Posted to users@tomcat.apache.org by Amit Pande <Am...@veritas.com.INVALID> on 2022/05/25 15:21:54 UTC

RE: [External] Re: Maximum header size in Tomcat 9

Hello Mark,

Could we slightly update the description - to say that this size is total size (in bytes) of all the request (and response) headers combined (including the header name and values)?
In the past, I incorrectly assumed that this size limit applies for one header value.

maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

Thanks,
Amit

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Wednesday, May 25, 2022 6:16 AM
To: users@tomcat.apache.org
Subject: [External] Re: Maximum header size in Tomcat 9

On 25/05/2022 12:08, Aditya Kumar wrote:
> Thanks! Sorry I misread that article.
> 
> So I suppose it's the same for maxHttpRequestHeaderSize and 
> maxHttpResponseHeaderSize?

Correct.

Mark


> 
> 
> 
> On Wed, May 25, 2022 at 10:45 AM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 25/05/2022 10:33, Aditya Kumar wrote:
>>> I'm sorry I'm not sure what you mean by Integer.MAX_VALUE?
>>
>> https://docs.oracle.com/javase/8/docs/api/java/lang/Integer.html#MAX_VALUE
>>
>>> Looking at
>>> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
>>> all I see is this:-
>>> "maxHttpHeaderSize
>>>
>>> The maximum size of the request and response HTTP header, specified 
>>> in bytes. If not specified, this attribute is set to 8192 (8 KB)."
>>> This does not explain possible values. Can you give me an actual
>>> number for the maximum?
>>
>> See above.
>>
>> The theoretical maximum is so far above any sensible value there is 
>> not much point documenting it.
>>
>>> Also I saw in this article:
>>>
>>> https://community.jaspersoft.com/wiki/how-pass-big-number-values-apache-tomcat-url-string
>>>
>>> " A value of less than 0 means no limit."
>>
>> That text is copied directly from the Tomcat documentation and is 
>> part of the description for maxParameterCount, not maxHttpHeaderSize. 
>> What makes you think it might apply to maxHttpHeaderSize?
>>
>> Mark
>>
>>
>>>
>>>
>>> On Wed, May 25, 2022 at 10:19 AM Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 25/05/2022 09:51, Aditya Kumar wrote:
>>>>> Hi
>>>>>
>>>>> I'm using Tomcat 9.0.46 and I want to know what is the maximum 
>>>>> possible value for maxHttpHeaderSize
>>>>
>>>> Integer.MAX_VALUE
>>>>
>>>>> I have Tomcat setup using kerberos authentication and for some
>>>>> users the Authorisation header is too large (too many AD groups).
>>>>>
>>>>> I have seen various articles when googling but I want something 
>>>>> from official documentation to state what the possible values for 
>>>>> this field are. Is it true that setting a value of "-1" causes a 
>>>>> limitless maximum header size value?
>>>>
>>>> Where did you read that? I don't see that in the documentation.
>>>>
>>>> Mark
>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
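
Added example (not part of the thread and not Tomcat code): the clarification requested above, that maxHttpHeaderSize bounds all headers combined rather than one header value, worked through on a constructed request. The host name, path, cookie and filler Negotiate token are made up, and counting the request line and CRLFs toward the limit is an assumption of this sketch.

```python
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192  # default quoted in the thread (8 KB)


def header_budget(raw_head: bytes, limit: int = DEFAULT_MAX_HTTP_HEADER_SIZE) -> dict:
    """Account for every byte of a request head against one combined limit.

    Assumption: the limit is compared with the raw bytes up to and including
    the blank line that ends the headers (request line and CRLFs count too).
    """
    end = raw_head.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete head: no terminating blank line")
    lines = raw_head[:end].split(b"\r\n")
    per_line = {"(request line)": len(lines[0]) + 2}
    for line in lines[1:]:
        name, sep, _ = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        key = name.decode("ascii").lower()
        # Repeated headers (several Cookie lines, say) are summed under one name.
        per_line[key] = per_line.get(key, 0) + len(line) + 2
    total = sum(per_line.values()) + 2  # + the final blank line
    largest = max(per_line, key=per_line.get)
    return {
        "total": total,
        "fits": total <= limit,
        "largest": largest,
        "largest_bytes": per_line[largest],
        # The misreading described above: checking each header on its own.
        "any_single_over_limit": any(n > limit for n in per_line.values()),
    }


def sample_request(token_len: int) -> bytes:
    """Constructed request; the Negotiate token is filler, not a real ticket."""
    return (
        b"GET /app/report HTTP/1.1\r\n"
        b"Host: tomcat.example.test\r\n"
        b"Authorization: Negotiate " + b"A" * token_len + b"\r\n"
        b"Cookie: JSESSIONID=" + b"0" * 32 + b"; prefs=" + b"x" * 1500 + b"\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
    )


if __name__ == "__main__":
    print(header_budget(sample_request(7000)))
```

With a 7000-byte token no single header line reaches 8192 bytes, yet the request as a whole does not fit, which is the case a per-header reading of the limit would miss.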




RE: [External] Re: Maximum header size in Tomcat 9

Posted by Amit Pande <Am...@veritas.com.INVALID>.
Thank you, Mark!

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Thursday, May 26, 2022 6:10 AM
To: users@tomcat.apache.org
Subject: Re: [External] Re: Maximum header size in Tomcat 9

On 25/05/2022 16:21, Amit Pande wrote:
> Hello Mark,
> 
> Could we slightly update the description - to say that this size is total size (in bytes) of all the request (and response) headers combined (including the header name and values)?
> In the past, I incorrectly assumed that this size limit applies for one header value.
> 
> maxHttpHeaderSize
> The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

Done.

Mark




Re: [External] Re: Maximum header size in Tomcat 9

Posted by Mark Thomas <ma...@apache.org>.
On 25/05/2022 16:21, Amit Pande wrote:
> Hello Mark,
> 
> Could we slightly update the description - to say that this size is total size (in bytes) of all the request (and response) headers combined (including the header name and values)?
> In the past, I incorrectly assumed that this size limit applies for one header value.
> 
> maxHttpHeaderSize
> The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

Done.

Mark

