Request entity too large error, The requested resource does not allow request Data with GET(OR POST) Requests, or the amount of the data provided in the request exceeds the capacity limit.
I use tomcat 7 and apache in my project. I made changes in tomcat's server.xml as
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" maxPostSize="-1" packetSize="65536"/>
still getting the same error.
Related
I have a Spring Boot application where I fill in a generated form based on a certain file that the user has to upload.
Somtimes in this file, a table can occur >100 times.
When this is the case, whenever I try to submit the form, I get the error:
More than the maximum number of request parameters (GET plus POST) for a single request ([10,000]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector.
I have tried solving this by adding the following code to my server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" maxParameterCount="1000000"/>
As is stated in this post - set the maxParameterCount attribute on the Connector. But this doesn't seem to do anything.
My application is running on port 8081, but changing this in the connector code doesn't make any difference. I still get the error that my request exceeded 10 000 parameters.
Does anyone have an idea?
Thanks in advance.
Kind Regards
I am using Tomcat 8.5 to host a WAR which is used for java REST services.
In my rest service, I create a connection and take a multi-part form data file from user, scan it using a scan engine and return the result. At the start, tomcat is running fine and giving a speed of almost 57-58 Mbps but degrades over time (degrades to nearly half in 5-8 min)
My setenv.bat file looks like this.
"set "JAVA_OPTS=%JAVA_OPTS% -Xms1024m -Xmx5120m -XX:MaxMetaspaceSize=512m -Xincgc -server""
JVM is using ParNewGC for garbage collection.
my server.xml file looks like this
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="100" minSpareThreads="8" maxSpareThreads="10" acceptorThreadCount="16" acceptCount="500"/>
<!--acceptCount :The maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full will be refused. The default value is 100.
A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" socket.rxBufSize="10000000" socket.txBufSize="3000000" socket.directBuffer="true" />
<!-- A "Connector" using the shared thread pool-->
As my response is completely dynamic. I am not using any type of caching. please help me with this issue.
It may be a error due to a large number of open tcp/ip connections .Try connecting with server for once and send data check for sockets when you see a performance degradation.
In windows, you can use netstat-an to check the open sockets.
The third party tool we used for security test is giving Slow HTTP POST Vulnerability on Tomcat 8. We have a simple Spring Controller and JSP in the application.
Existing Tomcat connector config is below:
<Connector port="8643" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" compression="on"
clientAuth="false" sslProtocol="TLS" maxPostSize="20480"
maxSwallowSize="20480" maxHeaderCount="25" maxParameterCount="100"/>
Note that we don't have Apache or Nginx in front of tomcat. Please suggest the configs that we can use directly on Tomcat.
An example of Slow HTTP Attack is SLOWLORIS
To mitigate it with Tomcat, the solution is to use the NIO Connector, as explained in this tutorial.
What is unclear with your problem, is that Tomcat already uses the NIO connector by default on Tomcat 8, which is your configuration :
The default value is HTTP/1.1 which uses an auto-switching mechanism
to select either a non blocking Java NIO based connector or an
APR/native based connector.
Maybe should you set some other Connector parameters to specifically limit POST abuse, I suggest :
maxPostSize="1048576" (1 MByte)
connectionTimeout="10000" (10 seconds between the connection and the URI request)
disableUploadTimeout="false" (activate the POST maximum time allowed)
connectionUploadTimeout="20000" (maximum POST of 20 seconds)
An option is also to limit the headers number (default being 100), but this can have side effects with people using smartphones (which are known to send many headers) :
maxHeaderCount="25"
But it depends if your traffic is coming from Internet, or if it is a pro intranet with known users. In this latter case you could adjust the settings to be more permissive.
Edit 1: hardening with MultipartConfig
As stated on some other posts, maxPostSize might not work for limitting uploads. When using Java 7 built-in uploads, it is possible to configure limits by an annotation to the Servlet, or by configuration. It's not a pure Tomcat configuration as you asked, but it is necessary to know about it and talk with the DEV team as security must be taken in account since the early stages of development.
Edit 2: disabling chunked Transfer-Encoding
Some Slow HTTP POST attacks are based on requests sent with a Transfer-Encoding : chunked header, and then send many or an infinite number of chunks. To counter this attack, I suggest configuring a Rewrite Valve.
To achieve this, add the valve in your Host definition in server.xml :
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
Supposing your host name is the default one (localhost), you need to create $CATALINA_BASE/conf/Catalina/localhost/rewrite.config file with this content :
RewriteCond %{HTTP:Transfer-Encoding} chunked
RewriteRule ^(.*)$ / [F]
If necessary, you can adapt the RewriteRule to reply with something else than a 403 Forbidden which is due to the F flag. This is pure Tomcat config and flexible.
I get following error when I try to access some JasperReports Server pages:
Request Entity Too Large The requested resource
/jasperserver/olap/viewOlap.html does not allow request data with GET
requests, or the amount of data provided in the request exceeds the
capacity limit.
I checked the Apache log files and got following error in mod_jk.log
[Thu Nov 10 10:25:00 2016][8964:3876] [error]
ajp_marshal_into_msgb::jk_ajp_common.c (517): failed appending the
query string of length 7417
I already tried many different ways to solve it.
I added the maxHttpHeaderSize and max_packet_size attributes to the ajp connect of Tomcat (server.xml):
<Connector port="8010" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="8443" maxHttpHeaderSize="65536" max_packet_size="65536" />
Also I added the LimitRequestLine, LimitRequestBody, LimitRequestFieldSize and LimitRequestFields to the Apache httpd.conf file (added it to the end of the file without any VirtualHost):
LimitRequestLine 65536
LimitRequestBody 0
LimitRequestFieldSize 65536
LimitRequestFields 10000
I am still getting the error above.
I also found some suggestions to add the max_packet_size to the workers.properties of Apache. But if I add the attribute I get a HTTP 400 error and a white page. That's why I commented the property in workers.properties:
#worker.jasper.max_packet_size=65536
I restarted all services after changing the configurations.
When I access the same pages via HTTP-Connector of Tomcat (http://HOSTNAME:8081/jasperserver/..) it works fine. Only when I access it via AJP-Connector of Apache (http://HOSTNAME/jasperserver/..) I get the error. So I think there should be any problem with the AJP-Connector.
Apache: 2.4.12
JasperReports Server: 6.2.1
Apache Tomcat Version 8.0.14:
Does anyone have a suggestion what I have to do to solve the issue?
I figured out the problem.
The attribute in server.xml for Tomcat has to be
packetSize
and not
max_packet_size
See also documentation AJP Connector
After renaming it, it works fine.
Here are my configurations:
Tomcat server.xml:
Connector port="8010" protocol="AJP/1.3" redirectPort="8443" packetSize="65536"
Apache workers.properties:
worker.jasper.max_packet_size=65536
If you get afterwards the error:
Request-URI Too Long
The requested URL's length exceeds the capacity limit for this server.
You have to set following attributes in Apache httpd.conf file:
LimitRequestLine 65536
LimitRequestBody 0
LimitRequestFieldSize 65536
LimitRequestFields 10000
I hope this answer helps others too.
I have a web app hosted on two Tomcat servers, identical WARs and server.xml.
I don't have access to change any of the Apache settings - as such, I know that load balancing works as we have tested by shutting down one server and not the other, etc. Based on Tomcat logs I see both being used.
When using the default Tomcat HTTP port 8080 (in my case that was changed to 8083, nonissue) sessions are retained fine.
However, I made a change to use SSL, port 443 and now sessions are invalidated anywhere from 30 seconds - 5 minutes after creation. I assume this has something to do with session replication as I have not made any changes to the server.xml or web.xml besides pointing to the keystore :
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" secure="true" scheme="https" sslProtocol="TLS"
maxThreads="150"
clientAuth="false" keystoreFile="ssl/keystore.jks" keystorePass="123" />
I'm not exactly sure what else to copy here as the only change to the server.xml has literally be these few lines - I assume the added security is for some reason invalidating the session.
I currently have a test server serving the application on HTTP and HTTPS - even accessing the app at the same time, HTTP goes through fine and retains the session, HTTPS refuses to hold on to the session for longer than 5 minutes.
For what it's worth the SSL cert is installed to both Tomcat servers rather than at the load balancer - according to https://serverfault.com/questions/248139/apache-ssl-losing-session-over-load-balancer that may be the issue? I've only coded the application and changed some of the xml configurations - not sure if this is necessarily an issue I can fix.