
How to avoid REST API abuse? (limit the number of calls to a URL per second)

 
John Boby
Greenhorn
Posts: 8
Hello,

I'm currently building a REST API in Java with Spring. I'm using Spring Security to handle authentication (once authenticated, a JSESSIONID token is put in a cookie that the user needs for each API request).

I'm now worried about people who would try to take down the server by, let's say, putting the call to "GET /my/rest/search/poi/" in an infinite loop.

What would be a good practice to protect the server against this ?

Is this something that needs to be configured in Tomcat?

Or is it something that needs to be done in Java? (before every request, check that this JSESSIONID didn't make too many calls in 1 second?)

Thank you!
 
Ulf Dittmer
Rancher
Posts: 42972
Assuming that you're using JAX-RS, it has a listener concept (I forget the interface name) that allows you to have code of yours being called for every request. I've used this to keep track of (and block, if a limit has been reached) requests from particular IP addresses. That is probably more relevant than requests to particular URLs, but you could use any random criteria to control access.
 
James Boswell
Bartender
Posts: 1051
John

You may want to take a look at javax.servlet.Filter which will allow you to intercept requests to your application.

https://docs.oracle.com/cd/B14099_19/web.1012/b14017/filters.htm#i1000648

Other solutions will be available but these will be dependent on the JAX-RS implementation you are using.
 
John Boby
Greenhorn
Posts: 8
Thank you both for your replies. I'm currently not using JAX-RS (I'm using Spring MVC).

I will have a look at servlet filters. If I understand correctly, I would use these filters to intercept any incoming call to any of my APIs and check in a table or similar that this user hasn't been making too many calls?
 
Ulf Dittmer
Rancher
Posts: 42972
I'm not familiar with Spring MVC, but I'm sure it has something conceptually similar to servlet filters or JAX-RS filters. http://viralpatel.net/blogs/spring-mvc-interceptor-example/ looks like it. It seems you would override the preHandle method, and return false from it if the request should not be serviced due to exceeding some limit. You should also set an appropriate response code, maybe SC_FORBIDDEN or SC_SERVICE_UNAVAILABLE.

If the users are authenticated, then keeping track of the number of calls per user is perhaps the best approach. There could be different levels, like a max of N calls per hour, and M calls per 24 hours. I think a HashMap in memory may be better than storing this information in a DB, so you save the network trip to the DB. I wouldn't think that this kind of information needs to be persisted - unless you want to keep track of API usage over time on a per user basis, which would likely be useful information.

For unauthenticated access, I've taken to cut-off limits per IP address.
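A concrete version of the interceptor approach described above, added here as an example; it is not code from this thread or from Spring itself. It assumes Spring MVC 5 with the javax.servlet API (Spring 6 renames the servlet packages to jakarta.servlet). The class names, the limit of 10 requests per second on /my/rest/**, the 429 "Too Many Requests" status (RFC 6585) and the Retry-After header are choices made for this example; the page mentions SC_FORBIDDEN or SC_SERVICE_UNAVAILABLE as alternatives. Callers are keyed by the authenticated session when there is one and by client IP otherwise, which covers both the per-user and the per-IP cases discussed in the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Fixed-window rate limiter: each caller gets at most maxRequests per window.
 * Hypothetical example class, not part of Spring.
 */
public class RateLimitInterceptor implements HandlerInterceptor {

    /** Request counter for one caller within the current window. */
    private static final class Window {
        final long startMillis;
        final AtomicInteger count = new AtomicInteger();
        Window(long startMillis) { this.startMillis = startMillis; }
    }

    private final int maxRequests;
    private final long windowMillis;
    // ConcurrentHashMap rather than HashMap: preHandle runs on many request threads at once.
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public RateLimitInterceptor(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    /** Caller key: the authenticated session if present, otherwise the client IP. */
    static String callerKey(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session just to count
        if (session != null) {
            return "session:" + session.getId();
        }
        return "ip:" + request.getRemoteAddr();
    }

    /** Returns true while the caller is within its quota for the current window. */
    boolean allow(String key, long nowMillis) {
        // Start a fresh window if none exists or the old one has expired; compute() is atomic per key.
        Window w = windows.compute(key, (k, old) ->
                (old == null || nowMillis - old.startMillis >= windowMillis) ? new Window(nowMillis) : old);
        return w.count.incrementAndGet() <= maxRequests;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (allow(callerKey(request), System.currentTimeMillis())) {
            return true; // let the request reach the controller
        }
        response.setStatus(429); // Too Many Requests (RFC 6585)
        response.setHeader("Retry-After", String.valueOf(Math.max(1L, windowMillis / 1000)));
        return false; // short-circuit: the controller is never invoked
    }

    /** Removes expired windows so the map does not grow with every IP ever seen; call periodically. */
    void evictExpired(long nowMillis) {
        windows.entrySet().removeIf(e -> nowMillis - e.getValue().startMillis >= windowMillis);
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) {
        // nothing to do after the controller runs
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
            Exception ex) {
        // nothing to clean up per request
    }
}

/** Registers the interceptor for the API paths only (hypothetical config class). */
@Configuration
class RateLimitConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RateLimitInterceptor(10, 1_000L))
                .addPathPatterns("/my/rest/**");
    }
}
```

Two things to keep in mind when deploying something like this: the counters live in one JVM, so behind a load balancer each node enforces its own limit, and request.getRemoteAddr() returns the proxy's address when Tomcat sits behind a reverse proxy, so IP-based limits then need the forwarded-for header, trusted only from your own proxies. Scheduling evictExpired() (for example with a @Scheduled method) keeps the map bounded.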
 
John Boby
Greenhorn
Posts: 8
Thank you for the reply, it helped. I will have a look at these interceptors and store the result in a cache rather than the DB; it makes more sense for now.

Thank you!
 