RE: Re: controlling the max form size to protect against DoS attacks
For anyone else who comes across this later, the solution was as Thierry suggested; however, we needed to use a custom BoundedInputStream which would throw a ResourceException when the max length was exceeded.

    // Imports added for completeness (package names as in Restlet 2.1; the post omitted them).
    import java.io.IOException;
    import java.io.InputStream;

    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.engine.header.HeaderUtils;
    import org.restlet.engine.io.BioUtils;
    import org.restlet.representation.Representation;
    import org.restlet.representation.WrapperRepresentation;
    import org.restlet.routing.Filter;
    import org.restlet.util.Series;

    // MAX_CONTENTS_LENGTH is the application's limit in bytes, defined elsewhere.
    Filter filter = new Filter(getContext(), router) {
        @Override
        protected int beforeHandle(Request request, Response response) {
            // Fast path: reject up front when the client declares an oversized body.
            Series params = (Series) request.getAttributes().get("org.restlet.http.headers");
            long length = HeaderUtils.getContentLength(params);
            if (length != Representation.UNKNOWN_SIZE && length > MAX_CONTENTS_LENGTH) {
                // TODO: report your error here
                return STOP;
            }
            // Content-Length may be absent (chunked) or untrue, so the stream itself is bounded too.
            if (request.isEntityAvailable()) {
                request.setEntity(new WrapperRepresentation(request.getEntity()) {
                    @Override
                    public InputStream getStream() throws IOException {
                        InputStream result = super.getStream();
                        if (result != null) {
                            // TODO: this is our implementation which throws ResourceException when limit is exceeded
                            result = new BoundedInputStream(result, MAX_CONTENTS_LENGTH);
                        }
                        return result;
                    }

                    @Override
                    public String getText() throws IOException {
                        return BioUtils.toString(getStream(), getCharacterSet());
                    }
                });
            }
            return super.beforeHandle(request, response);
        }
    };

-- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3031171
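As an added example (not code from this thread, and not part of Restlet or commons-io): a limit-enforcing InputStream of the kind Shaun describes, which throws a ResourceException with status 413 as soon as more than the allowed number of bytes has been read, instead of silently truncating the way commons-io's BoundedInputStream does. The class name LimitedInputStream, the helper readFully, the limits and the sample body are my own assumptions; the class is meant to replace BoundedInputStream inside the getStream() override shown in the filter above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.restlet.data.Status;
import org.restlet.resource.ResourceException;

/**
 * Passes through at most {@code limit} bytes and fails loudly (HTTP 413 via a
 * ResourceException, which is unchecked) the moment a caller consumes more.
 * Unlike commons-io's BoundedInputStream it never pretends the body ended early.
 */
public class LimitedInputStream extends FilterInputStream {

    private final long limit;
    private long consumed;

    public LimitedInputStream(InputStream in, long limit) {
        super(in);
        if (limit < 0) {
            throw new IllegalArgumentException("limit must be >= 0");
        }
        this.limit = limit;
    }

    /** Raises 413 once the running count exceeds the limit. */
    private void check() {
        if (consumed > limit) {
            throw new ResourceException(Status.CLIENT_ERROR_REQUEST_ENTITY_TOO_LARGE,
                    "request entity exceeds " + limit + " bytes");
        }
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b != -1) {
            consumed++;
            check();
        }
        return b;
    }

    @Override
    public int read(byte[] b, int off, int len) throws IOException {
        // Ask the wrapped stream for at most one byte past the limit: that single
        // extra byte is enough to detect an oversized body without buffering it.
        long remaining = limit - consumed + 1;
        int n = in.read(b, off, (int) Math.min(len, remaining));
        if (n > 0) {
            consumed += n;
            check();
        }
        return n;
    }

    @Override
    public long skip(long n) throws IOException {
        long skipped = in.skip(Math.min(n, limit - consumed + 1));
        consumed += skipped;
        check();
        return skipped;
    }

    @Override
    public boolean markSupported() {
        return false; // a reset() would make the byte count drift from what was really read
    }

    /** Drains a stream in fixed-size chunks, so the limit is crossed mid-buffer. */
    static byte[] readFully(InputStream in, int chunk) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[chunk];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample form body (31 bytes), not taken from the thread.
        byte[] body = "username=alice&password=hunter2".getBytes(StandardCharsets.UTF_8);

        // Under the limit: the whole body comes through untouched.
        byte[] ok = readFully(new LimitedInputStream(new ByteArrayInputStream(body), 64), 8);
        System.out.println("read " + ok.length + " bytes under a 64-byte limit");

        // Over the limit: two 8-byte reads succeed, the 17th byte triggers the 413.
        try {
            readFully(new LimitedInputStream(new ByteArrayInputStream(body), 16), 8);
            System.out.println("unexpected: no exception");
        } catch (ResourceException e) {
            System.out.println("rejected with " + e.getStatus());
        }
    }
}
```

Two caveats when wiring this into the filter above. First, the Content-Length pre-check is only an optimization: a chunked request carries no length and a client can send a length that does not match the body, so the bounded stream is the control that actually holds. Second, WrapperRepresentation delegates every accessor to the wrapped representation, and only getStream() and getText() are overridden in the posted filter; if a resource reads the entity through getReader(), getChannel() or write(OutputStream) instead, those paths bypass the limit and need the same treatment.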
RE: Re: controlling the max form size to protect against DoS attacks
Thanks, we'll give that a try. Silently preventing reading the extra bytes will be an issue for us, but perhaps we can just roll our own so that an error is returned. -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3030884
Re: controlling the max form size to protect against DoS attacks
Hello Shaun,

I've entered a new issue for that: https://github.com/restlet/restlet-framework-java/issues/687. It is related to this one: https://github.com/restlet/restlet-framework-java/issues/67

I think that the idea is to wrap the stream of the Representation in order to count the number of read bytes. You can for example use a Filter set up in front of the root Restlet of the Restlet-based application. This sample code leverages the BoundedInputStream class (from org.apache.commons.io), which silently (which may not be convenient for you) prevents reading extra bytes.

    // Imports added for completeness (package names as in Restlet 2.1; the post omitted them).
    import java.io.IOException;
    import java.io.InputStream;

    import org.apache.commons.io.input.BoundedInputStream;
    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.Restlet;
    import org.restlet.engine.io.BioUtils;
    import org.restlet.representation.WrapperRepresentation;
    import org.restlet.routing.Filter;
    import org.restlet.routing.Router;

    @Override
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        [... definition of the router]
        // filter the root router.
        Filter filter = new Filter(getContext(), router) {
            @Override
            protected int beforeHandle(Request request, Response response) {
                if (request.isEntityAvailable()) {
                    request.setEntity(new WrapperRepresentation(request.getEntity()) {
                        @Override
                        public InputStream getStream() throws IOException {
                            InputStream result = super.getStream();
                            if (result != null) {
                                // 2 bytes is only a demonstration value; reads beyond it return end-of-stream
                                result = new BoundedInputStream(result, 2);
                            }
                            return result;
                        }

                        @Override
                        public String getText() throws IOException {
                            return BioUtils.toString(getStream(), getCharacterSet());
                        }
                    });
                }
                return super.beforeHandle(request, response);
            }
        };
        return filter;
    }

I'm not sure it will be easy to inherit from HttpServerHelper, and I'm not sure the property "maxFormContentSize" can be used in this context.

Best regards,
Thierry Boileau

> Hi,
>
> Does Restlet expose a way to reject incoming requests which are too large?
> We are using Restlet on Jetty, and Jetty exposes this feature via the
> maxFormContentSize property (
> http://wiki.eclipse.org/Jetty/Howto/Configure_Form_Size), but I can't find
> a way to set this through Restlet.
>
> Do I have to create an extension to HttpServerHelper that overrides
> configure() to do this?
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3029864

-- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3030179
controlling the max form size to protect against DoS attacks
Hi,

Does Restlet expose a way to reject incoming requests which are too large? We are using Restlet on Jetty, and Jetty exposes this feature via the maxFormContentSize property (http://wiki.eclipse.org/Jetty/Howto/Configure_Form_Size), but I can't find a way to set this through Restlet.

Do I have to create an extension to HttpServerHelper that overrides configure() to do this?

-- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3029864