[
https://issues.apache.org/jira/browse/NIFI-8782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-8782:
-----------------------------------
Status: Patch Available (was: Open)
> Add Rate-Limiting for Access Token Requests
> -------------------------------------------
>
> Key: NIFI-8782
> URL: https://issues.apache.org/jira/browse/NIFI-8782
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core UI, Security
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Labels: authentication, jetty, security
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The NiFi Jetty Server currently relies on the Jetty [Denial of Service
> Filter|https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter]
> to provide configurable rate-limiting for HTTP requests. The DoSFilter
> applies to all requests and setting the limit too low can cause unexpected
> problems during system administration or data transfer.
>
> When configured with a Login Identity Provider, Access Token requests support
> authenticating users against the specified provider. The number of Access
> Token requests from a given remote address should be minimal and predictable
> based on the expected number of authorized users. Introducing a separate
> configuration property and targeted filter for Access Token requests will
> allow the NiFi Jetty Server to reject excessive numbers of authentication
> attempts while permitting higher numbers of requests to other resources.
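An added example, not code from the NiFi patch, of the targeted limit the issue describes: a per-remote-address fixed-window counter that applies only to the access token path and lets every other request through to whatever general limit is in place. The class name, the path `/nifi-api/access/token`, the limit of 5 requests per second, the 429 response and the sample addresses are assumptions of this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: limits one path per remote address, passes everything else.
public class AccessTokenRateLimiter {
    private static final class Window {
        final long start;
        final int count;
        Window(long start, int count) { this.start = start; this.count = count; }
    }

    private final String tokenPath;   // assumed path, see main()
    private final int maxRequests;    // allowed requests per window, per address
    private final long windowMillis;
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public AccessTokenRateLimiter(String tokenPath, int maxRequests, long windowMillis) {
        this.tokenPath = tokenPath;
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    // Returns the status a filter would act on: 200 = continue the chain, 429 = reject.
    public int check(String remoteAddress, String requestPath, long nowMillis) {
        if (!tokenPath.equals(requestPath)) {
            return 200; // other resources stay under the general request limit only
        }
        Window w = windows.compute(remoteAddress, (addr, cur) ->
            cur == null || nowMillis - cur.start >= windowMillis
                ? new Window(nowMillis, 1)            // new window for this address
                : new Window(cur.start, cur.count + 1));
        return w.count > maxRequests ? 429 : 200;
    }

    // Drop expired windows so the map cannot grow without bound; call periodically.
    public void purge(long nowMillis) {
        windows.values().removeIf(w -> nowMillis - w.start >= windowMillis);
    }

    public static void main(String[] args) {
        // Constructed values: path, limit of 5 per second, and addresses are assumptions.
        AccessTokenRateLimiter limiter = new AccessTokenRateLimiter("/nifi-api/access/token", 5, 1000);
        for (int i = 1; i <= 7; i++) {
            System.out.println("token request " + i + " -> " + limiter.check("192.0.2.10", "/nifi-api/access/token", 100L * i));
        }
        System.out.println("other resource -> " + limiter.check("192.0.2.10", "/nifi-api/flow/status", 800));
        System.out.println("other address  -> " + limiter.check("192.0.2.11", "/nifi-api/access/token", 800));
        System.out.println("next window    -> " + limiter.check("192.0.2.10", "/nifi-api/access/token", 1200));
    }
}
```

In a servlet container the path scoping would normally come from the filter's URL mapping rather than a string comparison, and the remote address seen by the filter is the proxy's address when NiFi sits behind one.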