| // ======================================================================== |
| // Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd. |
| // ======================================================================== |
| // All rights reserved. This program and the accompanying materials |
| // are made available under the terms of the Eclipse Public License v1.0 |
| // and Apache License v2.0 which accompanies this distribution. |
| // |
| // The Eclipse Public License is available at |
| // http://www.eclipse.org/legal/epl-v10.html |
| // |
| // The Apache License v2.0 is available at |
| // http://www.opensource.org/licenses/apache2.0.php |
| // |
| // You may elect to redistribute this code under either of these licenses. |
| // ======================================================================== |
| |
| [[configuring-form-size]] |
| === Limiting Form Content |
| |
| Form content sent to the server is processed by Jetty into a map of parameters to be used by the web application. |
| This can be vulnerable to denial of service (DOS) attacks since significant memory and CPU can be consumed if a malicious clients sends very large form content or large number of form keys. |
| Thus Jetty limits the amount of data and keys that can be in a form posted to Jetty. |
| |
| The default maximum size Jetty permits is 200000 bytes and 1000 keys. |
| You can change this default for a particular webapp or for all webapps on a particular Server instance. |
| |
| ==== Configuring Form Limits for a Webapp |
| |
| To configure the form limits for a single web application, the context handler (or webappContext) instance must be configured using the following methods: |
| |
| [source, java, subs="{sub-order}"] |
| ---- |
| ContextHandler.setMaxFormContentSize(int maxSizeInBytes); |
| ContextHandler.setMaxFormKeys(int formKeys); |
| |
| ---- |
| |
| These methods may be called directly when embedding Jetty, but more commonly are configured from a context XML file or WEB-INF/jetty-web.xml file: |
| |
| [source, xml, subs="{sub-order}"] |
| ---- |
| <Configure class="org.eclipse.jetty.webapp.WebAppContext"> |
| |
| ... |
| |
| <Set name="maxFormContentSize">200000</Set> |
| <Set name="maxFormKeys">200</Set> |
| </Configure> |
| |
| ---- |
| |
| ==== Configuring Form Limits for the Server |
| |
| If a context does not have specific form limits configured, then the server attributes are inspected to see if a server wide limit has been set on the size or keys. |
| The following XML shows how these attributes can be set in `jetty.xml`: |
| |
| [source, xml, subs="{sub-order}"] |
| ---- |
| <configure class="org.eclipse.jetty.server.Server"> |
| |
| ... |
| |
| <Call name="setAttribute"> |
| <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg> |
| <Arg>100000</Arg> |
| </Call> |
| <Call name="setAttribute"> |
| <Arg>org.eclipse.jetty.server.Request.maxFormKeys</Arg> |
| <Arg>2000</Arg> |
| </Call> |
| </configure> |
| |
| ---- |