1

I'm using Spring boot embedded tomcat for publishing rest service.

Spring boot version used latest "1.3.6.RELEASE"

I have requirement to limit the application/json post request size to 10KB.

Tired this solution but not working, Increase HTTP Post maxPostSize in Spring Boot

Please help.

Thanks, Arun.

Community
  • 1
  • 1
erdarun
  • 441
  • 1
  • 8
  • 14
  • Don't know if it suits you, but you can configure it in Tomcat: see `maxPostSize` parameter in https://tomcat.apache.org/tomcat-7.0-doc/config/http.html – Jozef Chocholacek Jul 27 '16 at 08:49
  • Im using embedded tomcat tried setting this but not working, @Bean EmbeddedServletContainerCustomizer containerCustomizer() throws Exception { return (ConfigurableEmbeddedServletContainer container) -> { if (container instanceof TomcatEmbeddedServletContainerFactory) { TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container; tomcat.addConnectorCustomizers( (connector) -> { connector.setMaxPostSize(10000); // 10 KB } ); } }; } – erdarun Jul 27 '16 at 08:53

1 Answers1

13

Configuring the max post size only applies to requests with a Content-Type of multipart/form-data or application/x-www-form-urlencoded. There's no mechanism available out of the box in Tomcat to limit the size of a request body for requests with any other content type so you'll have to write some code.

You could limit the content length using a filter. For example, adding the following class to your Spring Boot application will reject an request with a Content-Type that is compatible with application/json and a Content-Length over 10000:

@Component
static class ApplicationJsonRequestSizeLimitFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
        if (isApplicationJson(request) && request.getContentLengthLong() > 10000) {
            throw new IOException("Request content exceeded limit of 10000 bytes");
        }
        filterChain.doFilter(request, response);
    }

    private boolean isApplicationJson(HttpServletRequest httpRequest) {
        return (MediaType.APPLICATION_JSON.isCompatibleWith(MediaType
                .parseMediaType(httpRequest.getHeader(HttpHeaders.CONTENT_TYPE))));
    }

}

Note that this filter won't reject requests without a Content-Length header that exceed 10000 bytes, for example one that uses chunked encoding.

Andy Wilkinson
  • 108,729
  • 24
  • 257
  • 242
  • Thanks Andy. It works fine. If there is no Content-Length header then the value of request.getContentLength() or request.getContentLengthLong() will be zero? Can we use that for validation? – erdarun Jul 27 '16 at 12:48
  • Instead of Zero it should be -1 – erdarun Jul 27 '16 at 14:06
  • If the request has no `Content-Length` header, one can wrap the `ServletRequest` into one that returns a `LimitedSizeInputStream` from [this answer](https://stackoverflow.com/a/30072143/11748454). – Piotr P. Karwasz Aug 24 '21 at 09:37