Class ParameterLimitValve
- java.lang.Object
  - org.apache.catalina.util.LifecycleBase
    - org.apache.catalina.util.LifecycleMBeanBase
      - org.apache.catalina.valves.ValveBase
        - org.apache.catalina.valves.ParameterLimitValve

All Implemented Interfaces: javax.management.MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve
public class ParameterLimitValve extends ValveBase
This is a concrete implementation of ValveBase that allows alternative values for the Connector attributes maxParameterCount, maxPartCount and maxPartHeaderSize to be applied to a request. The features of this implementation include:
- URL-specific parameter limits that can be defined using regular expressions
- Configurable through Tomcat's server.xml or context.xml
- Requires a parameter_limit.config file containing the URL-specific parameter limits. It must be placed in the Host configuration folder or in the WEB-INF folder of the web application.

The default limit, specified by the Connector's value, applies to all requests unless a more specific URL pattern is matched. URL patterns and their corresponding limits can be configured via a regular expression mapping through the urlPatternLimits attribute.

The Valve checks each incoming request and enforces the appropriate limit. If a request exceeds the allowed number of parameters, a 400 Bad Request response is returned.

Example configuration in context.xml:

    <Context>
        <Valve className="org.apache.catalina.valves.ParameterLimitValve" />
    </Context>

and in parameter_limit.config:

    /api/.*=150
    /admin/.*=50
    /upload/.*=30,5,1024

The configuration allows for flexible control over different sections of your application, such as applying higher limits for API endpoints and stricter limits for admin areas.

If a single integer is provided, it is used for maxParameterCount. If three integers are provided, they are applied to maxParameterCount, maxPartCount and maxPartHeaderSize respectively.

Nested Class Summary
- Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle: Lifecycle.SingleUse

Field Summary
- Fields inherited from class org.apache.catalina.valves.ValveBase: asyncSupported, container, containerLog, next, sm
- Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase: mserver
- Fields inherited from interface org.apache.catalina.Lifecycle: AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary
- ParameterLimitValve()

Method Summary
- java.lang.String getResourcePath()
- protected void initInternal(): Subclasses implement this method to perform any instance initialisation required.
- void invoke(Request request, Response response): Checks if any of the defined patterns matches the URI of the request and if it does, enforces the corresponding parameter limit for the request.
- void setResourcePath(java.lang.String resourcePath)
- void setUrlPatternLimits(java.io.BufferedReader reader): Set the mapping of URL patterns to their corresponding parameter limits.
- void setUrlPatternLimits(java.lang.String urlPatternConfig)
- protected void startInternal(): Start this component and implement the requirements of LifecycleBase.startInternal().
- protected void stopInternal(): Stop this component and implement the requirements of LifecycleBase.stopInternal().

Methods inherited from class org.apache.catalina.valves.ValveBase:
backgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, isAsyncSupported, setAsyncSupported, setContainer, setNext, toString

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase:
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister

Methods inherited from class org.apache.catalina.util.LifecycleBase:
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

Method Detail

getResourcePath
public java.lang.String getResourcePath()

setResourcePath
public void setResourcePath(java.lang.String resourcePath)

initInternal
protected void initInternal() throws LifecycleException
Description copied from class: LifecycleBase
Subclasses implement this method to perform any instance initialisation required.
- Overrides: initInternal in class ValveBase
- Throws: LifecycleException - If the initialisation fails

startInternal
protected void startInternal() throws LifecycleException
Description copied from class: ValveBase
Start this component and implement the requirements of LifecycleBase.startInternal().
- Overrides: startInternal in class ValveBase
- Throws: LifecycleException - if this component detects a fatal error that prevents this component from being used

setUrlPatternLimits
public void setUrlPatternLimits(java.lang.String urlPatternConfig)

setUrlPatternLimits
public void setUrlPatternLimits(java.io.BufferedReader reader)
Set the mapping of URL patterns to their corresponding parameter limits. The input should be provided line by line, where each line contains a pattern and a limit, separated by the last '='.
Example:

    /api/.*=50
    /api======/.*=150
    /urlEncoded%20api=2
    # This is a comment

- Parameters: reader - A BufferedReader containing URL pattern to parameter limit mappings, with each pair on a separate line.
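
The line format described above (split at the last '=', one or three integers, '#' comment lines), as an added Java example that is not Tomcat's own code. It assumes whole-line comments, first-match-wins ordering and whole-URI regex matching, and does not model any URL decoding of patterns; ParameterLimitConfigDemo, Limits, parse and resolve are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration (Java 16+ for records), not Tomcat source code.
public class ParameterLimitConfigDemo {
    // -1 means "not given on this line" (a convention of this sketch only)
    record Limits(int maxParameterCount, int maxPartCount, int maxPartHeaderSize) {}

    static Map<Pattern, Limits> parse(String config) {
        Map<Pattern, Limits> rules = new LinkedHashMap<>(); // preserves file order
        for (String raw : config.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // blank or comment line
            int eq = line.lastIndexOf('='); // the LAST '=' separates pattern from limits
            if (eq < 1) {
                throw new IllegalArgumentException("No pattern=limit pair: " + line);
            }
            String[] n = line.substring(eq + 1).trim().split("\\s*,\\s*");
            if (n.length != 1 && n.length != 3) {
                // Fail loudly: a silently skipped line would leave the path on the default limit
                throw new IllegalArgumentException("Expected 1 or 3 integers: " + line);
            }
            Limits limits = n.length == 1
                    ? new Limits(Integer.parseInt(n[0]), -1, -1)
                    : new Limits(Integer.parseInt(n[0]), Integer.parseInt(n[1]), Integer.parseInt(n[2]));
            rules.put(Pattern.compile(line.substring(0, eq).trim()), limits);
        }
        return rules;
    }

    // Assumption: the first pattern in file order that matches the whole URI wins.
    // A null result means no pattern matched and the Connector defaults apply.
    static Limits resolve(Map<Pattern, Limits> rules, String uri) {
        for (Map.Entry<Pattern, Limits> e : rules.entrySet()) {
            if (e.getKey().matcher(uri).matches()) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample built from the two examples on this page
        Map<Pattern, Limits> rules = parse("# This is a comment\n/api/.*=150\n"
                + "/api======/.*=150\n/admin/.*=50\n/upload/.*=30,5,1024\n");
        for (String uri : new String[] {"/api/users", "/api======/x", "/upload/file", "/index.html"}) {
            System.out.println(uri + " -> " + resolve(rules, uri));
        }
    }
}
```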

stopInternal
protected void stopInternal() throws LifecycleException
Description copied from class: ValveBase
Stop this component and implement the requirements of LifecycleBase.stopInternal().
- Overrides: stopInternal in class ValveBase
- Throws: LifecycleException - if this component detects a fatal error that prevents this component from being used

invoke
public void invoke(Request request, Response response) throws java.io.IOException, ServletException
Checks if any of the defined patterns matches the URI of the request and if it does, enforces the corresponding parameter limit for the request. Then invokes the next Valve in the sequence.
- Parameters:
  - request - The servlet request to be processed
  - response - The servlet response to be created
- Throws:
  - java.io.IOException - if an input/output error occurs
  - ServletException - if a servlet error occurs