[App Manager] Throttling implementation for App Manager


[App Manager] Throttling implementation for App Manager

venura
Hi,

As you may already be aware, 'App Manager' is capable of providing a gateway for web applications. Web apps can be registered in the publisher and published to the store so that users can subscribe to and consume web applications.

Currently we are at the stage of implementing throttling for the gateway. This is a bit different from API Manager since the consumer/client of the web application is not capable of sending a unique identifier to the gateway (in AM this unique identifier is the OAuth token which is given to a client application). This is because the client should be able to type the gateway URL in the browser and access the web app.

We need to identify the client who is calling the gateway and throttle based on the client.

Any ideas on this are most welcome.

Regards,
Venura

--
Senior Software Engineer

Mobile: +94 71 82 300 20


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: [App Manager] Throttling implementation for App Manager

Suresh Attanayaka
Hi Venura,

I'm confused, are we going to throttle based on User or Client or both? I assume a client is a web browser.

Thanks,
-Suresh 


On Mon, Feb 10, 2014 at 6:58 PM, Venura Kahawala <[hidden email]> wrote:




--
Suresh Attanayake
Senior Software Engineer; WSO2 Inc. http://wso2.com/
Mobile : +94755012060
Mobile : +016166171172


Re: [App Manager] Throttling implementation for App Manager

venura
Hi Suresh,

I meant the user, not the web browser. 

Regards,
Venura


On Mon, Feb 10, 2014 at 9:56 PM, Suresh Attanayaka <[hidden email]> wrote:





Re: [App Manager] Throttling implementation for App Manager

venura
Hi,

One way of doing this is based on the authentication mechanism. For example, a web application publisher can decide what authentication mechanism is going to be used for the web application. Let's take SAML as an example [1]. With the subject of the SAML response, the user can be identified and throttling can be applied. If the web application publisher decides that the web app need not be authenticated, then user-based throttling is not applicable.

Please share your thoughts.

[1] https://docs.google.com/a/wso2.com/drawings/d/1yYe6n17sBGhegEyu8aym-C44gsZEkfsZDR3ZUTzj38k/edit?usp=sharing

Regards,
Venura



On Mon, Feb 10, 2014 at 10:05 PM, Venura Kahawala <[hidden email]> wrote:



Re: [App Manager] Throttling implementation for App Manager

Suresh Attanayaka
Hi Venura,

The SAML Response would not be available for every subsequent request even though the user is successfully authenticated. The best way would be to check the session ID and have a map between the authenticated session and the username. This way you do not need to know how the user was authenticated; it can be SAML, OAuth or OpenID.

And if the app is configured in such a way that it does not require authentication, then throttling should be done as for an anonymous user. If the app requires authentication and the request doesn't have an authenticated session, the user should be redirected to the IDP.

Thanks,
-Suresh   


On Tue, Feb 11, 2014 at 12:33 PM, Venura Kahawala <[hidden email]> wrote:




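The two ideas above, Venura's "identify the user from the SAML subject" and Suresh's "map the authenticated session to the username and throttle on that", fit together as one flow: the SAML Response is consumed once at login, and every later request is keyed by a gateway session cookie. The following Python is an added illustration written for this thread, not App Manager code; the sample SAML Response, the cookie name gw_session, the 60-second sliding window and the per-app-plus-user key are all assumptions.

```python
"""Session-keyed throttling for a web-app gateway.

Added illustration, not App Manager code. The idea from the thread:
  1. The SAML Response is seen once, at login. Extract the Subject NameID and
     mint an unguessable gateway session mapped to that user.
  2. Later requests carry only the session cookie, so the throttle identity is
     looked up from the session -> user map, never re-derived from SAML.
  3. Apps that require authentication redirect sessionless requests to the IdP;
     apps that do not count everything against a shared "anonymous" bucket.
"""
import secrets
import time
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response, deliberately minimal and unsigned.
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def subject_from_saml_response(xml_text):
    """Return the Subject NameID of a SAML 2.0 Response.

    Assumption: the caller has already verified the XML signature, audience and
    validity window. Only a verified assertion may name the throttle identity;
    otherwise anyone could post a home-made Response and pick their own bucket.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML Response carries no Subject NameID")
    return name_id.text.strip()


class Gateway:
    def __init__(self, idp_url, limit_per_minute, clock=time.monotonic):
        self.idp_url = idp_url
        self.limit = limit_per_minute
        self.clock = clock               # injectable for deterministic tests
        self.sessions = {}               # gateway session id -> username
        self.hits = defaultdict(deque)   # throttle key -> request timestamps

    def login(self, saml_response_xml):
        """Consume the (verified) SAML Response once and return a session id."""
        user = subject_from_saml_response(saml_response_xml)
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; set it HttpOnly+Secure
        self.sessions[sid] = user
        return sid

    def _allow(self, key):
        """Sliding 60 s window: at most `limit` requests per key."""
        now = self.clock()
        window = self.hits[key]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True

    def handle(self, app, requires_auth, cookies):
        """Decide what the gateway does with one request (assumed cookie: gw_session)."""
        user = self.sessions.get(cookies.get("gw_session", ""))
        if requires_auth and user is None:
            return {"action": "redirect", "location": self.idp_url}
        key = f"{app}:{user or 'anonymous'}"
        if not self._allow(key):
            return {"action": "throttled", "status": 429, "key": key}
        return {"action": "forward", "key": key}


if __name__ == "__main__":
    gw = Gateway("https://idp.example.com/sso", limit_per_minute=2)
    sid = gw.login(SAMPLE_SAML_RESPONSE)
    print(gw.handle("/hotel", True, {}))                    # redirect: no session
    print(gw.handle("/hotel", True, {"gw_session": sid}))   # forward
    print(gw.handle("/hotel", True, {"gw_session": sid}))   # forward
    print(gw.handle("/hotel", True, {"gw_session": sid}))   # throttled
```

A forged or unknown cookie value simply has no entry in the session map, so it is treated exactly like a missing session: redirect for protected apps, the shared anonymous bucket for open ones. Signature verification of the Response must happen before `subject_from_saml_response` is called; the parser itself does nothing to authenticate the assertion.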

Re: [App Manager] Throttling implementation for App Manager

Nuwan Dias
Hi,

I don't think throttling a web app is practically doable :).

Think of the complications a bit: you will need to skip all requests for things like CSS, JS, images, etc. Then, how are we going to handle cases like users pressing the 'refresh' button on the browser? Is that going to count as another request? If not, how do we skip that particular request?

Even though the publisher (owner of the web app) is responsible for defining the throttling limits, this would mean that the web app logic is closely tied to the app on the App Gateway. Making even a slight change to the web app might require them to change the throttling limits set on the Gateway.

Thanks,
NuwanD.


On Tue, Feb 11, 2014 at 12:50 PM, Suresh Attanayaka <[hidden email]> wrote:




--
Nuwan Dias

Senior Software Engineer - WSO2, Inc. http://wso2.com
Phone : +94 777 775 729


Re: [App Manager] Throttling implementation for App Manager

sumedha rubasinghe
In reply to this post by Suresh Attanayaka
I think we should not worry about throttling for anonymous mode at this point. Let's assume all applications require authentication and do throttling based on session ID.

One thing with session ID is the possibility of it being hijacked.


On Tue, Feb 11, 2014 at 12:50 PM, Suresh Attanayaka <[hidden email]> wrote:




--
/sumedha
b :  bit.ly/sumedha


Re: [App Manager] Throttling implementation for App Manager

venura
In reply to this post by Suresh Attanayaka
Hi,


On Tue, Feb 11, 2014 at 12:50 PM, Suresh Attanayaka <[hidden email]> wrote:
Hi Venura,

The SAML Response would not be available for every subsequent request even though the user is successfully authenticated. The best way would be to check the session ID and have a map between the authenticated session and the username. This way you do not need to know how the user was authenticated; it can be SAML, OAuth or OpenID.

And if the app is configured in such a way that it does not require authentication, then throttling should be done as for an anonymous user. If the app requires authentication and the request doesn't have an authenticated session, the user should be redirected to the IDP.

+1. Yes, only if an authenticated session is not available for the request will we redirect the user to the IDP. Since the browser request will be carrying the cookie, we can use that to make the decision.
 






Re: [App Manager] Throttling implementation for App Manager

venura
In reply to this post by Nuwan Dias
Hi,


On Tue, Feb 11, 2014 at 1:27 PM, Nuwan Dias <[hidden email]> wrote:
Hi,

I don't think throttling a web app is practically doable :).

-1 on this since web applications totally need throttling. If throttling is not required for the web application, the publisher can mark the tier as unlimited.

Think of the complications a bit: you will need to skip all requests for things like CSS, JS, images, etc. Then, how are we going to handle cases like users pressing the 'refresh' button on the browser? Is that going to count as another request? If not, how do we skip that particular request?

We can define URL patterns and provide throttling tiers for these patterns. If a specific type of request (JS/CSS) need not be throttled, the publisher can define the tier as unlimited. Pressing the refresh button can be considered the same request depending on the implementation. For example, there can be two types of applications.

1. Once a user enters a web application, the user should be able to stay in the application without being throttled. (Ex: hotel booking engine)
2. Each request for the application is considered a new request. For these applications, a refresh request should be considered a new request.

For the first type, once the user has an authenticated session, the user should not be throttled. But this can be used by an attacker to make a DDoS attack. We can use a cookie which is generated by the gateway in order to avoid this.
 
Even though the publisher (owner of the web app) is responsible for defining the throttling limits, this would mean that the web app logic is closely tied to the app on the App Gateway. Making even a slight change to the web app might require them to change the throttling limits set on the Gateway.

Regards,
Venura

--
Senior Software Engineer

Mobile: +94 71 82 300 20


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: [App Manager] Throttling implementation for App Manager

Sanjeewa Malalgoda
In reply to this post by venura



On Mon, Feb 10, 2014 at 6:58 PM, Venura Kahawala <[hidden email]> wrote:
Hi,

As you may be already aware 'App manager' is capable of providing a gateway for web applications. Web Apps can be registered in the publisher and can be published to the store so the users can subscribe and consume web applications.

Currently we are in the stage of implementing throttling for the gateway. This is a bit different from API Manager since, consumer/ client of the web application is not capable of sending a unique identifier to the gateway (In AM this unique identifier is OAuth token which is given for a client application). This is because,  client should be able to type the gateway URL in the browser and access the web app.

We need to identify the client who is calling the gateway and throttle based on the client.

Any ideas on this are most welcome.

Normally when we throttle web applications and services we might consider the bandwidth passed through the wire (incoming and outgoing). So we can consider some registered context and the request bandwidth that comes in for that context (also, if we need to measure bandwidth we can do that inside a handler). We used a similar concept for web apps deployed in Stratos. If we are planning to do a request-count-based throttling mechanism, we might need to consider the web app context (we can derive this from the request URL) and session cookie combination as the throttle key. But IMO when it comes to web applications, request-count-based throttling doesn't make much sense.

Thanks,
sanjeewa.

--

Sanjeewa Malalgoda
Senior Software Engineer
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/




Re: [App Manager] Throttling implementation for App Manager

Manoj Fernando
Not a nice user experience to be throttled out whilst using a web app, for sure. :( It just doesn't sell well compared to throttling back-end APIs and services, which has obvious benefits.

But if you really have to do it, my suggestion is to use URL patterns as a unique identifier for throttle contexts. By default, you can configure the throttle to allow all resources unless they are specified as throttle configuration objects. So for web resources like CSS, images, etc. it will not throttle, but the moment you create a resource-hungry data grid, for example, you can create a throttle configuration specifying the URI as an identifier.

Regards,
Manoj

  


--
Manoj Fernando
Director - Solutions Architecture

Contact:
LK -  +94 112 145345
Mob: +94 773 759340
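The two proposals in this thread, Sanjeewa's throttle key of web-app context plus session cookie and Manoj's URL-pattern-scoped throttle configuration with everything else allowed by default, put together as one added Python example. This is illustration code written for this page, not App Manager's or the WSO2 gateway's implementation. The /<app>/<version>/... path layout, the JSESSIONID cookie name, the THROTTLE_RULES entries, the plain-dict request shape and the traffic in demo() are all assumptions constructed for the example.

```python
"""Added example, not WSO2 App Manager code. A gateway throttle combining the
two proposals in this thread: the throttle key is the web-app context derived
from the request URL plus the session cookie (falling back to the client IP
when no cookie is sent), and only URL patterns that have a throttle
configuration are limited; everything else (CSS, images, ...) is allowed.
Assumptions: path layout /<app>/<version>/..., cookie name JSESSIONID,
the hand-written THROTTLE_RULES below, requests passed as plain dicts."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"  # assumed cookie name

@dataclass(frozen=True)
class ThrottleRule:
    pattern: re.Pattern  # matched against the request path
    max_requests: int
    window_seconds: int

# Assumed configuration: only the resource-hungry data grid is limited.
THROTTLE_RULES = [
    ThrottleRule(re.compile(r"^/[^/]+/[^/]+/grid(/.*)?$"), max_requests=5, window_seconds=60),
]

def app_context(path):
    """Web-app context '/<app>/<version>' derived from the path, or None."""
    parts = [p for p in path.split("/") if p]
    return None if len(parts) < 2 else "/" + parts[0] + "/" + parts[1]

def session_id(cookie_header):
    """Session cookie value from a raw Cookie header; None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None

def throttle_key(request):
    """'<context>|sid=<cookie>', or '<context>|ip=<addr>' without a cookie.
    Caveat: the cookie is client-chosen (it can be dropped or rotated for a
    fresh window) and IPs are shared behind NAT, so this identifies a browser
    session, not an authenticated principal."""
    ctx = app_context(urlsplit(request["url"]).path)
    if ctx is None:
        return None
    sid = session_id(request.get("headers", {}).get("Cookie", ""))
    return f"{ctx}|sid={sid}" if sid else f"{ctx}|ip={request.get('remote_addr', 'unknown')}"

class Throttle:
    """Sliding-window request-count throttle, one window per (rule, key)."""

    def __init__(self, rules, clock=time.monotonic):
        self.rules, self.clock = rules, clock
        self.hits = defaultdict(deque)  # (rule index, key) -> hit timestamps

    def allow(self, request):
        path = urlsplit(request["url"]).path
        matched = [(i, r) for i, r in enumerate(self.rules) if r.pattern.match(path)]
        key = throttle_key(request)
        if not matched or key is None:
            return True  # default allow: unconfigured resources are never throttled
        idx, rule = matched[0]
        now = self.clock()
        window = self.hits[(idx, key)]
        while window and now - window[0] >= rule.window_seconds:
            window.popleft()  # forget hits older than the window
        if len(window) >= rule.max_requests:
            return False
        window.append(now)
        return True

def demo():
    """Constructed traffic against THROTTLE_RULES, driven by a fake clock."""
    clock = [0.0]
    throttle = Throttle(THROTTLE_RULES, clock=lambda: clock[0])

    def req(path, sid=None, ip="203.0.113.10"):
        headers = {"Cookie": f"{SESSION_COOKIE}={sid}"} if sid else {}
        return {"url": "https://gateway.example" + path, "headers": headers, "remote_addr": ip}

    results = {
        # session A: five grid requests pass, the sixth is throttled
        "grid_a": [throttle.allow(req("/sales/1.0.0/grid/data", sid="A")) for _ in range(6)],
        # static assets match no rule and are never throttled
        "css": [throttle.allow(req("/sales/1.0.0/css/app.css", sid="A")) for _ in range(50)],
        # session B has its own window
        "grid_b": throttle.allow(req("/sales/1.0.0/grid/data", sid="B")),
        # no cookie at all: counted per client IP instead
        "no_cookie": [throttle.allow(req("/sales/1.0.0/grid")) for _ in range(6)],
    }
    clock[0] += 60  # the window expires
    results["grid_a_after_window"] = throttle.allow(req("/sales/1.0.0/grid/data", sid="A"))
    return results

if __name__ == "__main__":
    print(demo())
```

The check a practitioner would want here: because the session cookie is chosen by the browser, a client that drops or rotates its cookie gets a fresh window on every request, so this key only limits well-behaved sessions. The per-IP fallback covers cookie-less clients, but a per-IP ceiling applied in addition (not shown) is the natural complement, as is the bandwidth accounting Sanjeewa mentions, which cannot be reset by changing a cookie.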


Re: [App Manager] Throttling implementation for App Manager

venura
Hi Manoj,


On Tue, Feb 11, 2014 at 10:16 PM, Manoj Fernando <[hidden email]> wrote:
Not a nice user experience to be throttled out whilst using a web app, for sure. :( It just doesn't sell well compared to throttling back-end APIs and services, which has obvious benefits.

But if you really have to do it, my suggestion is to use URL patterns as a unique identifier for throttle contexts. By default, you can configure the throttle to allow all resources unless they are specified as throttle configuration objects. So for web resources like CSS, images, etc. it will not throttle, but the moment you create a resource-hungry data grid, for example, you can create a throttle configuration specifying the URI as an identifier.

+1, that's the plan for this phase.
 

--
Senior Software Engineer

Mobile: +94 71 82 300 20

