From 2da9e402777e1960db848435a4b51d8594a34d99 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Fri, 20 Dec 2024 10:40:44 +1100 Subject: [PATCH] PR #12559 - changes to OpenID docs from review Signed-off-by: Lachlan Roberts --- .../pages/security/configuring-form-size.adoc | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 documentation/jetty/modules/operations-guide/pages/security/configuring-form-size.adoc diff --git a/documentation/jetty/modules/operations-guide/pages/security/configuring-form-size.adoc b/documentation/jetty/modules/operations-guide/pages/security/configuring-form-size.adoc new file mode 100644 index 000000000000..e30681044783 --- /dev/null +++ b/documentation/jetty/modules/operations-guide/pages/security/configuring-form-size.adoc 
@@ -0,0 +1,53 @@ +// +// ======================================================================== +// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. +// +// This program and the accompanying materials are made available under the +// terms of the Eclipse Public License v. 2.0 which is available at +// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0 +// which is available at https://www.apache.org/licenses/LICENSE-2.0. +// +// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 +// ======================================================================== +// + +[[limit-form-content]] += Limiting Form Content + +Form content sent to the server is processed by Jetty into a map of parameters to be used by the web application. +Forms can be a vector for denial-of-service attacks, since significant memory and CPU can be consumed if a malicious client sends very large form content or a large number of form keys. +Thus, Jetty limits the amount of data and keys that can be in a form posted to Jetty. + +The default maximum size Jetty permits is 200000 bytes and 1000 keys. +You can change this default for a particular web application or for all web applications on a particular `Server` instance. + +== Configuring Form Limits for a Web Application + +To configure the form limits for a single web application, the `WebAppContext` instance can be configured from a context XML file or `WEB-INF/jetty-web.xml` file: + +[,xml,subs=attributes+] +---- + + + ... + + 200000 + 200 + + +---- + +These settings can also be set via the following `ServletContext` attributes. + +- `org.eclipse.jetty.server.Request.maxFormKeys` +- `org.eclipse.jetty.server.Request.maxFormContentSize` + +== Configuring Default Form Limits for the Server + +The default `maxFormKeys` is 1000 and the default `maxFormContentSize` is 200000. 
+ +However, the following system properties can be set to change the default values of this across every context: + +- `org.eclipse.jetty.server.Request.maxFormKeys` +- `org.eclipse.jetty.server.Request.maxFormContentSize`. +
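Review bot: In the final section ("Configuring Default Form Limits for the Server"), the last bullet ends with a period directly after `org.eclipse.jetty.server.Request.maxFormContentSize`, which an operator copying the name into a system property setting can easily pick up; drop the period, and reword "change the default values of this across every context" so it names what is being changed (the form limits). The same two names are listed earlier as `ServletContext` attributes, so the page should say which value wins when a per-context setting and the system property are both present. In the XML listing the second value is 200, while the prose gives the default as 1000 keys in two places; either use the default in the example or add a sentence saying the example deliberately lowers it, and consider stating the defaults only once. Since the page presents these limits as a denial-of-service control, it would also help to state what the server does with a request that exceeds them. Finally, the subject line refers to OpenID docs, but the only file created here is configuring-form-size.adoc; the commit message should describe this file.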