Add documentation for form limits & improve configuration via context attributes #12560
Conversation
… attributes Signed-off-by: Lachlan Roberts <[email protected]>
lachlan-roberts
changed the title
There was a problem hiding this comment.
Please add a similar security directory in the operations guide.
There, make a similar section titled "Limiting Form Content" (same title), that points to that of the programming guide for example:
Forms can be a vector for denial-of-service attacks, like explained in xref:...[this section].
Then proceed to explain operation-guide specific configuration.
We should have these form limits as a Jetty module properties, and if we don't already, we should add them.
| // ======================================================================== | ||
| // | ||
|
|
||
| [[configuring-form-size]] |
There was a problem hiding this comment.
I'd rename it to limit-form-content, like the title.
| = Limiting Form Content | ||
|
|
||
| Form content sent to the server is processed by Jetty into a map of parameters to be used by the web application. | ||
| This can be vulnerable to denial of service (DOS) attacks since significant memory and CPU can be consumed if a malicious clients sends very large form content or large number of form keys. |
There was a problem hiding this comment.
| This can be vulnerable to denial of service (DOS) attacks since significant memory and CPU can be consumed if a malicious clients sends very large form content or large number of form keys. | |
| Forms can be a vector for denial-of-service attacks, since significant memory and CPU can be consumed if a malicious clients sends very large form content or a large number of form keys. |
| Thus, Jetty limits the amount of data and keys that can be in a form posted to Jetty. | ||
|
|
||
| The default maximum size Jetty permits is 200000 bytes and 1000 keys. | ||
| You can change this default for a particular webapp or for all webapps on a particular Server instance. |
There was a problem hiding this comment.
| You can change this default for a particular webapp or for all webapps on a particular Server instance. | |
| You can change this default for a particular web application or for all web applications on a particular `Server` instance. |
| The default maximum size Jetty permits is 200000 bytes and 1000 keys. | ||
| You can change this default for a particular webapp or for all webapps on a particular Server instance. | ||
|
|
||
| == Configuring Form Limits for a Webapp |
There was a problem hiding this comment.
| == Configuring Form Limits for a Webapp | |
| == Configuring Form Limits for a Web Application |
|
|
||
| == Configuring Form Limits for a Webapp | ||
|
|
||
| To configure the form limits for a single web application, the servlet context handler (or webappContext) instance must be configured using the following methods: |
There was a problem hiding this comment.
| To configure the form limits for a single web application, the servlet context handler (or webappContext) instance must be configured using the following methods: | |
| To configure the form limits for a single web application, the `ServletContextHandler` (or `WebappContext`) instance must be configured using the following methods: |
| int maxSizeInBytes = 1024; | ||
| int formKeys = 100; | ||
| // tag::formSizeConfig[] |
There was a problem hiding this comment.
Include the int values in the documentation.
| These methods may be called directly when embedding Jetty, but more commonly are configured from a context XML file or WEB-INF/jetty-web.xml file: | ||
|
|
||
| [,xml,subs=attributes+] | ||
| ---- | ||
| <Configure class="org.eclipse.jetty.{ee-current}.webapp.WebAppContext"> | ||
|
|
||
| ... | ||
|
|
||
| <Set name="maxFormContentSize">200000</Set> | ||
| <Set name="maxFormKeys">200</Set> | ||
| </Configure> | ||
|
|
||
| ---- |
There was a problem hiding this comment.
This should be moved to the operations guide.
|
|
||
| ---- | ||
|
|
||
| These settings can also be set via the following Context attributes. |
There was a problem hiding this comment.
It is not clear what "Context" are you referring to here.
You mean context attributes in web.xml?
If so, better have an example, but should propably better be in the operations guide.
|
|
||
| The default `maxFormKeys` is 1000 and the default `maxFormContentSize` is 200000. | ||
|
|
||
| However, the following system properties can be set to change the default values of this across every context; `org.eclipse.jetty.server.Request.maxFormKeys` and `org.eclipse.jetty.server.Request.maxFormContentSize`. |
There was a problem hiding this comment.
Put them in a bullet list like above.
I wonder why we don't look these up as Server attributes, before using system properties?
| @@ -987,6 +988,8 @@ else if (getBaseResource() != null) | |||
| name = String.format("%s@%x", name, hashCode()); | |||
|
|
|||
| dumpObjects(out, indent, | |||
| Dumpable.named("maxFormKeys ", getMaxFormKeys()), | |||
There was a problem hiding this comment.
Before this line, dump also the environment like in ee9?
| Dumpable.named("maxFormKeys ", getMaxFormKeys()), | ||
| Dumpable.named("maxFormContentSize ", getMaxFormContentSize()), |
There was a problem hiding this comment.
move down in the dump to be after the attributes
| @@ -987,6 +988,8 @@ else if (getBaseResource() != null) | |||
| name = String.format("%s@%x", name, hashCode()); | |||
|
|
|||
| dumpObjects(out, indent, | |||
| Dumpable.named("maxFormKeys ", getMaxFormKeys()), | |||
There was a problem hiding this comment.
Rather than override dump and have to repeat the stuff from the base class, why don't we just add all these Dumpable collections as beans the the context and let the normal dump mechanism dump them?
There was a problem hiding this comment.
Or better yet, add one Dumpable webapp bean, that dumps all these extra details
FormFields.fromalready reads this configuration from context attributes, but this PR makes it so that those context attributes delegate to setting the equivalent fields onContextHandler.maxFormKeysandmaxFormContentSizeto the dump.replaces #12232