Support for request rate limiting at framework level

[ardatosun]

Hi Spring team,
Following the guidance in spring-projects/spring-boot/issues/45182 , I'd like to propose a framework-level feature for supporting rate limiting in Spring.

While solutions exist at the infrastructure level (e.g. NGINX, API gateways), we often need some type of rate limiting that is tied to business logic. As a developer who likes Spring framework, I thought it would be powerful to have rate limiting support at the framework level that can be extended by the ecosystem and later on automatically configured by Spring Boot.

The idea here would be limited to framework abstractions and extensibility. Spring Boot support (e.g. auto configured Redis integration) would be handled downstream. An example annotation would be like:

@RateLimit(useCase = "some-action")

that would be placed on top of a Spring MVC controller method to apply rate limit on that endpoint. Further configuration could be applied with something like:

rate-limiter:
  use-cases:
    some-action:
      identifiers:
        ip-address:
          rules:
            - max-limit: 5
              duration: PT1M
            - max-limit: 15
              duration: PT5M
        jwt-user-id:
          rules:
            - max-limit: 5
              duration: PT1M

where different identifiers would be responsible for determining the value to apply the rate limit on. In this example, it would mean that for the some-action use case, I am going to apply per IP address a limit of 5 requests per minute and 15 requests per 5 minutes separately, on the same endpoint. However, I am not too concerned on how things should be implemented as of creating this issue.

I would like to collect feedback if this kind of feature aligns with Spring's direction and would be interested to discuss and come up with concrete ideas on how to implement such feature.

Thanks.

[bclozel]

I'm not sure our opinion will differ from #18482

If anything the environment is even more complex and gateways centralize such concerns.

[bclozel]

It seems that #18482 (comment) still applies.

For this to work, we would need to create new APIs and more importantly, new SPIs for providers to implementation. This would need to take into account the many aspects of this space: rate-limiting algorithms, multi-tenant support, multi-host support, API token support, etc.

As outlined by Rossen, implementing this at the controller level is way too late in the process for this to be efficient. It is also very likely that such rate-limiting must be supported across various applications (see for example the rate-limiting Spring Cloud Gateway support).

For those reasons, we are declining this feature. Thanks for raising this!