Thanks for the tips re. ForwardedRequestCustomizer. I wasn't aware of it. OK that all makes sense, I think we might go with the sledge hammer approach for now.
As for the positioning of Spring Security, I didn't think I would be able to prioritize requests based on user if the QoS/DoS filter sat in front of it. But after looking into it, I should be able to get the Spring Security context directly from the session before the filter runs. So yes, I think putting the DoS filter first is the best option.

Thanks again Joakim.

On Tue, Oct 15, 2019 at 12:31 PM Joakim Erdfelt <[email protected]> wrote:
>
> Be careful of ForwardedHeaderFilter.
> Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer.
> They essentially do the same thing, but the Filter + Wrapping approach isn't
> 100% compatible with 100% of requests (external and internal).
>
> I would recommend using the ForwardedRequestCustomizer only, as it does the
> correct changes to your Request before the Request even reaches your
> ServletContext.
> That way it will work on all requests, even internal dispatched ones, request
> logging, and even on error handling (inside and outside of your
> ServletContext).
>
> Having both DoSFilter and QoSFilter in the same chain is unusual (but not
> impossible, nor problematic).
>
> DoSFilter is typically used to control all requests on all url-patterns.
> QoSFilter is typically used to control slow behavior on specific url-patterns
> that are known to take too much time (like big database queries).
>
> DoSFilter is the sledgehammer, QoSFilter is the scalpel.
> If you DoSFilter, there's very little need for QoSFilter (you are covered).
> And if you understand your webapp well enough to use QoSFilter properly,
> there's not much need for DoSFilter.
>
> As for where Spring Security should sit in the chain...
> Most people protect all components that have external access (like a LDAP
> server) on their webapp when selecting to use DoSFilter or QoSFilter.
> If your Spring Security has an external system dependency, then protect it
> too.
>
> Joakim Erdfelt / [email protected]
>
>
> On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire
> <[email protected]> wrote:
>>
>> Can anyone offer any guidance on the usage of QoSFilter and DoSFilter.
>> Specifically, should they be used together and if so in which order?
>>
>> I noticed that the DoSFilter has a getPriority(HttpServletRequest,
>> RateTracker) method which can be overridden and looks to provide the same
>> functionality as the QoSFilter.
>>
>> We use Spring Security so I would assume my filter order should be
>>
>> ForwardedHeaderFilter
>> Spring security
>> DoSFilter
>> QoSFilter
>> ...
>>
>> Thanks,
>> Jared Wiltshire
>> Infinite Automation
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe from
>> this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
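As an added example (not code from the thread or from the Jetty project), here is one way to do what Jared describes: a DoSFilter subclass placed in front of Spring Security that still prioritizes by user, by reading the SecurityContext that HttpSessionSecurityContextRepository stores in the HttpSession. It assumes Jetty 9.4's DoSFilter, whose getPriority() consults the protected extractUserId() hook (null by default); the package name is hypothetical.

```java
package com.example.filters; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.servlets.DoSFilter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * DoSFilter that recognises Spring Security users even though it runs
 * before the Spring Security filter chain: the SecurityContext is read
 * straight from the existing HttpSession instead of from the
 * SecurityContextHolder, which is not yet populated at this point.
 */
public class UserAwareDoSFilter extends DoSFilter
{
    /**
     * Called by DoSFilter.getPriority(): a non-null user id gets USER_AUTH
     * priority and its own rate tracker; null falls back to the default
     * session-based or IP-based tracking.
     */
    @Override
    protected String extractUserId(ServletRequest request)
    {
        if (!(request instanceof HttpServletRequest))
            return null;

        // Never create a session here: doing so for every anonymous request
        // would let unauthenticated clients fill the session store.
        HttpSession session = ((HttpServletRequest)request).getSession(false);
        if (session == null)
            return null;

        Object attr = session.getAttribute(
            HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (!(attr instanceof SecurityContext))
            return null;

        Authentication auth = ((SecurityContext)attr).getAuthentication();
        // Anonymous or not-yet-authenticated sessions count as unauthenticated.
        if (auth == null || !auth.isAuthenticated()
            || auth instanceof AnonymousAuthenticationToken)
            return null;

        return auth.getName();
    }
}
```

Register this class in place of org.eclipse.jetty.servlets.DoSFilter as the first filter in the chain, before Spring Security, as the thread recommends.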
