their webapp when selecting to use DoSFilter or QoSFilter.
If your Spring Security has an external system dependency, then protect it too.

Joakim Erdfelt / [hidden email]


On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire <[hidden email]> wrote:
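An added example wiring up the arrangement Joakim describes (not code from this thread, nor Jetty's or Spring's own code): embedded Jetty 9.4 with ForwardedRequestCustomizer on the connector's HttpConfiguration instead of a ForwardedHeaderFilter, DoSFilter mapped to /* ahead of Spring Security so the security chain and anything it calls out to is covered, and QoSFilter mapped only to one path known to be slow. The port, the /api/reports/* path, the SecurityConfig class, the whitelisted address and the init-param values are assumptions for illustration; the Spring bootstrap is the usual ContextLoaderListener plus DelegatingFilterProxy pairing.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;
import org.eclipse.jetty.servlets.QoSFilter;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

public class FilterOrderExample {

    public static Server build(int port) {
        Server server = new Server();

        // Forwarded / X-Forwarded-* handling as a connector customizer, not a servlet Filter.
        // The customizer rewrites scheme and remote address before any handler or filter
        // runs, so getRemoteAddr() already holds the client address when DoSFilter keys its
        // per-IP rate tracker. With a wrapping Filter instead, DoSFilter placed before it
        // would see the reverse proxy's address for every request.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(port);
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        server.setHandler(context);

        // Root WebApplicationContext for Spring; SecurityConfig is an assumed @EnableWebSecurity class.
        AnnotationConfigWebApplicationContext spring = new AnnotationConfigWebApplicationContext();
        spring.register(SecurityConfig.class);
        context.addEventListener(new ContextLoaderListener(spring));

        EnumSet<DispatcherType> requestOnly = EnumSet.of(DispatcherType.REQUEST);

        // 1. The sledgehammer: DoSFilter on every URL, mapped first so it also shields the
        //    Spring Security chain (and any LDAP/database it consults during authentication).
        FilterHolder dos = new FilterHolder(DoSFilter.class);
        dos.setInitParameter("maxRequestsPerSec", "25");   // per tracked client (IP, session or user)
        dos.setInitParameter("delayMs", "100");            // delay over-limit requests; "-1" rejects outright
        dos.setInitParameter("maxWaitMs", "50");
        dos.setInitParameter("throttledRequests", "5");
        dos.setInitParameter("throttleMs", "30000");
        dos.setInitParameter("maxRequestMs", "30000");     // requests running longer than this are aborted
        dos.setInitParameter("insertHeaders", "true");     // adds DoSFilter headers, handy while tuning
        dos.setInitParameter("ipWhitelist", "127.0.0.1");  // assumed: a local health checker
        context.addFilter(dos, "/*", requestOnly);

        // 2. Spring Security's chain; DelegatingFilterProxy looks up the bean by the filter name.
        FilterHolder security = new FilterHolder(DelegatingFilterProxy.class);
        security.setName("springSecurityFilterChain");
        context.addFilter(security, "/*",
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC));

        // 3. The scalpel: QoSFilter only on the endpoint known to run big queries.
        FilterHolder qos = new FilterHolder(QoSFilter.class);
        qos.setInitParameter("maxRequests", "4");          // concurrent requests allowed into this path
        qos.setInitParameter("waitMs", "50");
        qos.setInitParameter("suspendMs", "10000");        // queued requests wait up to 10 s for a slot
        context.addFilter(qos, "/api/reports/*", requestOnly);

        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

Filters run in the order they are added, so a request to /api/reports/* passes DoSFilter, then Spring Security, then QoSFilter. One caveat a practitioner should keep in mind with the customizer: it trusts the forwarded headers on every request that reaches the connector, so only enable it on a connector that is reachable solely through the proxy. A client that can reach Jetty directly could otherwise set its own X-Forwarded-For and thereby choose which per-IP bucket DoSFilter counts it in.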

Re: Guidance on QoSFilter/DoSFilter

Jared Wiltshire
Thanks for the tips re. ForwardedRequestCustomizer. I wasn't aware of it.

OK, that all makes sense. I think we might go with the sledgehammer approach for now.

As for the positioning of Spring Security, I thought I would not be able to prioritize requests based on user if the QoS/DoS filter sat in front of it. But after looking into it, I should be able to get the Spring Security context directly from the session before the filter runs. So yes, I think putting the DoS filter first is the best option.

Thanks again Joakim.

On Tue, Oct 15, 2019 at 12:31 PM Joakim Erdfelt <[hidden email]> wrote:

>
> Be careful of ForwardedHeaderFilter.
> Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer.
> They essentially do the same thing, but the Filter + Wrapping approach isn't 100% compatible with 100% of requests (external and internal).
>
> I would recommend using the ForwardedRequestCustomizer only, as it does the correct changes to your Request before the Request even reaches your ServletContext.
> That way it will work on all requests, even internal dispatched ones, request logging, and even on error handling (inside and outside of your ServletContext).
>
> Having both DoSFilter and QoSFilter in the same chain is unusual (but not impossible, nor problematic)
>
> DoSFilter is typically used to control all requests on all url-patterns.
> QoSFilter is typically used to control slow behavior on specific url-patterns that are known to take too much time. (like big database queries)
>
> DoSFilter is the sledgehammer, QoSFilter is the scalpel.
> If you DoSFilter, there's very little need for QoSFilter. (you are covered)
> And if you understand your webapp well enough to use QoSFilter properly, there's not much need for DoSFilter.
>
> As for where Spring Security should sit in the chain...
> Most people protect all components that have external access (like a LDAP server) on their webapp when selecting to use DoSFilter or QoSFilter.
> If your Spring Security has an external system dependency, then protect it too.
>
> Joakim Erdfelt / [hidden email]
>
>
> On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire <[hidden email]> wrote:
>>
>> Can anyone offer any guidance on the usage of QoSFilter and DoSFilter. Specifically, should they be used together and if so in which order?
>>
>> I noticed that the DoSFilter has getPriority(HttpServletRequest, RateTracker) method which can be overridden and looks to provide the same functionality as the QoSFilter.
>>
>> We use Spring Security so I would assume my filter order should be
>>
>> ForwardedHeaderFilter
>> Spring security
>> DoSFilter
>> QoSFilter
>> ...
>>
>> Thanks,
>> Jared Wiltshire
>> Infinite Automation
>> _______________________________________________
>> jetty-users mailing list
>> [hidden email]
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
> _______________________________________________
> jetty-users mailing list
> [hidden email]
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
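An added example of the approach in this last reply (not code from the thread, nor Jetty's or Spring's own): a DoSFilter subclass that sits ahead of Spring Security in the chain and reads the SecurityContext that Spring's HttpSessionSecurityContextRepository keeps in the HttpSession, reporting the authenticated principal's name as the user id. It overrides extractUserId rather than the getPriority method mentioned in the thread. In my reading of the Jetty 9.4 source (not something the thread states), getPriority puts any request with a non-null user id into the top priority class and getRateTracker uses that same id as the tracking key, so the smaller hook changes both the throttling priority and the rate bucket. The class name is an assumption.

```java
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.servlets.DoSFilter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * DoSFilter that keys rate tracking (and with it the throttling priority) on the
 * Spring Security principal found in the session. Because this filter runs before
 * Spring Security's own filter, SecurityContextHolder is still empty on this thread;
 * the session attribute written by HttpSessionSecurityContextRepository on the user's
 * previous requests is the only reliable source. Hypothetical class name.
 */
public class SpringAwareDoSFilter extends DoSFilter {

    @Override
    protected String extractUserId(ServletRequest request) {
        // Whatever the base class already knows (null in the stock implementation).
        String fromBase = super.extractUserId(request);
        if (fromBase != null) {
            return fromBase;
        }
        if (!(request instanceof HttpServletRequest)) {
            return null;
        }
        // getSession(false): never create a session from inside a DoS filter, or every
        // anonymous request could make the server allocate session state.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (!(stored instanceof SecurityContext)) {
            return null;
        }
        Authentication auth = ((SecurityContext) stored).getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return null;
        }
        // Anonymous tokens carry a principal ("anonymousUser") but are not a logged-in user;
        // leave those requests in the session/IP buckets rather than the authenticated class.
        if (auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        return auth.getName();
    }
}
```

Register it in place of DoSFilter on /*. Requests with no session, or with a session that holds no authenticated context, fall back to DoSFilter's default tracking by session id (if trackSessions is on) or by remote address, which is why the ForwardedRequestCustomizer advice earlier in the thread still matters for this subclass.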