Collection of utility servlets and filters for Jakarta EE 10 web applications including CORS, DoS protection, QoS management, header manipulation, and server-sent events.
—
Comprehensive denial of service protection with rate limiting, request throttling, IP whitelisting, and extensive management capabilities. The DoS filters provide configurable protection against request flooding attacks and resource abuse.
Primary DoS protection filter with rate limiting, throttling, and management features.
/**
 * Denial of Service filter for limiting exposure to request flooding attacks.
 * Tracks requests per connection per second and applies rate limiting actions.
 *
 * <p>This is an API summary: members are listed by signature only, without bodies.
 *
 * <p>NOTE(review): the limiter can only be as accurate as the client identity it sees.
 * Behind a reverse proxy or load balancer the container normally reports the proxy's
 * address, so all clients may share one budget (or, if the proxy is whitelisted, none
 * is limited). Restore the real client address from a forwarding header only when that
 * header is set by a proxy you control; confirm how your deployment does this.
 *
 * <p>The filter works at the servlet layer; it complements, and does not replace,
 * upstream or network-level flood protection.
 */
public class DoSFilter implements Filter {
// Filter lifecycle methods (jakarta.servlet.Filter contract)
public void init(FilterConfig filterConfig) throws ServletException;
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws IOException, ServletException;
public void destroy();
// Configuration properties.
// NOTE(review): the parameter table is missing from this page. The meanings given
// below follow the upstream Jetty Javadoc for the matching init-params; confirm them,
// and the defaults, against the Jetty version in use.
// maxRequestsPerSec: per-client request budget per second; excess requests are
// delayed first, then throttled.
public void setMaxRequestsPerSec(int value);
public int getMaxRequestsPerSec();
// delayMs: delay applied to over-limit requests. Upstream documents -1 as
// "reject the request" and 0 as "no delay".
public void setDelayMs(long value);
public long getDelayMs();
// maxWaitMs: how long a request blocks waiting for a throttle slot.
public void setMaxWaitMs(long value);
public long getMaxWaitMs();
// throttledRequests: how many over-limit requests are handled at the same time.
public void setThrottledRequests(int value);
public int getThrottledRequests();
// throttleMs: how long a throttled request waits asynchronously for a slot.
public void setThrottleMs(long value);
public long getThrottleMs();
// maxRequestMs: how long a single request is allowed to run.
public void setMaxRequestMs(long value);
public long getMaxRequestMs();
// maxIdleTrackerMs: how long an idle per-client tracker is kept. One tracker exists
// per tracked client, so a large value with many distinct clients costs memory.
public void setMaxIdleTrackerMs(long value);
public long getMaxIdleTrackerMs();
// insertHeaders: whether the filter adds its own response header. That header tells
// the client how the limiter reacted; consider turning it off on internet-facing
// deployments.
public void setInsertHeaders(boolean value);
public boolean isInsertHeaders();
// remotePort: track by address plus port instead of address alone. Each new
// connection then gets its own budget, which weakens the limit for a single host;
// enable it only when many users legitimately share one address.
public void setRemotePort(boolean value);
public boolean isRemotePort();
// enabled: switches the filter on or off at runtime. Disabling removes the protection.
public void setEnabled(boolean enabled);
public boolean isEnabled();
// Whitelist management.
// Whitelisted addresses are not rate limited at all, so keep entries as narrow as
// possible and review them when the network layout changes.
public void setWhitelist(String commaSeparatedList);
public String getWhitelist();
public void clearWhitelist();
public boolean addWhitelistAddress(String address);
public boolean removeWhitelistAddress(String address);
// Management operations.
// NOTE(review): if these setters are reachable at runtime (for example through JMX or
// an admin endpoint), restrict that access: setEnabled, the whitelist methods and
// removeFromRateTracker can each switch off or reset the protection.
// tooManyCode: HTTP status sent when a request is rejected (the example on this page
// uses 429).
public void setTooManyCode(int tooManyCode);
public int getTooManyCode();
public void setName(String name);
public String getName();
// Listener that decides the Action for each over-limit request.
public void setListener(DoSFilter.Listener listener);
public DoSFilter.Listener getListener();
// Drops the tracker with the given id; presumably that client starts again with a
// fresh budget. Verify against the implementation.
public void removeFromRateTracker(String id);
}

Configuration Parameters:
Usage Examples:
// Web.xml configuration
// NOTE(review): a <filter> declaration alone does not apply the filter; a matching
// <filter-mapping> (not shown here) is required, otherwise no request is limited.
// Upstream examples also declare <async-supported>true</async-supported> on the
// filter; confirm both for your deployment.
// The ipWhitelist value below exempts the whole 192.168.1.0/24 subnet from limiting.
// If a reverse proxy sits in that range, all proxied traffic bypasses the filter.
/*
<filter>
<filter-name>DoSFilter</filter-name>
<filter-class>org.eclipse.jetty.ee10.servlets.DoSFilter</filter-class>
<init-param>
<param-name>maxRequestsPerSec</param-name>
<param-value>10</param-value>
</init-param>
<init-param>
<param-name>delayMs</param-name>
<param-value>1000</param-value>
</init-param>
<init-param>
<param-name>throttledRequests</param-name>
<param-value>3</param-value>
</init-param>
<init-param>
<param-name>ipWhitelist</param-name>
<param-value>127.0.0.1,192.168.1.0/24</param-value>
</init-param>
</filter>
*/
// Programmatic configuration (same values as the web.xml example above)
DoSFilter dosFilter = new DoSFilter();
dosFilter.setMaxRequestsPerSec(10);
dosFilter.setDelayMs(1000);
dosFilter.setThrottledRequests(3);
// Whitelisted addresses are not rate limited; keep this list as narrow as possible.
dosFilter.setWhitelist("127.0.0.1,192.168.1.0/24");
// 429 Too Many Requests is returned to rejected clients.
dosFilter.setTooManyCode(429);
// Custom listener for rate limit events.
// `logger` is not defined in this snippet; it is assumed to be an SLF4J-style logger
// of the enclosing class.
dosFilter.setListener(new DoSFilter.Listener() {
@Override
public DoSFilter.Action onRequestOverLimit(HttpServletRequest request,
DoSFilter.OverLimit overlimit,
DoSFilter dosFilter) {
// Log the rate limit violation.
// NOTE(review): this runs for every over-limit request, so during a flood it writes
// one log line per request; sample or rate-limit the logging so the log does not
// become a second bottleneck. The rate id may be an address or a session
// identifier (verify), so treat it as sensitive in log storage.
logger.warn("Rate limit exceeded for {}: {} requests in {}",
overlimit.getRateId(), overlimit.getCount(), overlimit.getDuration());
// Return custom action based on severity: reject above 50 requests in the measured
// period, otherwise delay. The threshold 50 is illustrative.
return overlimit.getCount() > 50 ? DoSFilter.Action.REJECT : DoSFilter.Action.DELAY;
}
});

Extended DoS filter that forcibly closes connections on timeout.
/**
 * Extension of DoSFilter that abruptly closes connections when requests timeout.
 * More aggressive than standard DoSFilter for handling persistent attackers.
 *
 * <p>NOTE(review): the close is tied to the request timeout, so it also hits legitimate
 * long-running requests (large uploads, long polling, server-sent events). Map this
 * filter only to paths where a hard cut-off is acceptable, or size the timeout for
 * them. The signature-only listing does not show which method is overridden;
 * presumably it is onRequestTimeout. Verify against the implementation.
 */
public class CloseableDoSFilter extends DoSFilter {
// Inherits all DoSFilter functionality
// Overrides timeout behavior to close connections
}

Usage Example:
// Use when you need aggressive connection termination.
// The connection is closed when a request runs past the request timeout, so every
// request mapped to this filter must be able to finish within that time.
CloseableDoSFilter closeableFilter = new CloseableDoSFilter();
// Budget of 5 requests per second per tracked client.
closeableFilter.setMaxRequestsPerSec(5);
closeableFilter.setMaxRequestMs(10000); // Connections closed after 10 seconds

Defines the actions that can be taken when rate limits are exceeded.
/**
 * Actions that can be taken when request rate limits are exceeded.
 *
 * <p>A listener chooses one of these per over-limit request. Only NO_ACTION lets the
 * request through unchanged, so returning it switches the protection off for that
 * request.
 */
public enum Action {
/** Take no action, allow the request to proceed */
NO_ACTION,
/** Abort the request processing */
ABORT,
/** Reject the request with an error response */
REJECT,
/** Delay the request before processing */
DELAY,
/** Throttle the request using async processing */
THROTTLE;
/**
 * Convert delay time to appropriate action.
 *
 * <p>NOTE(review): the mapping is not shown on this page. Upstream appears to map a
 * negative delay to REJECT and a zero delay to THROTTLE, with DELAY otherwise.
 * TODO confirm against the Javadoc of the version in use.
 *
 * @param delayMs Delay time in milliseconds
 * @return Corresponding Action enum value
 */
public static Action fromDelay(long delayMs);
}

Provides information about rate limit violations.
/**
 * Information about a rate limit violation, passed to the listener for each
 * over-limit request.
 */
public interface OverLimit {
/**
 * Get the rate tracking identifier.
 * NOTE(review): the identifier may be a client address or a session identifier
 * (verify), so handle it as sensitive data when logging or exporting it.
 */
String getRateId();
/** Get the duration over which the rate was measured */
Duration getDuration();
/** Get the number of requests in the measurement period */
long getCount();
}

Callback interface for handling rate limit events.
/**
 * Listener for rate limit events, allows custom handling of over-limit situations.
 *
 * <p>Declared as a class, not an interface, so custom handling is added by subclassing
 * and overriding {@code onRequestOverLimit}.
 */
public static class Listener {
/**
 * Called when a request exceeds the configured rate limit.
 *
 * <p>NOTE(review): this is called once per over-limit request, i.e. most often while
 * the server is under load. Keep the implementation cheap and free of blocking I/O.
 * The returned Action decides what happens to the request; NO_ACTION lets it through.
 *
 * @param request The HTTP request that exceeded the limit
 * @param overlimit Information about the rate limit violation
 * @param dosFilter The DoSFilter instance
 * @return Action to take for this request
 */
public Action onRequestOverLimit(HttpServletRequest request,
OverLimit overlimit,
DoSFilter dosFilter);
}

Internal class for tracking request rates (exposed for management).
/**
 * Tracks request rates for a specific connection/user.
 *
 * <p>One tracker exists per tracked identity. It implements Runnable for the periodic
 * cleanup described on {@code run()}.
 * NOTE(review): it is also Serializable, presumably so that it can be stored where
 * serialization happens (for example in a session). Verify against the implementation.
 */
public static class RateTracker implements Runnable, Serializable {
/**
 * Check if the current rate exceeds configured limits.
 * Returns an OverLimit describing the violation. What is returned when the rate is
 * within limits is not shown on this page; presumably null. Verify.
 */
public OverLimit isRateExceeded(long now);
/** Get the unique identifier for this rate tracker */
public String getId();
/** Set the servlet context for this tracker */
public void setContext(ServletContext context);
/** Cleanup method called periodically */
public void run();
}

The DoSFilter provides several protected methods for customization:
// Extension points, listed by signature only. Overriding them changes how the limiter
// decides, so review every override like a change to the security configuration.
// HTTP-typed variant of the filter entry point.
protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException;
// Passes the request on to the rest of the filter chain.
protected void doFilterChain(FilterChain chain, HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException;
// Called when a request runs past the request timeout; CloseableDoSFilter is described
// on this page as changing the timeout behaviour to close the connection.
protected void onRequestTimeout(HttpServletRequest request, HttpServletResponse response, Thread handlingThread);
// Decides whether a candidate address is exempt from limiting. An override that
// matches too broadly switches the protection off for those clients.
protected boolean checkWhitelist(String candidate);
// Tests an address against a subnet entry (the CIDR form used in the whitelist examples).
protected boolean subnetMatch(String subnetAddress, String address);
// Starts the scheduler used by the filter; presumably it drives timeouts and tracker
// cleanup. Verify against the implementation.
protected Scheduler startScheduler() throws ServletException;
protected void stopScheduler();

The DoS filters support flexible IP whitelisting with CIDR notation support:
// Every whitelisted address is exempt from rate limiting, so add the narrowest entry
// that covers the need.
// Single IP addresses
dosFilter.addWhitelistAddress("192.168.1.100");
// CIDR blocks
// A /24 exempts 256 addresses; a /8 such as 10.0.0.0/8 exempts about 16.7 million.
// Broad private ranges often include proxies, scanners and other internal hosts.
dosFilter.addWhitelistAddress("192.168.1.0/24");
dosFilter.addWhitelistAddress("10.0.0.0/8");
// Remove addresses
// This removes only the single entry given; the /24 added above still covers
// 192.168.1.100.
dosFilter.removeWhitelistAddress("192.168.1.100");
// Clear all whitelist entries
dosFilter.clearWhitelist();
// Set entire whitelist at once
dosFilter.setWhitelist("127.0.0.1,192.168.1.0/24,10.0.0.0/16");

Install with Tessl CLI
npx tessl i tessl/maven-org-eclipse-jetty-ee10--jetty-ee10-servlets