[ https://issues.apache.org/jira/browse/NIFI-8782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17380798#comment-17380798 ]
ASF subversion and git services commented on NIFI-8782:
-------------------------------------------------------

Commit c668d3df1baa4dd40f727aaa2bc1fab697520913 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=c668d3d ]

NIFI-8782 Added Rate-Limiting for Access Token Requests

- Added Jetty DoSFilter configured for /access/token
- Added nifi.web.max.access.token.requests.per.second property with default value of 25

Signed-off-by: Nathan Gough <thena...@gmail.com>

This closes #5215.

> Add Rate-Limiting for Access Token Requests
> -------------------------------------------
>
>                 Key: NIFI-8782
>                 URL: https://issues.apache.org/jira/browse/NIFI-8782
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: authentication, jetty, security
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The NiFi Jetty Server currently relies on the Jetty [Denial of Service
> Filter|https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter]
> to provide configurable rate-limiting for HTTP requests. The DoSFilter
> applies to all requests and setting the limit too low can cause unexpected
> problems during system administration or data transfer.
> When configured with a Login Identity Provider, Access Token requests support
> authenticating users against the specified provider. The number of Access
> Token requests from a given remote address should be minimal and predictable
> based on the expected number of authorized users. Introducing a separate
> configuration property and targeted filter for Access Token requests will
> allow the NiFi Jetty Server to reject excessive numbers of authentication
> attempts while permitting higher numbers of requests to other resources.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
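
The targeted filter described in the issue, sketched for an embedded Jetty 9 server as an added example; it is not the code from the NiFi commit. The class names, the filter name, the stub servlet, port 8080 and the `delayMs`/`trackSessions` choices are assumptions; only the `/access/token` path and the limit of 25 come from the message above.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlets.DoSFilter;

public class AccessTokenRateLimitExample {
    // Default named in the commit message; a deployment would read it from configuration.
    static final int MAX_ACCESS_TOKEN_REQUESTS_PER_SECOND = 25;

    /** Hypothetical stub standing in for the real endpoints. */
    public static class StubServlet extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.getWriter().println("ok " + req.getRequestURI());
        }
    }

    static ServletContextHandler buildContext() {
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new StubServlet()), "/*");

        FilterHolder tokenLimiter = new FilterHolder(DoSFilter.class);
        tokenLimiter.setName("AccessTokenRateLimit"); // hypothetical filter name
        tokenLimiter.setInitParameter("maxRequestsPerSec",
                String.valueOf(MAX_ACCESS_TOKEN_REQUESTS_PER_SECOND));
        // Assumption: -1 makes the filter reject requests over the limit instead of delaying them.
        tokenLimiter.setInitParameter("delayMs", "-1");
        // Assumption: count by remote address only, so a new session does not reset the count.
        tokenLimiter.setInitParameter("trackSessions", "false");
        // Exact-path mapping: requests to every other resource bypass this filter.
        context.addFilter(tokenLimiter, "/access/token", EnumSet.allOf(DispatcherType.class));
        return context;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // assumed port
        server.setHandler(buildContext());
        server.start();
        server.join();
    }
}
```

Behind a reverse proxy every request arrives from the proxy's address, so a per-address limit like this one is shared by all users unless the server is configured to use the forwarded client address.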