We have a method in our stateless EJB which queries our tables and returns the result. We designed the API thinking this should be a one-time call; I mean the user should call this method once in their flow.
Example: We are trying to get the history of work done by an Employee, and I pass EmployeeID to get the detail.
What is happening is that there are some systems which are using our API (the above method) and they are trying to call the method as a bulk query. Someone is using a for loop to get employee details for, say, 1000 employees and this is causing our System to hang.
My question is: is there a way I can implement something so the calling system cannot call my API in a bulk query?
Google uses a common technique for this - give out keys and require the user to pass the key in calls to your service. Then you can track when the key is used and limit it by time or volume. You could say only X calls per minute or X calls per day.
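A sketch of the key-plus-limit idea from the reply above, as an added example that is not part of the original thread. The class name `ApiKeyRateLimiter`, the key `partner-A`, and the fixed-window counting scheme are assumptions chosen for illustration.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class ApiKeyRateLimiter {
    private static final class Window {
        final long start;  // window start, epoch millis
        int calls;         // calls admitted in this window
        Window(long start) { this.start = start; }
    }
    private final Set<String> issuedKeys;  // keys handed out to client systems
    private final int maxCalls;
    private final long windowMillis;
    private final ConcurrentMap<String, Window> windows = new ConcurrentHashMap<>();

    public ApiKeyRateLimiter(Set<String> issuedKeys, int maxCalls, long windowMillis) {
        this.issuedKeys = Set.copyOf(issuedKeys);
        this.maxCalls = maxCalls;
        this.windowMillis = windowMillis;
    }

    /** Returns true if the call may proceed; false if the key is unknown or over its limit. */
    public boolean tryAcquire(String apiKey, long nowMillis) {
        // Reject unknown keys first so callers cannot grow the map with made-up keys.
        if (apiKey == null || !issuedKeys.contains(apiKey)) return false;
        boolean[] admitted = new boolean[1];
        // compute() runs atomically per key, so concurrent bean instances count correctly.
        windows.compute(apiKey, (key, w) -> {
            if (w == null || nowMillis - w.start >= windowMillis) w = new Window(nowMillis);
            if (w.calls < maxCalls) { w.calls++; admitted[0] = true; }
            return w;
        });
        return admitted[0];
    }

    public static void main(String[] args) {
        // Constructed scenario: one client loops over 1000 employee IDs; limit is 60 calls/minute.
        ApiKeyRateLimiter limiter = new ApiKeyRateLimiter(Set.of("partner-A"), 60, 60_000L);
        long now = 0L;  // simulated clock; production code would pass System.currentTimeMillis()
        int served = 0, rejected = 0;
        for (int employeeId = 1; employeeId <= 1000; employeeId++) {
            if (limiter.tryAcquire("partner-A", now)) served++; else rejected++;
            now += 10;  // one call every 10 ms
        }
        System.out.println("served=" + served + " rejected=" + rejected);
        System.out.println("unknown key admitted: " + limiter.tryAcquire("guessed-key", now));
        System.out.println("after window reset: " + limiter.tryAcquire("partner-A", 60_000L));
    }
}
```

Because stateless bean instances are pooled, the limiter has to live in one shared place (a singleton or static holder) and be checked before the query runs, so a rejected call never reaches the tables.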
You cannot prevent excessive calls without writing additional code. Even then, enforcement would be difficult because you would have to depend on the client to do "the right thing".
What you can do to help prevent the system from being overrun is specify a sensible upper bound on the number of pooled instances for the beans. However, even this will not help much if the problem is that the number of serial calls is just too high.
That in conjunction with asking the problematic application to be changed :-).
Hope it helps,
Independent Consultant — Author, EJB 3 in Action — Expert Group Member, Java EE 6 and EJB 3.1
Thanks Jeanne and Reza.
Jeanne, do you have any link from where I can get more details about controlling the calls based on volume?
Not to sidetrack the discussion - but from what I see, it's the API that needs to be fixed or tuned if possible. The API expects a userid and all it needs to return is the details. So it should not actually care about how many users are calling it, as long as it is tuned enough.
Someone is using a for loop to get employee details for say 1000 employees and this is causing our System to hang.
It applies to *any* other publicly accessible API, doesn't it?
Unless this is a public API available to the "world" (e.g. accessed via a web service) and you have no way of realistically communicating with the client base, it seems wrong to put in explicit bandwidth throttling mechanisms instead of fixing the API or the client.