tomcat-users mailing list archives

From André Warnier
Subject Re: The purpose of maxPostSize
Date Sun, 02 May 2010 10:48:16 GMT
Bytecode wrote:
> According to Tomcat docs, the purpose of maxPostSize is:
> The maximum size in bytes of the POST which will be handled by the container FORM URL
> parameter parsing. The limit can be disabled by setting this attribute to a value less than
> or equal to 0. If not specified, this attribute is set to 2097152 (2 megabytes).
> Now the question is what's meant by "the container FORM URL parameter parsing"? What's
> a FORM URL? What's the container's FORM URL parameter parsing? Also, what is a possible use
> case of this parameter?
As a general explanation: at the base, the "maximum post size" setting 
(available in Tomcat but also in Apache httpd and probably most 
webservers) is a security measure.
It is there to avoid the possibility for some miscreant to overwhelm 
your server by sending it a POST request with a body of, for example, 10 
Gigabyte, through a slow connection.
In the absence of such a limit, this would force the server to dedicate 
a process to just sit there reading the content of the POST, possibly 
for hours.  It would also tie up a number of resources at the server 
side (to store the POST content), and maybe cause difficulties when the 
POST is finally terminated and the body has to be parsed etc.
In other words, at best this might cause a denial-of-service, and at 
worst crash your server with for example an out-of-memory condition.
The setting is thus available so that you, the application developer, 
can determine which is the maximum likely valid size of a POST to your 
server or application, and reject POSTs above this limit.
The webserver will then still accept POST requests, but as it is reading 
the POST body, it will count the bytes, and as soon as this limit is 
reached, it will interrupt this request and reject it with an error.

As to the "FORM URL parameter parsing" expression: to my knowledge, 
this does not really correspond to any formal HTTP RFC or Servlet Spec 
well-defined expression.  It is probably just an expression chosen by 
the writer of the documentation you refer to, to convey the general idea 
that the webserver, when it processes a POST request, at some point has 
to parse the body of the request to extract the various request 
parameter names and contents.
And, before it can start doing that, it must have the entire POST body 
available, which means the entire POST body has been read and saved 
somewhere, which rejoins the explanation above.
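The mechanism André describes (count the bytes as the body arrives, abort the moment the count passes the limit rather than buffering whatever the client announces, and only then hand the body to the form-parameter parser) as a small, self-contained model. This is an added example written for this archive page, not Tomcat's code: the function and class names (`read_post_body`, `handle_form_post`, `TrickleStream`, `PostTooLarge`) are this example's own, and the sample bodies are constructed inline. Only the documented semantics, the 2097152-byte default and "a value <= 0 disables the limit", are taken from the Tomcat documentation quoted in the question.

```python
"""Bounded POST-body reading: the mechanism behind a "maximum post size" limit.

Added example, not Tomcat's code. Names are this example's own assumptions;
the default of 2097152 bytes and the "<= 0 disables" rule come from the
Tomcat docs quoted in the thread.
"""
import io
from urllib.parse import parse_qs

DEFAULT_MAX_POST_SIZE = 2097152  # documented Tomcat default, 2 megabytes
CHUNK_SIZE = 8192                # read in bounded pieces, never "Content-Length" at once


class PostTooLarge(Exception):
    """Raised as soon as the byte count passes the limit; records how much was read."""

    def __init__(self, message, received):
        super().__init__(message)
        self.received = received


class TrickleStream:
    """Constructed stand-in for a slow client: returns at most `per_read` bytes per read()."""

    def __init__(self, payload, per_read=1):
        self._buf = io.BytesIO(payload)
        self._per_read = per_read

    def read(self, size=-1):
        if size < 0 or size > self._per_read:
            size = self._per_read
        return self._buf.read(size)

    def tell(self):
        return self._buf.tell()


def read_post_body(stream, content_length=None, max_post_size=DEFAULT_MAX_POST_SIZE):
    """Read a POST body from `stream`, counting bytes and aborting past the limit.

    content_length: the Content-Length header value, or None if absent/untrusted.
    max_post_size:  limit in bytes; <= 0 disables the check (documented semantics).
    """
    limit_on = max_post_size > 0

    # Cheap early rejection: an honest Content-Length already over the limit
    # is refused before a single body byte is read.
    if limit_on and content_length is not None and content_length > max_post_size:
        raise PostTooLarge("declared Content-Length %d exceeds limit %d"
                           % (content_length, max_post_size), 0)

    chunks, received = [], 0
    remaining = content_length
    while remaining is None or remaining > 0:
        want = CHUNK_SIZE if remaining is None else min(CHUNK_SIZE, remaining)
        data = stream.read(want)
        if not data:
            break  # client closed early; a real server would treat this as truncated
        received += len(data)
        # The actual check: the moment the count crosses the limit we stop
        # reading and reject, instead of sitting on the connection for hours.
        if limit_on and received > max_post_size:
            raise PostTooLarge("body exceeded %d bytes" % max_post_size, received)
        chunks.append(data)
        if remaining is not None:
            remaining -= len(data)
    return b"".join(chunks)


def handle_form_post(stream, content_length=None, max_post_size=DEFAULT_MAX_POST_SIZE):
    """Read the body, then run the 'form URL parameter parsing' step on it.

    Returns (status, params, bytes_read); params is None when the request is rejected.
    """
    try:
        body = read_post_body(stream, content_length, max_post_size)
    except PostTooLarge as exc:
        return 413, None, exc.received
    # Parsing only starts once the whole (bounded) body is in hand.
    params = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return 200, params, len(body)


if __name__ == "__main__":
    # Ordinary login form, well under the limit.
    print(handle_form_post(io.BytesIO(b"user=alice&action=login"),
                           content_length=23, max_post_size=1024))
    # Constructed attacker: trickles 100 kB one byte at a time with no
    # Content-Length; we abort right after byte 10001 instead of reading it all.
    slow = TrickleStream(b"x" * 100_000)
    print(handle_form_post(slow, content_length=None, max_post_size=10_000),
          "bytes consumed from socket:", slow.tell())
```

In Tomcat itself this knob is the `maxPostSize` attribute on the `<Connector>` element in server.xml, and, as the quoted documentation says, it bounds what the container's own form-parameter parser will consume; a servlet that reads `request.getInputStream()` directly is not limited by it. Tomcat does not by itself answer an over-limit request with an error the way the model above returns 413: parameter parsing fails and the parameters are simply unavailable, and the FailedRequestFilter (Tomcat 7 and later) is the usual way to turn that into a 400 response.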
