Post Execution Condition

[cjacky475]

Hello, I have somes questions regarding #71, one of them might be an issue, but we'll see. @MarcGiffing, you was on it, maybe you could elaborate?:

1. How does post-execute help to solve an issue of throttling unauthenticated and authenticated users? This post execute, as you mentioned, only consumes tokens if e. g. <401> is received, so how do I exactly, referring to that issue again, solve a problem, where authenticated users should have more tokens than unauthenticated (also higher ROLES have higher tokens)? How do I filter authenticated/anonymous users to provide different filtering?

   Can you please refer to execute-condition not working correctly when using UsernamePasswordAuthenticationFilter #71 (comment) to answer this? Thank you.

   Maybe I am not understanding this post-execute correctly, but I need to use tokens for each request to prevent DoS, this post-execute only uses for specified response code.

2. I am using session-based login and I tried adding:

      rate-limits:
        - post-execute-condition: getStatus() eq 401
          cache-key: getRemoteAddr()
          bandwidths:
            - capacity: 1
              time: 60
              unit: seconds

I can still request as many times without 429 error. I tried different codes, since Postman shows 401, but Logbook 403, still, nothing. I
tried 200 as well. The only filter that works is via checking by execute-condition of the user roles, but this throws me back again to that
issue.

[MarcGiffing]

1. Can authenticated and unauthenticated users access the same resource, without a 401? If that's the case. You don't need the post-execute-condition (maybe post-consume-condition is a better name?). You can place one filter after the Security filter:

bucket4j:
  enabled: true
  filters:
    - id: filter1
      cache-name: rate-limit-buckets
      filter-order: 1 # after Security Filter
      url: .*
      metrics:
      rate-limits:
        - execute-condition: "@rateLimitService.role() == 'ROLE_USER'" # or != 'ROLE_ANONYMOUS' 
          cache-key: "@rateLimitService.username()"
          bandwidths:
            - capacity: 5
              time: 20
              unit: seconds
        - execute-condition: "@rateLimitService.role() == 'ROLE_ANONYMOUS'"
          cache-key: getRemoteAddr()
          bandwidths:
            - capacity: 2
              time: 20
              unit: seconds

If the security filter rejects the the request with a 401 you must use two filters. The first one for unauthenticated users and the second one for the authenticated users:

bucket4j:
  filters:
    - id: for_unauthenticated_users
      cache-name: rate-limit-buckets
      filter-order: -200  # before spring security for unauthenticated users
      url: .*
      rate-limits:
        - cache-key: getRemoteAddr() # rate limit by IP address
          bandwidths:
            - capacity: 2
              time: 20
              unit: seconds
    - id: for_authenticated_users
      cache-name: rate-limit-buckets
      filter-order: 1 # after security filter
      url: .*
      metrics:
      rate-limits:
        - cache-key: "@rateLimitService.username()" # if it's after security all users must be authenticated (if there is no role anonymous)
          bandwidths:
            - capacity: 5
              time: 20
              unit: seconds

2. Can you set the logging level to debug for com.giffing? Can you set the post-execute-condition to true to see if there is a problem with the status code?

[cjacky475]

Hi,

authenticated and anonymous users cannot access same resource without a 401,

• if user is authenticated, he will NOT get 401, I want to give him X capacity
• if user is anonymous, he will get 401, I need to give him lower Y capacity

In all scenarios every request must consume a request for DoS prevention, not only when request comes 401.

Your below configuration rate limits everyone under capacity 2, since every request comes before spring security that executes for all users.

bucket4j:
  filters:
    - id: for_unauthenticated_users
      cache-name: rate-limit-buckets
      filter-order: -200  # before spring security for unauthenticated users
      url: .*
      rate-limits:
        - cache-key: getRemoteAddr() # rate limit by IP address
          bandwidths:
            - capacity: 2
              time: 20
              unit: seconds
    - id: for_authenticated_users
      cache-name: rate-limit-buckets
      filter-order: 1 # after security filter
      url: .*
      rate-limits:
        - cache-key: "@rateLimitService.username()" # if it's after security all users must be authenticated (if there is no role anonymous)
          bandwidths:
            - capacity: 5
              time: 20
              unit: seconds

2. I realized I had filter-order to 1, thats why it did not call. its fine now, i have getStatus() eq 403.

Maybe I figured the solution, but not sure if that's correct, would you approve this:

bucket4j:
  enabled: true
  filters:
    - id: filter1
      cache-name: rate-limit-buckets
      filter-method: servlet
      url: '.*'
      rate-limits:
        - post-execute-condition: getStatus() eq 403
          cache-key: getRemoteAddr()
          bandwidths:
            - capacity: 2
              time: 60
              unit: seconds
    - id: filter2
      cache-name: rate-limit-buckets
      filter-method: servlet
      filter-order: 1
      url: '.*'
      rate-limits:
        - execute-condition: "@myRateLimitService.role() == 'ROLE_USER'"
          cache-key: getRemoteAddr()
          bandwidths:
            - capacity: 5
              time: 60
              unit: seconds
    <...> more filters or conditions for authenticated users <...>

Now if user gets 403 (meaning anonymous?) he is capped for capacity 2. Otherwise I move on (meaning he must be authenticated), I can use filter-order: 1, now I can check based on anything I wish, since I have auth context?

[MarcGiffing]

Sorry I forgot to add the post-execute-condition in my proposal. Yes your solution seems to fit your problem if the first filter is executed before Spring security (which should be the default). I tried to visualize the post-execute-condition in the Readme
Image

If you sometimes may get a 401 status code my suggestion for improvement is to call a service which checks is the user is authenticated. Then your independent from the status code.

post-execute-condition: "yourService.isNotAuthenticated()"

To prevent attacks you should consider to add multiple rate limit configurations:

https://bucket4j.com/8.9.0/toc.html#short-timed-bursts