Rate limiting private REST APIs using Java Spring-boot, spring-security and bucket4j

Rate limiting REST APIs using Spring-security filter and Bucket4J

Deployed Application (Swagger-ui on heroku)

Inspired from: Baeldung Article

Application flow

• There are 3 entities in this POC with the mentioned key columns
  • users
    • user_id (UUID)
    • email_id
    • password
  • plans
    • plan_id (UUID)
    • name
    • limit_per_hour
  • user_plan_mappings
    • user_id
    • plan_id
    • is_active
• Three plans are inserted in the H2-in memory database on startup PlanDataInitializer.class
• A user_account (record in users table) is created and linked to the provided plan using the /sign-up API path
• We create a bucket using Bucket4j corresponding to the user_id and store it in an in-memory cache (ConcurrentHashMap used for demo purposes) when the user hits a private API using the JWT recieved after successfull login (user_id is encoded in the JWT)
• The above mentioned logic is implemented in the RateLimitingService.class
• We create a RateLimitFilter extending the OncePerRequestFilter.class and it to the spring-security filter chain
• We send an error response of HttpStatus.TOO_MANY_REQUESTS, if the user has exchausted the limit assigned to them per their configured plan
• Remove the <UUID, Bucket> mapping in the in-memory cache when the user updates their plan

Sample Screen Recording (1 minute long)

Local Setup

• Install Java 17 (recommended to use SdkMan)

sdk install java 17-open

• Install Maven (recommended to use SdkMan)

sdk install maven

• Clone the repo and run the below command in core

mvn clean install

• To start the application, run any of the below 2 commands

mvn spring-boot:run &

java -jar /target/rate-limiting-api-spring-boot-0.0.1-SNAPSHOT.jar &

• Access the swagger-ui

http://localhost:8080/swagger-ui.html