How to limit data size of HTTP POST method from a client to JBoss

Environment

• Red Hat JBoss Enterprise Application Platform (EAP)

Issue

• How can I limit the data size of the HTTP POST method from a client to JBoss?
• How to limit HTTP POST SOAP Message size ?
• What is the use of maxPostSize parameter and what is the maximum limit for it?
• Server is not allowing post request having data above 2 MB in JBOSS EAP? What could be the cause of this?

Resolution

Disclaimer: The following information has been provided by Red Hat but is outside the scope of the posted This content is not included.Service Level Agreements and This content is not included.Scope of Coverage. Red Hat does not support software in the EPEL repository, other third-party repositories, or third-party non-Red Hat sources. The information is provided as-is without representations or warranties about the suitability or accuracy of the information provided. The intent is to provide information to accomplish the system's needs. Use of the information below is at the user's own risk.

Links to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or availability. Including any link to an external website does not imply endorsement by Red Hat of the website or its entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses resulting from your use of (or reliance on) the external site or content.

To limit data size of POST method which Content-Type is application/x-www-form-urlencoded:

• On EAP 6/7/8, use the max-post-size attribute in HTTP/HTTPS/AJP listener. The default value is 10485760 and the maximum is 214748364.
  • On EAP 6, if it hits the limit, check the article: JBoss EAP 6 continues an application processing without throwing an exception when the POST request exceeds the max-post-size limit.
• On EAP 4/5, use maxPostSize attribute in JBossWeb's Connector ¹

For any other Content-Type in a POST request:

• LimitRequestBody directive in Apache httpd ²

• If this limit is exceeded, the request fails and is given a 500 response, which could be handled with a custom error page. A message is also logged in the error_log indicating this occurred:

        [client 127.0.0.1] Requested content-length of x is larger than the configured limit of y
  

• If the incoming content-length exceeds the limit, httpd can terminate the connection without reading in the too large post data, saving resources by not reading the unnecessary content.

• LimitRequestBody is not applicable to proxy requests. So it does not work with mod_proxy. It works with mod_jk, though.

Root Cause

The maxPostSize and max-post-size attributes were designed as a security precaution to prevent excessive CPU spent processing POST form parameters.

To trigger the code that checks parameter:

• The servlet application calls request.getParameter() or something that needs to get an HTTP parameter.
• The HTTP method must be POST.
• The Content-Type must be application/x-www-form-urlencoded

• Before EAP 8.1 update 3 the only way to stop clients from sending large HTTP bodies before the entire payload is uploaded to JBoss would be to have an Apache httpd as proxy/balancer and use its LimitRequestBody directive.
• When the code is triggered, it simply stops processing the parameters if the request body size exceeds the maximum value. The getParameters() method will return null, and the servlet will continue to process.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.