0

I'm experiencing a weird issue: sometimes HTTP message request target (full path followed by ? and query string) is cut off to exactly 4095 characters before reaching my Tomcat server controllers.

The request is cut off already in Tomcat's access logs.

It doesn't happen all the time and I can easily see longer messages in Tomcat's access logs. Because of this, it isn't a server issue, I reckon.

One important information is that the URL is generated dynamically and injected into a page using appendChild Javascript method on HEAD element.

There's no HTTP aware component between user's browser and Tomcat server (no Level 7 load balancer, for instance).

I though this might be a browser issue. One common user agent when this happens is 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36', which apparently is Chrome63 on Windows10. I tried to reproduce it using such set up, but no success.

On the other machine when the issue is reproducible, I can see a full URL when inspecting the page using development tools.

Has anybody faced a similar issue? What could cut the URL off?

Update: it's not a duplicate of HttpRequest maximum allowable size in tomcat?. I see longer URIs in my access log and they work fine. Also, I tested be reducing max header number and I could easily see longer URIs passed through.

pzieba
  • 171
  • 1
  • 11
  • Maybe it's an issue with some proxy? – raina77ow Jan 29 '18 at 20:28
  • Possible duplicate of [HttpRequest maximum allowable size in tomcat?](https://stackoverflow.com/questions/2947683/httprequest-maximum-allowable-size-in-tomcat) – Obsidian Age Jan 29 '18 at 20:30
  • It's imposed by both the browser and server. You shouldn't be *attempting* to send requests this long, but you can override the limit if necessary. – Obsidian Age Jan 29 '18 at 20:31
  • If you need to send large parameters, use `POST` method. – Barmar Jan 29 '18 at 20:43
  • @raina77ow, thare's a firewall between and it also acts as a load balancer, but it's level 4 load balancer, so it's unaware of any HTTP related stuff. Besides, other requests for the same entry point with even longer query string are passed fine. – pzieba Jan 29 '18 at 21:47
  • @ObsidianAge, I was thinking about it, but maxHttpHeaderSize is set to 16384 and also I see longer requests in Tomcat's access log, which are not shortened. – pzieba Jan 29 '18 at 21:49
  • @Barmar, I know POST would be better here, but this is a legacy system and unfortunately I need to deal with it. Besides, this functionality injects some JavaScript dynamically and I'm doubt – pzieba Jan 29 '18 at 21:52
  • @pzieba Why do you doubt that? Just get the dynamic Javascript from the POST parameters instead of the URL. – Barmar Jan 29 '18 at 22:02
  • @Barmar, so you're saying I can use POST download Javascript code and the use eval method to execute it? This could be an option. It would be a huge change for my application, though. – pzieba Jan 30 '18 at 07:42
  • POST sends parameters to the server. The server can then use them the same way it uses URL parameters from GET. But if there's no server then you're right, you can't use POST. – Barmar Jan 30 '18 at 16:23
  • Use a packet-analyzer such as Wireshark to check the request on the wire. It's possible that the *browser* is trimming the request line and not the server. You have said that in your logs, you can see URLs longer than 4095 characters... so presumably Tomcat isn't limiting the request line at all. – Christopher Schultz Mar 08 '18 at 00:43
  • I already did it and indeed it's trimmed on browser side. Full length request target is sent in the request. It's very odd as I check it for many browsers and there's a difference even for exactly the same version of Chrome on the same version of Windows system - some instances work, some not. – pzieba Mar 09 '18 at 18:54

0 Answers0