Thanks for the tips re ForwardedRequestCustomizer. I wasn't aware of it.
OK, that all makes sense. I think we might go with the sledgehammer
approach for now.
As for the positioning of Spring Security, I didn't think I would
be able to prioritize requests based on user if the QoS/DoS filter sat
in front of it. But after looking into it, I should be able to get the
Spring Security context directly from the session before the filter
runs. So yes, I think putting the DoS filter first is the best option.
Thanks again Joakim.
On Tue, Oct 15, 2019 at 12:31 PM Joakim Erdfelt <[hidden email]> wrote:
> Be careful of ForwardedHeaderFilter.
> Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer.
> They essentially do the same thing, but the Filter + Wrapping approach isn't 100% compatible with 100% of requests (external and internal).
> I would recommend using the ForwardedRequestCustomizer only, as it does the correct changes to your Request before the Request even reaches your ServletContext.
> That way it will work on all requests, even internal dispatched ones, request logging, and even on error handling (inside and outside of your ServletContext).
> Having both DoSFilter and QoSFilter in the same chain is unusual (but not impossible, nor problematic)
> DoSFilter is typically used to control all requests on all url-patterns.
> QoSFilter is typically used to control slow behavior on specific url-patterns that are known to take too much time. (like big database queries)
> DoSFilter is the sledgehammer, QoSFilter is the scalpel.
> If you use DoSFilter, there's very little need for QoSFilter. (You are covered.)
> And if you understand your webapp well enough to use QoSFilter properly, there's not much need for DoSFilter.
> As for where Spring Security should sit in the chain...
> Most people protect all components that have external access (like an LDAP server) on their webapp when selecting to use DoSFilter or QoSFilter.
> If your Spring Security has an external system dependency, then protect it too.
> Joakim Erdfelt / [hidden email]
> On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire <[hidden email]> wrote:
>> Can anyone offer any guidance on the usage of QoSFilter and DoSFilter? Specifically, should they be used together and if so in which order?
>> I noticed that the DoSFilter has getPriority(HttpServletRequest, RateTracker) method which can be overridden and looks to provide the same functionality as the QoSFilter.
>> We use Spring Security so I would assume my filter order should be
>> Spring security
>> Jared Wiltshire
>> Infinite Automation
>> jetty-users mailing list
>> [hidden email]
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
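The layout the thread settles on (ForwardedRequestCustomizer on the connector instead of ForwardedHeaderFilter, DoSFilter first on every path, QoSFilter only on a known-expensive path, Spring Security after both, and a DoSFilter subclass that reads the Spring Security context straight out of the session because Spring's own filters have not run yet) can be wired up in embedded Jetty as follows. This is an added illustration, not code from either poster or from the Jetty project. It assumes Jetty 9.4 (jetty-server, jetty-servlet, jetty-servlets on the classpath), Spring Security with a root WebApplicationContext already registered in the ServletContext that exposes the usual `springSecurityFilterChain` bean, and that `DoSFilter.RateTracker` is accessible to subclasses as the original question states. The class names `ThrottledJettyServer` and `SpringAwareDoSFilter`, the path `/api/report/*`, and all numeric limits are illustrative choices, not values from the thread.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;
import org.eclipse.jetty.servlets.QoSFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.filter.DelegatingFilterProxy;

public class ThrottledJettyServer {

    /**
     * DoSFilter that ranks and tracks requests by the Spring Security context already saved
     * in the HttpSession. DoSFilter runs before Spring Security here, so request.getUserPrincipal()
     * is still null; the session attribute is the only place the identity is visible this early.
     */
    public static class SpringAwareDoSFilter extends DoSFilter {
        // Same three levels DoSFilter itself uses (its queues are sized for priorities 0..2).
        private static final int IP_ONLY = 0, SESSION = 1, AUTHENTICATED = 2;

        private static Authentication springAuth(ServletRequest request) {
            if (!(request instanceof HttpServletRequest)) return null;
            HttpSession session = ((HttpServletRequest) request).getSession(false);
            if (session == null) return null;
            Object ctx = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
            if (!(ctx instanceof SecurityContext)) return null;
            Authentication auth = ((SecurityContext) ctx).getAuthentication();
            return (auth != null && auth.isAuthenticated()) ? auth : null;
        }

        @Override
        protected int getPriority(HttpServletRequest request, RateTracker tracker) {
            if (springAuth(request) != null) return AUTHENTICATED;
            return request.getSession(false) != null ? SESSION : IP_ONLY;
        }

        /** Key the rate tracker by user name so clients behind one NAT do not share a bucket. */
        @Override
        protected String extractUserId(ServletRequest request) {
            Authentication auth = springAuth(request);
            return auth == null ? null : auth.getName();
        }
    }

    public static Server build(int port) {
        Server server = new Server();

        // Honour X-Forwarded-* from the reverse proxy at the connector, not with ForwardedHeaderFilter,
        // so DoSFilter's per-IP tracking and the request log both see the real client address.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(port);
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");

        // 1. DoSFilter first, on every path: the sledgehammer.
        FilterHolder dos = new FilterHolder(SpringAwareDoSFilter.class);
        dos.setInitParameter("maxRequestsPerSec", "25");   // per tracked client (IP, session or user)
        dos.setInitParameter("delayMs", "100");            // delay rather than reject at first
        dos.setInitParameter("throttledRequests", "5");    // delayed requests allowed in flight at once
        dos.setInitParameter("maxRequestMs", "30000");     // requests running longer than this are cut off
        dos.setInitParameter("trackSessions", "true");
        dos.setInitParameter("insertHeaders", "true");     // emits the DoSFilter response header, handy when tuning
        context.addFilter(dos, "/*", EnumSet.of(DispatcherType.REQUEST));

        // 2. QoSFilter only on the known-expensive endpoint: the scalpel (path is illustrative).
        FilterHolder qos = new FilterHolder(QoSFilter.class);
        qos.setInitParameter("maxRequests", "4");          // concurrent requests allowed into /api/report
        qos.setInitParameter("suspendMs", "5000");         // the rest wait in the priority queue up to 5 s
        context.addFilter(qos, "/api/report/*", EnumSet.of(DispatcherType.REQUEST));

        // 3. Spring Security last; DelegatingFilterProxy looks up the "springSecurityFilterChain"
        //    bean in the root WebApplicationContext, which the webapp is assumed to have registered.
        FilterHolder spring = new FilterHolder(DelegatingFilterProxy.class);
        spring.setName("springSecurityFilterChain");
        context.addFilter(spring, "/*", EnumSet.allOf(DispatcherType.class));

        server.setHandler(context);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

Two points worth checking in a deployment like this: `getSession(false)` is used throughout so the throttling filters never create sessions for anonymous traffic (a flood of new sessions is its own resource-exhaustion problem), and the `ForwardedRequestCustomizer` should only be enabled on a connector that is reachable exclusively through the proxy, since any client that can reach it directly can otherwise spoof the address DoSFilter keys on.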