RE: [External] Re: Maximum header size in Tomcat 9
Thank you, Mark!

-----Original Message-----
From: Mark Thomas
Sent: Thursday, May 26, 2022 6:10 AM
To: users@tomcat.apache.org
Subject: Re: [External] Re: Maximum header size in Tomcat 9

On 25/05/2022 16:21, Amit Pande wrote:
> Hello Mark,
>
> Could we slightly update the description - to say that this size is total
> size (in bytes) of all the request (and response) headers combined (including
> the header name and values)?
> In the past, I incorrectly assumed that this size limit applies for one
> header value.
>
> maxHttpHeaderSize
> The maximum size of the request and response HTTP header, specified in bytes.
> If not specified, this attribute is set to 8192 (8 KB).

Done.

Mark

>
> Thanks,
> Amit
>
> -----Original Message-----
> From: Mark Thomas
> Sent: Wednesday, May 25, 2022 6:16 AM
> To: users@tomcat.apache.org
> Subject: [External] Re: Maximum header size in Tomcat 9
>
> On 25/05/2022 12:08, Aditya Kumar wrote:
>> Thanks! Sorry I misread that article.
>>
>> So I suppose it's the same for maxHttpRequestHeaderSize and
>> maxHttpResponseHeaderSize?
>
> Correct.
>
> Mark
>
>> On Wed, May 25, 2022 at 10:45 AM Mark Thomas wrote:
>>
>>> On 25/05/2022 10:33, Aditya Kumar wrote:
>>>> I'm sorry I'm not sure what you mean by Integer.MAX_VALUE?
>>>
>>> https://docs.oracle.com/javase/8/docs/api/java/lang/Integer.html#MAX_VALUE
>>>
>>>> Looking at
>>>> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
>>>> all I see is this:-
>>>> "maxHttpHeaderSize
>>>>
>>>> The maximum size of the request and response HTTP header, specified
>>>> in bytes. If not specified, this attribute is set to 8192 (8 KB)."
>>>> This does not explain possible values. Can you give me an actual
>>>> number for the maximum?
>>>
>>> See above.
>>>
>>> The theoretical maximum is so far above any sensible value there is
>>> not much point documenting it.
>>>
>>>> Also I saw in this article:
>>>> https://community.jaspersoft.com/wiki/how-pass-big-number-values-apache-tomcat-url-string
>>>>
>>>> " A value of less than 0 means no limit."
>>>
>>> That text is copied directly from the Tomcat documentation and is
>>> part of the description for maxParameterCount, not maxHttpHeaderSize.
>>> What makes you think it might apply to maxHttpHeaderSize?
>>>
>>> Mark
>>>
>>>> On Wed, May 25, 2022 at 10:19 AM Mark Thomas wrote:
>>>>
>>>>> On 25/05/2022 09:51, Aditya Kumar wrote:
>>>>>> Hi
>>>>>>
>>>>>> I'm using Tomcat 9.0.46 and I want to know what is the maximum
>>>>>> possible value for
Re: [External] Re: Maximum header size in Tomcat 9
On 25/05/2022 16:21, Amit Pande wrote:
> Hello Mark,
>
> Could we slightly update the description - to say that this size is total
> size (in bytes) of all the request (and response) headers combined (including
> the header name and values)?
> In the past, I incorrectly assumed that this size limit applies for one
> header value.
>
> maxHttpHeaderSize
> The maximum size of the request and response HTTP header, specified in bytes.
> If not specified, this attribute is set to 8192 (8 KB).

Done.

Mark

>
> Thanks,
> Amit
>
> -----Original Message-----
> From: Mark Thomas
> Sent: Wednesday, May 25, 2022 6:16 AM
> To: users@tomcat.apache.org
> Subject: [External] Re: Maximum header size in Tomcat 9
>
> On 25/05/2022 12:08, Aditya Kumar wrote:
>> Thanks! Sorry I misread that article.
>>
>> So I suppose it's the same for maxHttpRequestHeaderSize and
>> maxHttpResponseHeaderSize?
>
> Correct.
>
> Mark
>
>> On Wed, May 25, 2022 at 10:45 AM Mark Thomas wrote:
>>
>>> On 25/05/2022 10:33, Aditya Kumar wrote:
>>>> I'm sorry I'm not sure what you mean by Integer.MAX_VALUE?
>>>
>>> https://docs.oracle.com/javase/8/docs/api/java/lang/Integer.html#MAX_VALUE
>>>
>>>> Looking at
>>>> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
>>>> all I see is this:-
>>>> "maxHttpHeaderSize
>>>>
>>>> The maximum size of the request and response HTTP header, specified
>>>> in bytes. If not specified, this attribute is set to 8192 (8 KB)."
>>>> This does not explain possible values. Can you give me an actual
>>>> number for the maximum?
>>>
>>> See above.
>>>
>>> The theoretical maximum is so far above any sensible value there is
>>> not much point documenting it.
>>>
>>>> Also I saw in this article:
>>>> https://community.jaspersoft.com/wiki/how-pass-big-number-values-apache-tomcat-url-string
>>>>
>>>> " A value of less than 0 means no limit."
>>>
>>> That text is copied directly from the Tomcat documentation and is
>>> part of the description for maxParameterCount, not maxHttpHeaderSize.
>>> What makes you think it might apply to maxHttpHeaderSize?
>>>
>>> Mark
>>>
>>>> On Wed, May 25, 2022 at 10:19 AM Mark Thomas wrote:
>>>>
>>>>> On 25/05/2022 09:51, Aditya Kumar wrote:
>>>>>> Hi
>>>>>>
>>>>>> I'm using Tomcat 9.0.46 and I want to know what is the maximum
>>>>>> possible value for maxHttpHeaderSize
>>>>>
>>>>> Integer.MAX_VALUE
>>>>>
>>>>>> I have Tomcat setup using kerberos authentication and for some users
>>>>>> the Authorisation header is too large (too many AD groups).
>>>>>>
>>>>>> I have seen various articles when googling but I want something
>>>>>> from official documentation to state what the possible values for
>>>>>> this field are. Is it true that setting a value of "-1" causes a
>>>>>> limitless maximum header size value?
>>>>>
>>>>> Where did you read that? I don't see that in the documentation.
>>>>>
>>>>> Mark

---
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [External] Re: Maximum header size in Tomcat 9
Hello Mark,

Could we slightly update the description - to say that this size is total
size (in bytes) of all the request (and response) headers combined (including
the header name and values)?
In the past, I incorrectly assumed that this size limit applies for one
header value.

maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in bytes.
If not specified, this attribute is set to 8192 (8 KB).

Thanks,
Amit

-----Original Message-----
From: Mark Thomas
Sent: Wednesday, May 25, 2022 6:16 AM
To: users@tomcat.apache.org
Subject: [External] Re: Maximum header size in Tomcat 9

On 25/05/2022 12:08, Aditya Kumar wrote:
> Thanks! Sorry I misread that article.
>
> So I suppose it's the same for maxHttpRequestHeaderSize and
> maxHttpResponseHeaderSize?

Correct.

Mark

> On Wed, May 25, 2022 at 10:45 AM Mark Thomas wrote:
>
>> On 25/05/2022 10:33, Aditya Kumar wrote:
>>> I'm sorry I'm not sure what you mean by Integer.MAX_VALUE?
>>
>> https://docs.oracle.com/javase/8/docs/api/java/lang/Integer.html#MAX_VALUE
>>
>>> Looking at
>>> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
>>> all I see is this:-
>>> "maxHttpHeaderSize
>>>
>>> The maximum size of the request and response HTTP header, specified
>>> in bytes. If not specified, this attribute is set to 8192 (8 KB)."
>>> This does not explain possible values. Can you give me an actual
>>> number for the maximum?
>>
>> See above.
>>
>> The theoretical maximum is so far above any sensible value there is
>> not much point documenting it.
>>
>>> Also I saw in this article:
>>> https://community.jaspersoft.com/wiki/how-pass-big-number-values-apache-tomcat-url-string
>>>
>>> " A value of less than 0 means no limit."
>>
>> That text is copied directly from the Tomcat documentation and is
>> part of the description for maxParameterCount, not maxHttpHeaderSize.
>> What makes you think it might apply to maxHttpHeaderSize?
>>
>> Mark
>>
>>> On Wed, May 25, 2022 at 10:19 AM Mark Thomas wrote:
>>>
>>>> On 25/05/2022 09:51, Aditya Kumar wrote:
>>>>> Hi
>>>>>
>>>>> I'm using Tomcat 9.0.46 and I want to know what is the maximum
>>>>> possible value for maxHttpHeaderSize
>>>>
>>>> Integer.MAX_VALUE
>>>>
>>>>> I have Tomcat setup using kerberos authentication and for some users
>>>>> the Authorisation header is too large (too many AD groups).
>>>>>
>>>>> I have seen various articles when googling but I want something
>>>>> from official documentation to state what the possible values for
>>>>> this field are. Is it true that setting a value of "-1" causes a
>>>>> limitless maximum header size value?
>>>>
>>>> Where did you read that? I don't see that in the documentation.
>>>>
>>>> Mark
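
Added example (not part of the thread and not Tomcat code): the point clarified above, that maxHttpHeaderSize bounds the combined size of all headers rather than one header value, measured on a constructed request. The byte accounting (request line plus every header line with its CRLF), the host name, the Negotiate token and the cookie are assumptions made for illustration.

```python
import base64

DEFAULT_LIMIT = 8192  # default maxHttpHeaderSize quoted in the thread (8 KB)


def measure_head(raw: bytes):
    """Return (total_bytes, {header_name: line_bytes}) for an HTTP/1.1 request head.
    Assumption: every byte up to and including the blank line that ends the
    headers counts (request line, header names, values and CRLF terminators).
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request head: no terminating blank line")
    head = raw[: end + 4]
    per_header = {}
    for line in head[:-4].split(b"\r\n")[1:]:  # element 0 is the request line
        name, sep, _ = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        key = name.decode("ascii").lower()
        # Repeated headers are summed; +2 is the line's CRLF terminator.
        per_header[key] = per_header.get(key, 0) + len(line) + 2
    return len(head), per_header


def fits(raw: bytes, limit: int = DEFAULT_LIMIT):
    """Compare the per-header reading of the limit with the combined one."""
    total, per_header = measure_head(raw)
    return {
        "total": total,
        "largest": max(per_header.items(), key=lambda kv: kv[1]),
        "every_header_under_limit": all(n <= limit for n in per_header.values()),
        "head_under_limit": total <= limit,
    }


def sample_request() -> bytes:
    """Constructed request: 4500-byte token (6000 base64 chars), 2500-byte cookie."""
    token = base64.b64encode(b"\x00" * 4500).decode()
    return (
        "GET /app/ HTTP/1.1\r\n"
        "Host: tomcat.example.test\r\n"  # constructed host name
        f"Authorization: Negotiate {token}\r\n"
        f"Cookie: session={'a' * 2500}\r\n"
        "\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(fits(sample_request()))
```

Measuring real request heads this way gives a figure to size the limit from for the users with the most AD groups, instead of reaching for the theoretical maximum.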