Class ParameterLimitValve

  • All Implemented Interfaces:
    javax.management.MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve

    public class ParameterLimitValve
    extends ValveBase
    This is a concrete implementation of ValveBase that allows alternative values for the Connector attributes maxParameterCount, maxPartCount and maxPartHeaderSize to be applied to a request. The features of this implementation include:
    • URL-specific parameter limits that can be defined using regular expressions
    • Configurable through Tomcat's server.xml or context.xml
    • Requires a parameter_limit.config file containing the URL-specific parameter limits. It must be placed in the Host configuration folder or in the WEB-INF folder of the web application.

    The default limit, specified by the Connector's value, applies to all requests unless a more specific URL pattern is matched. URL patterns and their corresponding limits can be configured via a regular expression mapping through the urlPatternLimits attribute.

    The Valve checks each incoming request and enforces the appropriate limit. If a request exceeds the allowed number of parameters, a 400 Bad Request response is returned.

    Example configuration in context.xml:

     <Context>
         <Valve className="org.apache.catalina.valves.ParameterLimitValve" />
     </Context>

    and in parameter_limit.config:

     /api/.*=150
     /admin/.*=50
     /upload/.*=30,5,1024

    The configuration allows for flexible control over different sections of your application, such as applying higher limits for API endpoints and stricter limits for admin areas.

    If a single integer is provided, it is used for maxParameterCount.

    If three integers are provided, they are applied to maxParameterCount, maxPartCount and maxPartHeaderSize respectively.

    • Constructor Detail

      • ParameterLimitValve

        public ParameterLimitValve()
    • Method Detail

      • getResourcePath

        public java.lang.String getResourcePath()
      • setResourcePath

        public void setResourcePath(java.lang.String resourcePath)
      • setUrlPatternLimits

        public void setUrlPatternLimits(java.lang.String urlPatternConfig)
      • setUrlPatternLimits

        public void setUrlPatternLimits(java.io.BufferedReader reader)
        Set the mapping of URL patterns to their corresponding parameter limits. The input should be provided line by line, where each line contains a pattern and a limit, separated by the last '='.

        Example:

         /api/.*=50
         /api======/.*=150
         /urlEncoded%20api=2
         # This is a comment
         
        Parameters:
        reader - A BufferedReader containing URL pattern to parameter limit mappings, with each pair on a separate line.
      • invoke

        public void invoke(Request request,
                           Response response)
                    throws java.io.IOException,
                           ServletException
        Checks if any of the defined patterns matches the URI of the request and, if it does, enforces the corresponding parameter limit for the request. It then invokes the next Valve in the sequence.
        Parameters:
        request - The servlet request to be processed
        response - The servlet response to be created
        Throws:
        java.io.IOException - if an input/output error occurs
        ServletException - if a servlet error occurs
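
The parameter_limit.config format described in the class description and under setUrlPatternLimits, and the lookup described under invoke, can be checked before deployment with a small stand-alone program. This is an added example, not Tomcat's own code: the class ParameterLimitConfigCheck and its methods are hypothetical, and it assumes that the first matching line wins, that a pattern must match the whole request URI, and that patterns are used without URL-decoding.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ParameterLimitConfigCheck { // hypothetical name, not part of Tomcat
    // Parses "<regex>=<n>" or "<regex>=<n>,<n>,<n>" lines, splitting on the LAST '='.
    static Map<Pattern, int[]> parse(BufferedReader reader) throws IOException {
        Map<Pattern, int[]> limits = new LinkedHashMap<>(); // keeps file order
        String line;
        for (int n = 1; (line = reader.readLine()) != null; n++) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // blank line or comment
            int eq = line.lastIndexOf('=');
            String[] parts = line.substring(eq + 1).split(",");
            if (eq < 1 || (parts.length != 1 && parts.length != 3)) {
                throw new IllegalArgumentException("line " + n + ": want pattern=N or pattern=N,N,N");
            }
            int[] values = new int[parts.length];
            for (int i = 0; i < parts.length; i++) {
                values[i] = Integer.parseInt(parts[i].trim()); // rejects non-numeric limits
            }
            limits.put(Pattern.compile(line.substring(0, eq).trim()), values); // rejects bad regexes
        }
        return limits;
    }

    // Assumed: first matching line wins, whole-URI match; null means the Connector's limits apply.
    static int[] limitsFor(Map<Pattern, int[]> limits, String uri) {
        for (Map.Entry<Pattern, int[]> e : limits.entrySet()) {
            if (e.getKey().matcher(uri).matches()) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input, assembled from the lines in the Javadoc examples.
        String config = "# This is a comment\n/api/.*=150\n/admin/.*=50\n/upload/.*=30,5,1024\n/api======/.*=150\n";
        Map<Pattern, int[]> limits = parse(new BufferedReader(new StringReader(config)));
        for (String uri : new String[] {"/api/users", "/upload/a", "/api======/x", "/index.html"}) {
            int[] v = limitsFor(limits, uri);
            System.out.println(uri + " -> " + (v == null ? "Connector default" : Arrays.toString(v)));
        }
    }
}
```

A one-element result is maxParameterCount only; a three-element result is maxParameterCount, maxPartCount and maxPartHeaderSize, in that order.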