From a few sources (1 2 3), I'm getting the impression that whenever people wants to rate limit requests, the tendency seems to be "wrap Tomcat behind Apache, and rate-limit on Apache". There's also the iptables solution, but that won't answer HTTP 429 ("Too many requests").
Apache is fine, but sometimes it will be nice if we can improvise small-scale deployments of a small servlet we have, but we're still being asked to rate limit requests, and setting up an Apache layer seems like a bit of overkill (at least compared to cloning a web.xml file, which we're already doing anyway).
So I'm thinking of coding a small filter to do just that (as it seems like a significant amount of non-effort) and package it with the servlet, but the eerie absence of elaborate Tomcat rate limit filters out in the open suggests that this approach might be naive. I mean, this feels so generic and so much is Open-Source-available these days. So maybe there is a really good reason that justifies the Apache solution. Apache has so many options while Tomcat seems to have none.
(Jetty does seem to ship with one such filter though, despite being a servlet container.)
Why does Tomcat lack built-in rate-limit filters?
Tomcat sure does have a rate-limit
filter valve built-in. You just have to modify it to suit your needs.