Satish

Reputation: 17407

Tomcat maxSavePostSize value?

Tomcat Error 403: the request body was too large to be cached during the authentication process

It's related to the maxSavePostSize setting; it's currently at the default, which is 4096 (4 KB). In googling, people suggest -1 (unrestricted). Does that mean it could be subject to a DoS attack? What do you suggest?

Upvotes: 2

Views: 2724

Answers (1)

Mark Thomas

Reputation: 16615

Setting maxSavePostSize to -1 on a Tomcat instance that is accessible by untrusted users would be a monumentally stupid thing to do because - as you correctly suspect - it would open up the server to a DoS attack.

This setting is only used when POSTed content needs to be saved during authentication, i.e. when an unauthenticated user POSTs a request to a resource protected by FORM or CLIENT-CERT authentication.

There are a couple of solutions:
a) Structure your application in such a way that users are always authenticated before they are able to access pages that trigger POSTs.
b) Increase the maxSavePostSize to the largest POST you expect your application to have to handle. If that is much larger than 4k then you may still be vulnerable to a DoS.

BTW, make sure you aren't confusing this setting with maxPostSize.

Upvotes: 4
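To make the answer's advice concrete, here is an added server.xml fragment (example configuration written for this page, not taken from the question, the answer, or the Tomcat documentation). The attribute names maxSavePostSize and maxPostSize are real Tomcat HTTP Connector attributes; the port numbers and the 16384-byte cap are assumed values chosen for illustration, and the unrestricted variant is left commented out so the two settings can be compared side by side.

```xml
<!-- Added example configuration (not from the original post). Attribute
     names are real Tomcat Connector attributes; the numeric values and
     ports are assumptions for illustration only. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Weak setting: maxSavePostSize="-1" removes the limit. While a
         FORM or CLIENT-CERT login round trip is in progress, Tomcat must
         buffer the whole POST body of an unauthenticated client, so an
         attacker can exhaust memory. Kept commented out on purpose. -->
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxSavePostSize="-1" />
    -->

    <!-- Recommended: raise the cap only to the largest POST the
         application genuinely needs to survive across a login
         (16 KB here is an assumed value; the Tomcat default is 4096,
         and 0 disables saving the body during authentication).
         maxPostSize is the separate, unrelated limit on form
         parameter parsing; its 2 MB value here matches the default. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxSavePostSize="16384"
               maxPostSize="2097152" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

Pairing the tightened maxSavePostSize with the answer's option a), keeping users authenticated before they reach POSTing pages, means the saved-body path is rarely exercised at all, and the cap only has to cover the few legitimate cases that remain.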
