[ https://issues.apache.org/jira/browse/NIFI-8782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann updated NIFI-8782:
-----------------------------------
    Status: Patch Available  (was: Open)

> Add Rate-Limiting for Access Token Requests
> -------------------------------------------
>
>                 Key: NIFI-8782
>                 URL: https://issues.apache.org/jira/browse/NIFI-8782
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: authentication, jetty, security
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The NiFi Jetty Server currently relies on the Jetty [Denial of Service
> Filter|https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter]
> to provide configurable rate-limiting for HTTP requests. The DoSFilter
> applies to all requests and setting the limit too low can cause unexpected
> problems during system administration or data transfer.
> When configured with a Login Identity Provider, Access Token requests support
> authenticating users against the specified provider. The number of Access
> Token requests from a given remote address should be minimal and predictable
> based on the expected number of authorized users. Introducing a separate
> configuration property and targeted filter for Access Token requests will
> allow the NiFi Jetty Server to reject excessive numbers of authentication
> attempts while permitting higher numbers of requests to other resources.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
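
A minimal model of the targeted filter this issue proposes, added here as an illustration and not NiFi or Jetty code: a per-remote-address limiter scoped to the token path runs beside a general limiter, and the same constructed traffic is replayed against a low global limit for comparison. The paths, addresses and limits are assumptions chosen for the example.

```python
from collections import deque

class AddressRateLimiter:
    """Sliding one-second window per remote address, enforced only under path_prefix."""

    def __init__(self, path_prefix, max_per_second):
        self.path_prefix = path_prefix
        self.max_per_second = max_per_second
        self.windows = {}  # remote address -> times of accepted requests

    def allow(self, remote_addr, path, now):
        if not path.startswith(self.path_prefix):
            return True  # request is outside this limiter's scope
        window = self.windows.setdefault(remote_addr, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()  # forget requests older than one second
        if len(window) >= self.max_per_second:
            return False
        window.append(now)
        return True

# Assumed values for illustration; not NiFi paths, properties or defaults.
TOKEN_PATH = "/api/access/token"
DATA_PATH = "/api/data"

def handle(requests, general_limit, token_limit=None):
    """Return 200 or 429 for each (time, remote_addr, path) request."""
    limiters = [AddressRateLimiter("/", general_limit)]
    if token_limit is not None:
        limiters.append(AddressRateLimiter(TOKEN_PATH, token_limit))
    statuses = []
    for now, addr, path in requests:
        # Evaluate every limiter so each one records the request it accepted.
        verdicts = [limiter.allow(addr, path, now) for limiter in limiters]
        statuses.append(200 if all(verdicts) else 429)
    return statuses

def constructed_traffic():
    """Constructed sample: 20 token and 60 data requests from one address, one login from another."""
    burst = [(i * 0.01, "203.0.113.7", TOKEN_PATH) for i in range(20)]
    data = [(0.2 + i * 0.01, "203.0.113.7", DATA_PATH) for i in range(60)]
    login = [(0.5, "198.51.100.4", TOKEN_PATH)]
    return sorted(burst + data + login)

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("targeted filter:", handle(traffic, 100, 5).count(429), "rejected")
    print("low global limit:", handle(traffic, 5).count(429), "rejected")
```

Behind a reverse proxy the remote address seen by the server is the proxy's, so every user would share one window unless the key is taken from a trusted forwarded address. A long-running filter also needs to evict idle addresses, which this model omits.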