I am using JBoss 4.2.3 as an appserver. Is there a way to limit the size of the HTTP POST request accepted by JBoss? I want to limit the size to avoid DOS attacks.

I already set maxHttpHeaderSize and maxPostSize in the server.xml, but neither of them seems to make any difference.

A: 

Tomcat accepts the HTTP request; in $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml you can configure maxHttpHeaderSize as an attribute of the Connector tag.

To have control regarding content, you would implement a Valve or Filter.

stacker
+2  A: 

maxPostSize defines how big a POST can get before Tomcat will "automatically" parse it, whatever that means.

If you're doing this for security reasons, you need to think twice about how you do it. A DOS attack isn't going to conveniently announce its size as an HTTP request header, it's just going to send data until your server falls over.

You could check the Content-Length header of the request, and reject it immediately if it's not present, or too big, but you run the risk of rejecting genuine clients that don't supply the header, which many won't.

Otherwise, you're just going to have to read the request data until it crosses a threshold, and then reject it.

Either way, the container can't help you much.

skaffman
+1 and a DDOS attack is not only sending large data. It's also a happening of thousands of simultaneous requests at once.
BalusC
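
The two approaches from the answers above (reject on a declared Content-Length that is too large, otherwise count bytes while reading and abort at a threshold), combined in a servlet Filter. This is an added example, not code from the thread; the class name `MaxBodySizeFilter`, the 1 MiB limit and the 413 response are assumptions, and it is written against the `javax.servlet` API.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread): caps the request body at MAX_BYTES.
public class MaxBodySizeFilter implements Filter {
    static final long MAX_BYTES = 1024 * 1024; // assumed limit, tune per application
    static class BodyTooLargeException extends IOException {}

    // Counts bytes as the application reads them and aborts once over the limit.
    static class LimitedStream extends ServletInputStream {
        private final InputStream in;
        private long count;
        LimitedStream(InputStream in) { this.in = in; }
        public int read() throws IOException {
            int b = in.read();
            if (b != -1 && ++count > MAX_BYTES) throw new BodyTooLargeException();
            return b;
        }
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0 && (count += n) > MAX_BYTES) throw new BodyTooLargeException();
            return n;
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // The declared length is only a hint: reject early if it is already too big.
        if (req.getContentLength() > MAX_BYTES) {
            res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        try {
            chain.doFilter(new HttpServletRequestWrapper(req) {
                private ServletInputStream body; // created lazily so container form parsing still works
                public ServletInputStream getInputStream() throws IOException {
                    return body != null ? body : (body = new LimitedStream(super.getInputStream()));
                }
                public BufferedReader getReader() throws IOException {
                    String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "ISO-8859-1";
                    return new BufferedReader(new InputStreamReader(getInputStream(), enc));
                }
            }, res);
        } catch (BodyTooLargeException e) { // missing or understated Content-Length ends up here
            if (!res.isCommitted()) res.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
        }
    }
}
```

The wrapper only sees reads made through `getInputStream()` or `getReader()`; form parameters parsed by the container itself (`getParameter()` on a form POST) do not pass through it and remain bounded by the connector's `maxPostSize`.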