Bytecode wrote:
According to Tomcat docs, the purpose of maxPostSize is:

The maximum size in bytes of the POST which will be handled by the container 
FORM URL parameter parsing. The limit can be disabled by setting this attribute 
to a value less than or equal to 0. If not specified, this attribute is set to 
2097152 (2 megabytes).

Now the question is what's meant by "the container FORM URL parameter parsing"? 
What's a FORM URL? What's the container's FORM URL parameter parsing? Also, what is a 
possible use case of this parameter?

As a general explanation: at the base, the "maximum post size" setting (available in Tomcat but also in Apache httpd and probably most webservers) is a security measure. It is there to avoid the possibility for some miscreant to overwhelm your server by sending it a POST request with a body of, for example, 10 Gigabytes, through a slow connection. In the absence of such a limit, this would force the server to dedicate a process to just sit there reading the content of the POST, possibly for hours. It would also tie up a number of resources at the server side (to store the POST content), and maybe cause difficulties when the POST is finally terminated and the body has to be parsed, etc. In other words, at best this might cause a denial-of-service, and at worst crash your server with, for example, an out-of-memory condition.

The setting is thus available so that you, the application developer, can determine which is the maximum likely valid size of a POST to your server or application, and reject POSTs above this limit. The webserver will then still accept POST requests, but as it is reading the POST body, it will count the bytes, and as soon as this limit is reached, it will interrupt this request and reject it with an error.

As to the "FORM URL parameter parsing" expression: to my knowledge, this does not really correspond to any formal HTTP RFC or Servlet Spec well-defined expression. It is probably just an expression chosen by the writer of the documentation you refer to, to convey the general idea that the webserver, when it processes a POST request, at some point has to parse the body of the request to extract the various request parameter names and contents. And, before it can start doing that, it must have the entire POST body available, which means the entire POST body has been read and saved somewhere. Which rejoins the explanation above.
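
The byte-counting limit described in the reply above, as an added sketch that is not part of the original message and is not Tomcat's own code: the body is read in chunks, the running total is checked against the limit, and form parameters are parsed only once the whole body has been accepted. The names `read_limited_body`, `parse_form_post` and `PostTooLarge` are hypothetical; the default and the "0 or less disables the limit" rule come from the documentation quoted in the question.

```python
import io
from urllib.parse import parse_qs

DEFAULT_MAX_POST_SIZE = 2097152  # default quoted from the Tomcat docs above


class PostTooLarge(Exception):
    """Body exceeded the limit; a server would answer with an HTTP error."""


def read_limited_body(stream, max_post_size=DEFAULT_MAX_POST_SIZE,
                      content_length=None, chunk_size=8192):
    """Read a request body, counting bytes and aborting at the limit."""
    limited = max_post_size > 0  # a value <= 0 disables the limit
    # Early rejection: the client already declared an oversized body.
    if limited and content_length is not None and content_length > max_post_size:
        raise PostTooLarge(f"declared {content_length} > {max_post_size}")
    buf = bytearray()
    while True:
        want = chunk_size
        if limited:
            # Never buffer more than one byte past the limit.
            want = min(chunk_size, max_post_size - len(buf) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        buf += chunk
        # The declared length is untrusted, so the count is still enforced.
        if limited and len(buf) > max_post_size:
            raise PostTooLarge(f"body exceeded {max_post_size} bytes")
    return bytes(buf)


def parse_form_post(stream, **limits):
    """Parse form parameters only after the complete body was accepted."""
    body = read_limited_body(stream, **limits)
    return parse_qs(body.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    print(parse_form_post(io.BytesIO(b"user=alice&lang=en"), max_post_size=64))
    try:
        parse_form_post(io.BytesIO(b"note=" + b"x" * 200), max_post_size=64)
    except PostTooLarge as exc:
        print("rejected:", exc)
```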