We use Jersey 2.x (Jersey + Spring + Tomcat) to expose REST-based web services. For monitoring purposes, I need to maintain a histogram capturing the sizes of responses sent by the server to clients over time. Is it possible to do this using Jersey?
One suggested way is to write a servlet Filter (for Tomcat) that reads every request and response and captures size information for responses. But I am worried about the performance impact of introducing a filter, so I am looking for a solution within Jersey.
Any other suggestion (way out) will also be appreciated.
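Jersey can do this without a servlet filter via a `WriterInterceptor` that wraps the entity output stream in a counting stream and records the byte count into your histogram after `context.proceed()` returns. A minimal, framework-free sketch of the counting wrapper (the histogram backend, e.g. Metrics/Micrometer, and the Jersey registration are assumptions left to comments):

```java
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Counts every byte written through it. In Jersey, register a
// javax.ws.rs.ext.WriterInterceptor, wrap context.getOutputStream()
// with this class, call context.proceed(), then record getCount()
// into your histogram.
class CountingOutputStream extends FilterOutputStream {
    private long count = 0;

    CountingOutputStream(OutputStream out) {
        super(out);
    }

    @Override
    public void write(int b) throws IOException {
        out.write(b);
        count++;
    }

    @Override
    public void write(byte[] b, int off, int len) throws IOException {
        out.write(b, off, len);
        count += len;
    }

    long getCount() {
        return count;
    }
}
```

Since the interceptor only wraps the stream and increments a counter per write, the overhead should be negligible compared with a full servlet filter that buffers the response.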
Related
All our services currently run over SOAP. Now a client is asking us to provide a REST service.
I have two options
Write a wrapper for the existing SOAP services to provide RESTful services
Write a brand new RESTful service.
Which is better (in performance perspective)?
A single service usually has better performance than a service and a proxy (wrapper).
However, SOAP and REST (with JSON) services are approximately equal in performance. In parsing/serializing XML and JSON into object representations (with Jackson or JAXB), the object creation is the most demanding part, not reading the JSON or XML format. The overall impact on performance is probably lower than 5 percent; a single core can usually top 50 MB/s in parse/serialize capacity.
The above also implies that if you already have a very optimized SOAP backend, probably going with the proxy is the right choice.
Moving from SOAP to REST you should use a tool like swagger (OpenAPI) to define the service in as much detail as the SOAP service. Note that REST services also can use XML, but probably that is not what your client is expecting.
Writing a new REST web service would definitely be the better choice, because:
REST is lightweight due to statelessness (inherited from HTTP): no per-client state is maintained on the server, which keeps your resources free.
You don't require a schema as you do for a SOAP web service, so the heavyweight SOAP envelope marshalling and unmarshalling is avoided, which helps performance.
Testing a REST service is easy.
A REST API also makes it straightforward to build an app on top of it later, should you need one.
REST supports multiple data exchange formats, e.g. JSON, plain text, etc.
REST can be easily integrated with high-end frameworks like Spring.
You can document the service via Swagger to capture knowledge about it for business understanding.
I am planning to implement RESTful web services to return large XML responses (up to 50 MB). Is REST ideal for such requests, or is SOAP (JAX-WS) better? Do I need to use some other protocol to make it more robust when it comes to marshalling/unmarshalling?
REST uses a regular HTTP GET, and HTTP GET is stable for very large payloads. Downloading a 50 MB file (or other content) is done quite regularly over HTTP.
You only need to make sure that there are not any other delays due to processing in the middle that would cause the connection to time out (usually ~2 minutes). This is unlikely to be a problem.
If you use Restlet you can stream data of any size back to the client using ReadableRepresentation (I'm doing gigabytes). It takes a bit of effort but it works fine.
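Whether you use Restlet's ReadableRepresentation or JAX-RS's StreamingOutput, the key point is the same: copy the payload in fixed-size chunks instead of materializing all 50 MB in memory. A framework-free sketch of that core loop (the 8 KB buffer size is an arbitrary choice):

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

class StreamCopier {
    // Copies source to sink in 8 KB chunks, so memory use stays constant
    // regardless of payload size. Inside a JAX-RS StreamingOutput.write(out)
    // or a Restlet ReadableRepresentation you would call this with the
    // response's output stream as the sink.
    static long copy(InputStream source, OutputStream sink) throws IOException {
        byte[] buffer = new byte[8192];
        long total = 0;
        int read;
        while ((read = source.read(buffer)) != -1) {
            sink.write(buffer, 0, read);
            total += read;
        }
        sink.flush();
        return total;
    }
}
```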
We are using Tomcat 7 for our web application. We provide an XML based API so that our customers can communicate with our server in a machine-to-machine way (no web browser needed). The requests are processed by a servlet.
We need to prevent users from sending too many requests in a row. Some of the services we provide involve polling for results and users may make requests in a loop without any pauses, making dozens of requests per second for nothing.
How can we protect ourselves from being flooded with useless requests? Is there a simple way to block requests at the servlet entry level when there are too many requests originating from the same IP? Is there something built into Tomcat to deal with this problem?
Assuming that you are using an Apache reverse proxy in front of Tomcat (if you aren't, you should be), use mod_cband on the Apache layer.
You could code your own.
Starting points for looking at this would be the Servlet API, in particular the Filter interface and the getRemoteHost() method of the ServletRequest interface.
It should be easy enough to write a Filter implementation that stores a count of requests from each host and takes action if a limit is exceeded.
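A sketch of the counting logic such a Filter could delegate to: a fixed-window counter per remote host (the window length and limit are arbitrary choices; the doFilter wiring, calling allow(request.getRemoteHost()) and rejecting with a 429/503, needs the Servlet API and is left as a comment):

```java
import java.util.concurrent.ConcurrentHashMap;

// Fixed-window rate limiter keyed by host. A Filter implementation would
// call allow(request.getRemoteHost()) in doFilter() and refuse the request
// when it returns false.
class PerHostRateLimiter {
    private final int limit;
    private final long windowMillis;
    private final ConcurrentHashMap<String, long[]> windows = new ConcurrentHashMap<>();

    PerHostRateLimiter(int limit, long windowMillis) {
        this.limit = limit;
        this.windowMillis = windowMillis;
    }

    boolean allow(String host) {
        long now = System.currentTimeMillis();
        long[] state = windows.compute(host, (k, v) -> {
            if (v == null || now - v[0] >= windowMillis) {
                return new long[] { now, 1 };   // new window: start time, count
            }
            v[1]++;                             // same window: bump the count
            return v;
        });
        return state[1] <= limit;
    }
}
```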
Spring Security has a lot of the features of Apache httpd's mod_security if you want a Java-only solution.
Apache's mod_evasive
or mod_security
could cover your need here. For more serious attacks that require protection in front of your own hardware, you might consider Cloudflare.
I am developing a simple REST API using Spring 3 + Spring MVC. Authentication will be done through OAuth 2.0 or basic auth with a client token using Spring Security. This is still under debate. All connections will be forced through an SSL connection.
I have been looking for information on how to implement rate limiting, but it does not seem like there is a lot of information out there. The implementation needs to be distributed, in that it works across multiple web servers.
E.g. if there are three API servers A, B, and C, and clients are limited to 5 requests per second, then a client that makes 6 requests like so will find the request to C rejected with an error.
A recieves 3 requests \
B receives 2 requests | Executed in order, all requests from one client.
C receives 1 request /
It needs to work based on a token included in the request, as one client may be making requests on behalf of many users, and each user should be rate limited rather than the server IP address.
The setup will be multiple (2-5) web servers behind an HAProxy load balancer. There is a Cassandra backend, and memcached is used. The web servers will be running on Jetty.
One potential solution might be to write a custom Spring Security filter that extracts the token and checks how many requests have been made with it in the last X seconds. This would allow us to do some things like different rate limits for different clients.
Any suggestions on how it can be done? Is there an existing solution or will I have to write my own solution? I haven't done a lot of web site infrastructure before.
It needs to work based on a token included in the request, as one client may be making requests on behalf of many users, and each user should be rate limited rather than the server IP address.
The setup will be multiple (2-5) web servers behind an HAProxy load balancer. There is a Cassandra backend, and memcached is used. The web servers will be running on Jetty.
I assume the service is a request/response HTTP(S) protocol, and you use HAProxy as the frontend.
HAProxy can load-balance on the token; you can check the HAProxy documentation for this.
Then all requests carrying the same token will reach the same web server, and that web server can use a simple in-memory cache to implement the rate limiter.
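A sketch of what that could look like in haproxy.cfg, assuming the client token arrives in an X-Auth-Token header (the header name and server addresses are placeholders): `balance hdr(<name>)` hashes on a request header, so all requests with the same token land on the same backend server.

```
backend api_servers
    # Hash on the token header so one client's requests stick to one server;
    # that server can then rate-limit from local memory.
    balance hdr(X-Auth-Token)
    server a 10.0.0.1:8080 check
    server b 10.0.0.2:8080 check
    server c 10.0.0.3:8080 check
```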
I would avoid modifying application level code to meet this requirement if at all possible.
I had a look through the HAProxy load-balancing documentation; there is nothing too obvious there, but the requirement may warrant a full investigation of ACLs.
Putting HAProxy to one side, a possible architecture is to put an Apache WebServer out front and use an Apache plugin to do the rate limiting. Over-the-limit requests are refused out front and the application servers in the tier behind Apache are then separated from rate limit concerns making them simpler. You could also consider serving static content from the Web Server.
See the answer to this question How can I implement rate limiting with Apache? (requests per second)
I hope this helps.
Rob
You could put rate limits at various points in the flow (generally, the higher up the better), and the general approach you have makes a lot of sense. One option for the implementation is to use 3scale (http://www.3scale.net) - it does rate limits, analytics, key management, etc., and works either with a code plugin (the Java plugin is here: https://github.com/3scale/3scale_ws_api_for_java) which pushes, or by putting something like Varnish (http://www.varnish-cache.org) in the pipeline and having that apply the rate limits.
I was also thinking about similar solutions a couple of days ago. Basically, I prefer a "centrally controlled" solution to save the state of the client requests in a distributed environment.
In my application, I use a "session_id" to identify the requesting client. Then I create a servlet filter or Spring HandlerInterceptorAdapter to intercept the request and check the "session_id" against the centrally controlled data repository, which could be memcached, Redis, Cassandra, or ZooKeeper.
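A sketch of the check such an interceptor could perform, using a true sliding window of request timestamps per session_id. The in-process map here is a stand-in for the central store; in Redis the same idea maps onto a sorted set trimmed with ZREMRANGEBYSCORE and counted with ZCARD (all names and limits below are illustrative choices):

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ConcurrentHashMap;

// Sliding-window limiter: keeps the timestamps of recent requests per
// session and rejects once 'limit' of them fall inside the window.
class SlidingWindowLimiter {
    private final int limit;
    private final long windowMillis;
    private final ConcurrentHashMap<String, Deque<Long>> store = new ConcurrentHashMap<>();

    SlidingWindowLimiter(int limit, long windowMillis) {
        this.limit = limit;
        this.windowMillis = windowMillis;
    }

    synchronized boolean allow(String sessionId, long nowMillis) {
        Deque<Long> stamps = store.computeIfAbsent(sessionId, k -> new ArrayDeque<>());
        // Drop timestamps that have slid out of the window.
        while (!stamps.isEmpty() && nowMillis - stamps.peekFirst() >= windowMillis) {
            stamps.pollFirst();
        }
        if (stamps.size() >= limit) {
            return false;
        }
        stamps.addLast(nowMillis);
        return true;
    }
}
```

Unlike a fixed window, this never admits a burst of 2x the limit across a window boundary, at the cost of storing one timestamp per admitted request.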
We use Redis as the leaky-bucket backend:
Add a controller as the entrance
Cache the token as a key with an expiry time (e.g. in a Guava cache)
Then filter every request
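The leaky-bucket logic itself is small. A framework-free sketch (in production, the level and timestamp would live in Redis per token and be updated atomically, e.g. via a Lua script, rather than in object fields):

```java
// Leaky bucket used as a meter: each request pours one unit into the
// bucket, which leaks at a fixed rate; a request that would overflow
// the bucket is rejected.
class LeakyBucket {
    private final double capacity;
    private final double leakPerMilli;
    private double level = 0;
    private long lastMillis;

    LeakyBucket(double capacity, double leaksPerSecond, long nowMillis) {
        this.capacity = capacity;
        this.leakPerMilli = leaksPerSecond / 1000.0;
        this.lastMillis = nowMillis;
    }

    synchronized boolean allow(long nowMillis) {
        // Leak out whatever has drained since the last request.
        level = Math.max(0, level - (nowMillis - lastMillis) * leakPerMilli);
        lastMillis = nowMillis;
        if (level + 1 > capacity) {
            return false;   // bucket would overflow: reject
        }
        level += 1;
        return true;
    }
}
```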
It is best to implement the rate limit using Redis. For more info, please look at this rate-limiting example in JS.
I understand that a web service provides full SOAP/WSDL support and stands at a higher level than a servlet. But suppose I just want to expose a REST API that allows another application (the client) to make a few very simple queries, which could even be done via a web browser.
eg. http://serverIP/getUserInfo/123
where 123 is the user's ID. Let's just assume user info is returned as JSON.
Questions are:
Is there a big difference between implementing it in Servlet and Jersey?
If the client application is written in .net, does that make any difference?
Is it true that JAX-RS allows you to specify the MIME type to be JSON, while a servlet client has to parse the result?
From a performance perspective, which one is quicker? I noticed that, normally, Jersey is not meant to be deployed on Tomcat while a servlet is.
Is there a big difference between implementing it in Servlet and Jersey?
Jersey is a framework that makes it a lot easier to write RESTful services. It uses the Servlet API underneath, so it abstracts away a lot of the low-level work.
Using only the Servlet API, you have to write a lot more code, and that code has to deal with a lot of low-level details that Jersey lets you configure declaratively.
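To make the difference concrete, here is a hypothetical sketch of just the hand-rolled part for a call like /getUserInfo/123: extracting the path parameter and serializing JSON by hand, which in a servlet would live in doGet() reading request.getPathInfo(). A Jersey resource replaces all of it with a @Path("/getUserInfo/{id}") annotation, an @PathParam, and a returned object:

```java
// Hand-rolled equivalent of what Jersey derives from annotations:
// extract the path parameter, look up the user, serialize JSON manually.
class UserInfoHandler {
    static String handle(String path) {
        String prefix = "/getUserInfo/";
        if (!path.startsWith(prefix)) {
            return "{\"error\":\"not found\"}";
        }
        String id = path.substring(prefix.length());
        // A real implementation would query a user store here; this
        // placeholder just echoes the id back.
        return "{\"id\":\"" + id + "\",\"name\":\"user-" + id + "\"}";
    }
}
```

Multiply this by every route, content type, and error case, and the amount of boilerplate Jersey removes becomes clear.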
If the client application is written in .net, does that make any difference?
No
Is it true that jax-ws allows you to specify the MIME type to be json while servlet's client has to parse the result?
Jersey lets you declare the MIME type using annotations, but that's only for convenience; you still have to parse the incoming payload to check for the correct MIME type.
From performance perspective, which one is quicker?
That depends on whether you can write a faster implementation than the Jersey team's. Jersey uses servlets as well.
I noticed that normally, Jersey is meant not to be deployed on Tomcat while Servlet is.
Tomcat is a servlet container, and Jersey uses the Servlet API to communicate over HTTP. There are web frameworks that don't use servlets, for instance the Play framework.