2

How do you configure Javalin to change the max request size, specifically the config to increase the max size of the query parameters on the request (avoiding 414 URI too long)?

I get 414 URI is too long when I exceed what looks like a default size of 8KB so would like to configure my Javalin server to increase that slightly.

I think it uses Jetty under the hood which has a HttpConfiguration.requestHeaderSize variable that may control it. Or there's a HttpParser._maxHeaderBytes which is checked before throwing the URI_TOO_LONG_414 exception.

I can't see how it can all be wired up...

Toby
  • 9,523
  • 8
  • 36
  • 59

2 Answers2

3

Bearing in mind all the advice and warnings listed here... Assuming you have Javalin defined as follows in your main method:

Javalin app = Javalin.create(config -> {
    config.jetty.server(MyJetty::create);
}).start();

Then you can create MyJetty to customize this and any other settings you may want to use.

A very basic example:

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

public class MyJetty {

    public static Server create() {
        Server server = new Server();
        HttpConfiguration httpConfiguration = new HttpConfiguration();

        httpConfiguration.setRequestHeaderSize(8192); // use your value here

        HttpConnectionFactory httpCF = new HttpConnectionFactory(httpConfiguration);
        ServerConnector httpConnector = new ServerConnector(server, httpCF);
        httpConnector.setPort(8080); // use your port here
        server.addConnector(httpConnector);
        return server;
    }

}

This only sets up a simple insecure HTTP connection - but shows one way to change the HttpConfiguration value for Javalin. You can use the same approach for other connectors you may want to configure, including ones using SSL/TLS.

I am assuming the latest version of Javalin (version 5) since there were some syntax changes from Javalin 4 to 5 - and also the version of Jetty changed from 9 to 11.

If you are using Javalin 4, the config syntax is a bit different:

config.server(MyJetty::create);

But I don't think the Jetty code changes (for this specific setting, at least).

andrewJames
  • 19,570
  • 8
  • 19
  • 51
1

Only change the HttpConfiguration, it will inform the HttpParser.

You should be leery of doing this because ...

  • many browsers do not support that large of a query.
  • 3rd party internet security software on laptops will reject that exchange.
  • you open yourself to various old school DoS (Denial of Service) attacks related to hashmap/hashcode abuse. (to minimize this issue, use Java 17 or newer)
  • If you move to HTTP/2 (or HTTP/3) many servers will reject the extension of the maximum request headers (at the HTTP level) that would be needed to support this massive request path.

Also, depending on what technology Javalin is using, you might need to also increase the ContextHandler maxFormContentSize and/or maxFormKeys.

If you have reached this need, it screams of abuse of the HTTP spec, you should investigate moving to a traditional HTTP POST with Content-Type: application/x-www-form-urlencoded instead.

Joakim Erdfelt
  • 46,896
  • 7
  • 86
  • 136
  • Appreciate the comments and understand POST is often cited as a solution. I'm balancing similar misuse of POST in the context of REST and am aware the the HTTP spec doesn't preclude using a body with a GET (although not convention) – Toby Jan 18 '23 at 13:28