Hi,

On Tue, Feb 11, 2014 at 1:27 PM, Nuwan Dias <[email protected]> wrote:

> Hi,
>
> I don't think throttling a web app is practically doable :).
>

-1 on this since web applications totally need throttling. If throttling is
not required for the web application, the publisher can mark the tier as
unlimited.


>
> Think of the complications a bit, you will need to skip all requests for
> things like css, js, images, etc. Then, how are we going to handle cases
> like users pressing the 'refresh' button on the browser? Is that going to
> count as another request? If not, how do we skip that particular request?
>

We can define URL patterns and provide throttling tiers for these patterns.
If a specific type of request (js/css) need not be throttled, the
publisher can define the tier as unlimited. Pressing the refresh button can
be considered the same request depending on the implementation. For
example, there can be two types of applications.

1. Once a user enters a web application, the user should be able to stay in
the application without being throttled. (Ex: hotel booking engine)
2. Each request for the application is considered a new request. For
these applications, a refresh request should be considered a new request.

For the first type, once the user has an authenticated session, the user
should not be throttled. But this can be used by an attacker to mount a DDoS
attack. We can use a cookie which is generated by the gateway in order to
avoid this.


> Even though the publisher (owner of the web app) is responsible for
> defining the throttling limits, this would mean that the web app logic is
> closely tied to the app on the App Gateway. Making even a slight change to
> the web app might require them to change the throttling limits set on the
> Gateway.
>
> Thanks,
> NuwanD.
>
>
> On Tue, Feb 11, 2014 at 12:50 PM, Suresh Attanayaka <[email protected]> wrote:
>
>> HI Venura,
>>
>> SAML Response would not be available for every subsequent request even though
>> the user is successfully authenticated. The best way would be to check the
>> session ID, and have a map for the authenticated session and the username.
>> This way, you do not need to know how the user was authenticated; it can be
>> SAML, OAuth or OpenID.
>>
>> And if the app is configured in such a way that it does not require
>> authentication, then throttling should be done as for an anonymous user. If
>> the app requires authentication and the request doesn't have an
>> authenticated session, the user should be redirected to the IDP.
>>
>> Thanks,
>> -Suresh
>>
>>
>> On Tue, Feb 11, 2014 at 12:33 PM, Venura Kahawala <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> One way of doing this is based on the authentication mechanism. For
>>> example, a web application publisher can decide what authentication
>>> mechanism is going to be used for the web application. Let's take SAML
>>> as an example [1]. With the subject of the SAML response, the user can be
>>> identified and throttling can be applied. If the web application publisher
>>> decides that the web app need not be authenticated, then user based
>>> throttling is not applicable.
>>>
>>> Please share your thoughts.
>>>
>>> [1]
>>> https://docs.google.com/a/wso2.com/drawings/d/1yYe6n17sBGhegEyu8aym-C44gsZEkfsZDR3ZUTzj38k/edit?usp=sharing
>>>
>>> Regards,
>>> Venura
>>>
>>>
>>>
>>> On Mon, Feb 10, 2014 at 10:05 PM, Venura Kahawala <[email protected]> wrote:
>>>
>>>> Hi Suresh,
>>>>
>>>> I meant the user, not the web browser.
>>>>
>>>> Regards,
>>>> Venura
>>>>
>>>>
>>>> On Mon, Feb 10, 2014 at 9:56 PM, Suresh Attanayaka <[email protected]> wrote:
>>>>
>>>>> Hi Venura,
>>>>>
>>>>> I'm confused, are we going to throttle based on User or Client or both
>>>>> ? I assume a client is a web browser.
>>>>>
>>>>> Thanks,
>>>>> -Suresh
>>>>>
>>>>>
>>>>> On Mon, Feb 10, 2014 at 6:58 PM, Venura Kahawala <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As you may already be aware, 'App manager' is capable of providing a
>>>>>> gateway for web applications. Web apps can be registered in the publisher
>>>>>> and can be published to the store so the users can subscribe to and consume
>>>>>> web applications.
>>>>>>
>>>>>> Currently we are in the stage of implementing throttling for the
>>>>>> gateway. This is a bit different from API Manager since the consumer/client
>>>>>> of the web application is not capable of sending a unique identifier to the
>>>>>> gateway (in AM this unique identifier is the OAuth token which is given to a
>>>>>> client application). This is because the client should be able to type the
>>>>>> gateway URL in the browser and access the web app.
>>>>>>
>>>>>> We need to identify the client who is calling the gateway and
>>>>>> throttle based on the client.
>>>>>>
>>>>>> Any ideas on this are most welcome.
>>>>>>
>>>>>> Regards,
>>>>>> Venura
>>>>>>
>>>>>> --
>>>>>> Senior Software Engineer
>>>>>>
>>>>>> Mobile: +94 71 82 300 20
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> [email protected]
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Suresh Attanayake
>>>>> Senior Software Engineer; WSO2 Inc. http://wso2.com/
>>>>> Blog : http://sureshatt.blogspot.com/
>>>>> Web : http://www.ssoarcade.com/
>>>>> Facebook : https://www.facebook.com/IdentityWorld
>>>>> Twitter : https://twitter.com/sureshatt
>>>>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>>>>> Mobile : +94755012060
>>>>> Mobile : +016166171172
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Nuwan Dias
>
> Senior Software Engineer - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>
>

Regards,
Venura

-- 
Senior Software Engineer

Mobile: +94 71 82 300 20
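The gateway-side design sketched across this thread (resolve the throttle key from a gateway-issued session cookie mapped to a username, fall back to anonymous throttling when the app allows unauthenticated access, redirect to the IdP otherwise, and let the publisher attach tiers to URL patterns so css/js can be marked unlimited) can be put together as a small model. The following is an added example written for this page; it is not App Manager's code. The tier names, URL patterns, session map, HMAC cookie format and fixed 60-second window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical gateway settings; a real deployment would load these from config.
GATEWAY_SECRET = b"demo-only-gateway-secret"
WINDOW_SECONDS = 60
# Tier name -> requests allowed per window; None means unlimited.
TIERS = {"silver": 5, "anonymous": 2, "unlimited": None}

# Publisher-defined URL patterns (constructed example). A pattern tier of None
# means "use the tier of the user who owns the session".
URL_PATTERN_TIERS = [
    (re.compile(r"^/hotel/static/.*\.(?:css|js|png)$"), "unlimited"),
    (re.compile(r"^/hotel/.*$"), None),
]

# Authenticated session id -> username, filled in when the IdP login completes.
# The throttler only needs the session id, not how the user authenticated.
SESSION_USERS = {"s-1001": "alice"}
USER_TIERS = {"alice": "silver"}


def issue_gateway_cookie(session_id: str) -> str:
    """Cookie value = session id + HMAC tag, so a client cannot mint its own
    'authenticated' session to escape throttling."""
    tag = hmac.new(GATEWAY_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def session_from_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the session id only if the tag verifies and the session is known."""
    if not cookie or "." not in cookie:
        return None
    session_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(GATEWAY_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id if session_id in SESSION_USERS else None


@dataclass
class Request:
    path: str
    client_ip: str
    gateway_cookie: Optional[str] = None


class Throttler:
    def __init__(self, requires_auth: bool):
        self.requires_auth = requires_auth
        self.counters = {}  # throttle key -> [window_start, count]

    def _pattern_tier(self, path: str) -> Optional[str]:
        for pattern, tier in URL_PATTERN_TIERS:
            if pattern.match(path):
                return tier
        return None  # unmatched paths fall back to the user's own tier

    def decide(self, req: Request, now: float) -> str:
        """Returns ALLOW, THROTTLED or REDIRECT_TO_IDP for one request."""
        session_id = session_from_cookie(req.gateway_cookie)
        if self.requires_auth and session_id is None:
            return "REDIRECT_TO_IDP"
        if session_id is not None:
            user = SESSION_USERS[session_id]
            key, user_tier = f"user:{user}", USER_TIERS[user]
        else:
            # Anonymous access: the only identifier we have is the client address.
            key, user_tier = f"ip:{req.client_ip}", "anonymous"
        tier = self._pattern_tier(req.path) or user_tier
        limit = TIERS[tier]
        if limit is None:
            return "ALLOW"  # publisher marked this pattern/tier as unlimited
        window = self.counters.setdefault(key, [now, 0])
        if now - window[0] >= WINDOW_SECONDS:
            window[0], window[1] = now, 0  # fixed window rolled over
        if window[1] >= limit:
            return "THROTTLED"
        window[1] += 1
        return "ALLOW"


if __name__ == "__main__":
    gw = Throttler(requires_auth=True)
    cookie = issue_gateway_cookie("s-1001")
    print(gw.decide(Request("/hotel/book", "10.0.0.1"), 0.0))          # no session
    print(gw.decide(Request("/hotel/book", "10.0.0.1", cookie), 0.0))  # alice, silver
    print(gw.decide(Request("/hotel/static/app.js", "10.0.0.1", cookie), 0.0))
```

A forged cookie such as `s-1001.deadbeef` fails the HMAC check and is treated as no session at all, which is the property the thread wants from a gateway-generated cookie; a fixed window is used here only to keep the model short, and a production gateway would use a sliding window or token bucket and store counters in a shared cache rather than in-process.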