200 or 400 per second for a single customer? Wow, there must be some serious hardware behind that to support that.
This is an interesting problem. I have recently implemented a solution where for each JAX-RS REST API method an MBean gets created automatically that allows you to turn it on or off completely, track its usage by IP address, allow IPs to be blacklisted and whitelisted, and some other monitoring and administration functionalities. The JAX-RS API has filter methods that make it relatively easy to hook into the normal request/response flow, and prevent access under certain circumstances - like a blacklisted IP address, or a customer going beyond the throttle threshold.
JAX-WS has a similar mechanism that works on two different levels - the SOAP level (javax.xml.ws.handler.soap.SOAPHandler) and the transport-independent message level (javax.xml.ws.handler.LogicalHandler). See https://jax-ws.java.net/articles/handlers_introduction.html for an introduction to how that works.
Thanks Ulf. How can we set the threshold details, etc. in SOAPHandler? What is the API we need to use here? Similarly, how can we handle the same in REST WS? Please clarify. Any code snippets are really appreciated.
There is no API to do that - you'll have to implement it yourself. But once you have the handlers in place, it's not hard to keep track of incoming requests, and do all the bookkeeping necessary to implement your requirements.
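One way to do that bookkeeping on the REST side, as an added example that is not code from anyone in this thread: a JAX-RS ContainerRequestFilter that keeps a token bucket per authenticated principal and aborts the request with 429 once the budget is spent. The 200 sustained / 400 burst figures are taken from the first post as assumed limits; the class, field and method names are my own.

```java
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Rejects requests once a caller exceeds its per-second budget (token bucket). */
@Provider
public class ThrottleFilter implements ContainerRequestFilter {

    // Assumed limits: 200 sustained requests/second per customer, burst of 400.
    static final double RATE_PER_SECOND = 200.0;
    static final double BURST_CAPACITY = 400.0;

    private final ConcurrentHashMap<String, Bucket> buckets = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Key on the identity the container authenticated, not on a client-supplied
        // header or a forwarded IP, so a caller cannot choose which bucket it drains.
        String key = ctx.getSecurityContext().getUserPrincipal() == null
                ? "anonymous"
                : ctx.getSecurityContext().getUserPrincipal().getName();
        Bucket bucket = buckets.computeIfAbsent(key, k -> new Bucket());
        if (!bucket.tryConsume(System.nanoTime())) {
            // 429 Too Many Requests; Retry-After lets well-behaved clients back off.
            ctx.abortWith(Response.status(429)
                    .header("Retry-After", "1")
                    .entity("rate limit exceeded for " + key)
                    .build());
        }
    }

    /** One token bucket; synchronized because several threads serve the same customer. */
    static final class Bucket {
        private double tokens = BURST_CAPACITY;
        private long lastRefillNanos = System.nanoTime();

        synchronized boolean tryConsume(long nowNanos) {
            // Refill proportionally to elapsed time, capped at the burst capacity.
            double elapsedSeconds = (nowNanos - lastRefillNanos) / 1_000_000_000.0;
            tokens = Math.min(BURST_CAPACITY, tokens + elapsedSeconds * RATE_PER_SECOND);
            lastRefillNanos = nowNanos;
            if (tokens < 1.0) return false;
            tokens -= 1.0;
            return true;
        }
    }
}
```

The map grows by one entry per distinct principal and is never pruned here; in a long-running service you would evict idle buckets or back them with a shared store if the API runs on more than one node.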
I wouldn't implement this in Java myself. There are plenty of firewall/HTTP proxy/load balancer products available that provide traffic throttling right out of the box. You might want to look at your load balancer configuration. You might have something already.
The point as I understand it would be to do this on a per-user basis, though, for which parts of the URL (or possibly a header) would need to be examined, and action taken accordingly. That might not be possible with an external approach.
A single "user" firing 200 requests a second seems highly unlikely. "Customer" could mean many things. In this context, "customer" likely means a company that is buying the product for 500 of its employees.
Right, but it still sounds to me as if the WS would be hosted by the company that offers it, not by the customer. Assuming that the WS would not be run on separate hardware for each customer, there would still be a need to treat incoming requests differently based on some authentication provided with the WS call. But no need to guess - Rithanya should be able to tell us if that's a concern.