Breaking change in class DosFilter from 9.4.53 to 9.4.54 #11618
Comments
+1 as this broke our dependency on DosFilter that used
Jetty 9.x is now at End of Community Support.
The change in DosFilter was done as Session (and auth/user id) tracking is no longer supported. The way forward is to not use an unsupported version of Jetty; you should be using Jetty 12 at this point in time (even if you are using
No, as user/auth based tracking breaks the fundamental contract of Rate Tracking that is used at the server level (to accomplish DosFilter based filtering on userId, it needed to remove arbitrary server level Rate Tracking to do it, which breaks server level Rate Tracking). Note that this was removed from all versions of Jetty, from 9.4.x through to 12.0.x
@joakime thanks for looking into this!
Does Jetty 12 support any way of user-id based rate limiting? Or do Jetty users have to roll their own implementation of this?
Jetty 12 will not support user-id based rate limiting, because it is very often too application-specific, and may put the server under pressure. I recommend that you carefully review your current usage, and make sure that any user-id you are using is a valid one (for example, after authentication).
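An added example, not part of this thread and not Jetty code: one way an application could roll its own limiter keyed on the authenticated user id, with a capped tracking map so that many distinct ids cannot put the server under memory pressure. The class name `UserRateLimiter`, its parameters and the sample ids are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Jetty code): fixed-window limiter keyed on an authenticated user id.
public class UserRateLimiter {
    private static final class Window { long start; int count; }

    private final int maxPerWindow;
    private final long windowMillis;
    private final Map<String, Window> windows;

    public UserRateLimiter(int maxPerWindow, long windowMillis, final int maxTrackedUsers) {
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
        // Access-ordered LRU map with a hard cap: a flood of distinct ids evicts the
        // least recently seen entries instead of growing memory without bound.
        this.windows = new LinkedHashMap<String, Window>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Window> eldest) {
                return size() > maxTrackedUsers;
            }
        };
    }

    // userId must be the authenticated principal's name, never a client-supplied value.
    // null means "not authenticated": such requests are not tracked here at all.
    public synchronized boolean allow(String userId, long nowMillis) {
        if (userId == null) {
            return true;
        }
        Window w = windows.get(userId);
        if (w == null || nowMillis - w.start >= windowMillis) {
            w = new Window(); // first request from this id, or its window has expired
            w.start = nowMillis;
            windows.put(userId, w);
        }
        return ++w.count <= maxPerWindow;
    }

    public static void main(String[] args) {
        // Constructed sample: 3 requests per 1000 ms, at most 2 tracked users.
        UserRateLimiter limiter = new UserRateLimiter(3, 1000, 2);
        for (int i = 1; i <= 4; i++) {
            System.out.println("alice t=" + i + " allowed=" + limiter.allow("alice", i));
        }
        System.out.println("alice t=1001 allowed=" + limiter.allow("alice", 1001));
        System.out.println("anonymous allowed=" + limiter.allow(null, 1002));
    }
}
```

In a servlet filter the id passed to `allow` would come from `HttpServletRequest.getUserPrincipal()` once authentication has run, and a `false` result would be mapped to a 429 response.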
thanks all for the explanation 👍
Closing this issue as it appears to have been answered.
Jetty Version
9.4.54
Jetty Environment
N/A
Java Version
8+
Question
The commit that made it into 9.4.54 contains a breaking change to the `DosFilter` class because this function, `extractUserId(ServletRequest request)`, is now completely ignored in the class. This is breaking the behaviour of any subclass of this class that implements `extractUserId`. In addition, marking it as `@Deprecated` IMO isn't right because deprecated means it is still working while offering projects that depend on this to work on a new alternative.

Is there a way to make it work, i.e. keeping the behaviour of `extractUserId` while achieving the goal of the commit?

Many thanks,
Truc