How to limit data size of HTTP POST method from a client to JBoss

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x
    • 7.x
  • JBoss Seam
  • Red Hat JBoss Enterprise Web Server (EWS)
    • Apache httpd

Issue

  • How can I limit the data size of the HTTP POST method from a client to JBoss?
  • How do I limit the size of an HTTP POST SOAP message?
  • What is the maxPostSize parameter used for, and what is its maximum value?
  • The server does not allow POST requests with more than 2 MB of data in JBoss EAP. What could be the cause?

Resolution

To limit the data size of a POST request whose Content-Type is application/x-www-form-urlencoded:

  • On EAP 4/5, you can use the "maxPostSize" attribute in JBossWeb's Connector [1].
  • On EAP 6/7, it is the max-post-size attribute. The max value is 2147483647. See also this knowledge article about the behavior when hitting this limit.

To limit the data size of a POST request whose Content-Type is multipart/form-data, you have the following two options:

  • JBoss Seam file upload JSF control for multipart form submissions [2]
  • "LimitRequestBody" directive in Apache httpd [3]

To limit the data size of a POST request with any Content-Type (such as text/xml, text/plain or multipart/related):

  • You can use "LimitRequestBody" directive in Apache httpd [3]
  • If this limit is exceeded, the request fails and is given a 500 response, which could be handled with a custom error page. A message indicating this is also logged in the error_log:
    [client 127.0.0.1] Requested content-length of x is larger than the configured limit of y
  • If the incoming content-length exceeds the limit, httpd can terminate the connection without reading the oversized POST data, which saves the resources otherwise spent reading the content in the httpd and JBoss layers.
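
To see which clients keep hitting LimitRequestBody, the error_log message quoted above can be tallied per client. The following Python script is an added example, not part of the original article; the sample log lines (including their timestamp and level prefix), the function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the error_log message quoted in the article. Whatever httpd writes
# between "[client ...]" and the message text is skipped.
REJECT_RE = re.compile(
    r"\[client (?P<client>[^\]\s]+)\].*?"
    r"Requested content-length of (?P<size>\d+) is larger than "
    r"the configured limit of (?P<limit>\d+)"
)

# Constructed sample lines (documentation-range addresses, made-up sizes).
SAMPLE_LOG = """\
[Mon Jan 01 10:00:01 2024] [error] [client 192.0.2.10] Requested content-length of 52428800 is larger than the configured limit of 2097152
[Mon Jan 01 10:00:02 2024] [error] [client 192.0.2.10] Requested content-length of 104857600 is larger than the configured limit of 2097152
[Mon Jan 01 10:00:03 2024] [error] [client 198.51.100.7:40112] Requested content-length of 3145728 is larger than the configured limit of 2097152
[Mon Jan 01 10:00:04 2024] [error] [client 192.0.2.10] Requested content-length of 52428800 is larger than the configured limit of 2097152
[Mon Jan 01 10:00:05 2024] [error] [client 192.0.2.55] File does not exist: /var/www/html/favicon.ico
""".splitlines()


def summarize_rejections(lines):
    """Return {client: {"count", "max_size", "limit"}} for rejected requests."""
    stats = defaultdict(lambda: {"count": 0, "max_size": 0, "limit": 0})
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # unrelated error_log entry
        client = m.group("client")
        if client.count(":") == 1:  # IPv4 address followed by ":port"
            client = client.split(":")[0]
        entry = stats[client]
        entry["count"] += 1
        entry["max_size"] = max(entry["max_size"], int(m.group("size")))
        entry["limit"] = int(m.group("limit"))
    return dict(stats)


def repeat_offenders(stats, threshold=3):
    """Clients rejected at least `threshold` times (threshold is an assumption)."""
    return sorted(c for c, s in stats.items() if s["count"] >= threshold)


if __name__ == "__main__":
    summary = summarize_rejections(SAMPLE_LOG)
    for client, s in sorted(summary.items()):
        print(f"{client}: {s['count']} rejected, largest {s['max_size']} bytes "
              f"(limit {s['limit']})")
    print("repeat offenders:", repeat_offenders(summary))
```
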

[1] JBossWeb HTTP Connector
http://docs.jboss.org/jbossweb/latest/config/http.html
[2] JBoss Seam Reference Guide - Multipart form submissions
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Seam_Reference_Guide/configuration.html#id2994540
[3] Apache LimitRequestBody
http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
Note: LimitRequestBody is not applicable to proxy requests. So it does not work with mod_proxy. It works with mod_jk, though.

Diagnostic Steps

  • maxPostSize is designed as a security precaution to prevent excessive CPU spent processing POST form parameters. To actually trigger the code that checks the maxPostSize parameter, you must have these in place:

    • The servlet application calls request.getParameter() or something that needs to get an HTTP parameter.
    • The HTTP method must be POST.
    • The Content-Type must be application/x-www-form-urlencoded.
  • When the code is triggered, it simply stops processing the parameters if the request body size exceeds maxPostSize. getParameter() will return null, and the servlet will continue to process.

  • The only way to stop clients from sending large HTTP bodies before the entire payload is uploaded to JBoss would be to have an Apache HTTP proxy/load balancer between the client and JBoss server and use its LimitRequestBody directive.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.