Auto Configured Rate Limiting Support

[ardatosun]

Hi Spring team,

I'd like to propose adding first class support for rate limiting via Spring Boot auto configuration.

Rate limiting is a fundamental concern in modern applications, especially for public APIs, multi-tenant systems and similar use cases. In real world scenarios where we usually run our code as distributed microservices, it becomes more critical.
While building custom rate limiting solutions for my company, I realized that many developers have had to implement this increasingly common requirement of rate limiting manually, as evident from blog posts and examples online. As someone who enjoys developing applications using Spring Boot, it felt intuitive that rate limiting should be a built-in feature as in an auto configuration support out of the box. Here is the core idea:

• A simple @RateLimit annotation to mark rate-limited endpoints.
• A property driven configuration system to declare rules per "rate limit use case".
• Pluggable resolvers for rate limit identifiers e.g. resolving IP addresses, extracting user/client info from JWT claims
• Backend support with auto configured key stores like Redis e.g. Redisson, Spring Data Redis
• Out-of-the-box Spring boot integration with minimal manual setup e.g. @EnableRateLimiting

I'd love to hear your thoughts on:

• Whether this kind of feature aligns with Spring Boot's goals and philosophy for auto-configuration.
• If yes, whether we could discuss what such contribution might look like.

I have some work-in-progress ideas and would be happy to share them if the direction seems promising.

Thanks.

[wilkinsona]

Thanks for the suggestion. This feels to me like a Spring Framework feature for which Spring Boot could then provide auto-configuration. This would also allow other projects such as Spring Security to provide resolvers for rate limit identifiers which they could not do if the resolver API was part of Spring Boot.

There was some discussion about rate limiting in Spring Framework several years ago but the issue was ultimately declined. The landscape has undoubtedly changed in the almost 9 years since then so you may want to open a new Framework issue for things like @RateLimit, the plug point for resolvers, and @EnableRateLimiting. If you create such an issue, please comment here with a link to it. In the interim, I'll close this one and we can re-open it in the future should the suggested Framework enhancement be accepted.

[ardatosun]

Thanks for the answer @wilkinsona , I've created an issue in Spring Framework spring-projects/spring-framework/issues/34754