Hi,

A simple approach could involve the following steps:

1) Globally limit the number of HTTP parameters by setting the maxParameterCount attribute in the conf/server.xml file within the <Connector> element, e.g.:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxParameterCount="10"
               redirectPort="8443" />

2) Create an application-level filter to handle exceptions for the specific URLs. Something like:

    package com.dsoumis;

    import jakarta.servlet.Filter;
    import jakarta.servlet.FilterChain;
    import jakarta.servlet.FilterConfig;
    import jakarta.servlet.ServletException;
    import jakarta.servlet.ServletRequest;
    import jakarta.servlet.ServletResponse;
    import jakarta.servlet.http.HttpServletRequest;

    import java.io.IOException;
    import java.util.Map;

    public class ParameterLimitFilter implements Filter {

        // Limit applied to every URL that has no explicit exception.
        private static final int MAX_GLOBAL_PARAMS = 10;
        // Higher limit for the URL that is allowed more parameters.
        private static final int MAX_ALLOWED_PARAMS_FOR_SPECIFIC_URL = 20;

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // getRequestURI() includes the context path of the web application.
            String requestURI = httpRequest.getRequestURI();
            // The map has one entry per distinct parameter name.
            Map<String, String[]> parameters = httpRequest.getParameterMap();

            if ("/specific/url".equals(requestURI)) {
                if (parameters.size() > MAX_ALLOWED_PARAMS_FOR_SPECIFIC_URL) {
                    throw new ServletException("Too many parameters for this URL");
                }
            } else {
                if (parameters.size() > MAX_GLOBAL_PARAMS) {
                    throw new ServletException("Too many parameters");
                }
            }

            // Within the limit: pass the request on to the rest of the chain.
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
        }
    }

3) Register the filter in web.xml:

    <filter>
        <filter-name>ParameterLimitFilter</filter-name>
        <filter-class>com.dsoumis.ParameterLimitFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ParameterLimitFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <!-- Apply the filter to all URLs or be more specific with the pattern
             and align the logic accordingly to the application-level filter -->
    </filter-mapping>

-------

I have made an effort to create a Tomcat functionality for this requirement by introducing a new Valve. https://github.com/apache/tomcat/pull/753 is the relevant PR, open for discussion :)

Kind regards,
Dimitris

On Thu, Sep 12, 2024 at 8:28 AM Thomas Meyer <tho...@m3y3r.de> wrote:

> Hi,
>
> This sounds more like a security requirement. Such constraints are usually
> implemented in the frontend, i.e. the HTTP reverse proxy with mod_security
> or an explicit web application firewall.
>
> Any chance to implement it in a similar way in your setup?
>
> Kind regards,
> Thomas
>
> On 11 September 2024 18:31:01 CEST, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> >All,
> >
> >Does anyone know if there is a way to limit the number of HTTP parameters
> >in a POST request but explicitly allow more parameters for, say, a small
> >set of specific URLs?
> >
> >Asking for a friend.
> >
> >-chris