You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/07/14 01:36:00 UTC

[jira] [Created] (NIFI-8782) Add Rate-Limiting for Access Token Requests

David Handermann created NIFI-8782:
--------------------------------------

             Summary: Add Rate-Limiting for Access Token Requests
                 Key: NIFI-8782
                 URL: https://issues.apache.org/jira/browse/NIFI-8782
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core UI, Security
            Reporter: David Handermann
            Assignee: David Handermann


The NiFi Jetty Server currently relies on the Jetty [Denial of Service Filter|https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter] to provide configurable rate-limiting for HTTP requests. The DoSFilter applies to all requests and setting to the limit too low can cause unexpected problems during system administrator or data transfer.

When configured with a Login Identity Provider, Access Token requests support authenticating users against the specified provider. The number of Access Token requests from a given remote address should be minimal and predictable based on the expected number of authorized users. Introducing a separate configuration property and targeted filter for Access Token requests will allow the NiFi Jetty Server to reject excessive numbers of authentication attempts while permitting higher numbers of requests to other resources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)