2

I have a REST API that is expected to receive a large payload as request body. The API calls a blocking method that takes 2 seconds to process each request and then returns 200 OK. I wish to introduce throttling based on available memory such that the API returns 429 Too Many Request when the available memory falls below a threshold.

When the threshold condition is met, I wish to reject subsequent requests right away, even before loading the large request payloads in my application memory. This will also give me some protection against denial of service attacks.

In a Java EE, Tomcat environment, if I use a Filter to check available memory, I understand the complete request is already loaded in memory. Is it then better to add the check in ServletRequestListener.requestInitialized method so that I can reject the request even before the app receives it?

P.S. I use the below formula to calculate available memory based on this SO post:

long presumableFreeMemory =
            Runtime.getRuntime().maxMemory()
            - Runtime.getRuntime().totalMemory()
            + Runtime.getRuntime().freeMemory();
Somu
  • 3,023
  • 4
  • 26
  • 41
  • I bet this can only be accomplished by hooking to the specific application server web request processing pipeline. Which are you using? If on Tomcat a Valve might be the right thing - but this is a wild guess. – Nikos Paraskevopoulos Aug 31 '18 at 08:00
  • Thanks @NikosParaskevopoulos, yes Tomcat – Somu Sep 06 '18 at 03:48

0 Answers0