Discussion:
URL Exceeding maxHttpHeaderSize
glau_pldm
2010-05-26 22:31:10 UTC
I'm running tests against a web app running in Tomcat and I was asked to test
extremely long URL query strings. I've read servers should throw HTTP
status 414 if the header size is too long; however, whenever I make the call
to Tomcat there is no response. Ideally I would like it to return a 414
error. I have my HTTP connector configured with maxHttpHeaderSize="8192".
--
View this message in context: http://old.nabble.com/URL-Exceeding-maxHttpHeaderSize-tp28687322p28687322.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Christopher Schultz
2010-05-27 16:58:46 UTC
To whom it may concern,
Post by glau_pldm
I'm running tests against a web app running in Tomcat and I was asked
to test extremely long URL query strings. I've read servers should
throw HTTP status 414 if the header size is too long however whenever
I make the call to Tomcat there is no response
What does happen? Does the connection hang and finally time out? Do you
get any information in the log files?

Note that 414 is restricted to "Request-URI Too Long" and not the header
itself. 413 would probably be a better response for "too much header
information".

What size Request-URI are you trying to send? An example would really
help. So would your exact version of Tomcat.
Post by glau_pldm
ideally I would like it to return a 414 error. I have my http
connector configured with maxHttpHeaderSize="8192"
Can you post the rest of your <Connector> configuration, too?

- -chris
glau_pldm
2010-05-27 17:37:27 UTC
Here is my connector configuration:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxHttpHeaderSize="8192" />

I'm using Tomcat 6.0.14

The connection doesn't hang but the reply is empty. Here is the detailed
output from cURL:
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection #0

I tested a few URI lengths. First I tested a URI around 7K in length but
under 8K, which worked. Then I tested a URI slightly above 8K and that did
not work. When I change the connector to allow a larger HTTP header size of
16k then 8K works as expected.

I'm wondering if this behavior can be reproduced on another Tomcat deploy or
if this behavior is localized to my configuration.
Post by Christopher Schultz
What does happen? Does the connection hang and finally time out? Do you
get any information in the log files?
What size Request-URI are you trying to send? An example would really
help. So would your exact version of Tomcat.
Can you post the rest of your <Connector> configuration, too?
- -chris
Christopher Schultz
2010-05-27 20:55:32 UTC
To whom it may concern,
Post by glau_pldm
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxHttpHeaderSize="8192" />
I'm using Tomcat 6.0.14
The connection doesn't hang but the reply is empty.
So, it looks like Tomcat just closes the connection in that case.
Post by glau_pldm
Here is the detailed
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection #0
That's not particularly helpful, unfortunately. The fact that you're not
getting a timeout is useful, though.
Post by glau_pldm
I tested a few URI lengths. First I tested a URI around 7K in length but
under 8K, which worked. Then I tested a URI slightly above 8K and that did
not work. When I change the connector to allow a larger HTTP header size of
16k then 8K works as expected.
I'm wondering if this behavior can be reproduced on another Tomcat deploy or
if this behavior is localized to my configuration.
Would you mind upgrading to the latest 6.0.x release (it's currently
6.0.26... your version is nearly 3 years old) and trying again? If this
problem still exists, you'll need to upgrade to get a fix for it, anyway.

- -chris
glau_pldm
2010-05-27 21:45:04 UTC
Thanks for the help. Using the latest release fixed the empty response; it
doesn't return a 414 but at least it now returns a 400 bad request. It
isn't a big deal though, as our front-facing Apache HTTP server does return
414; I just wanted to make sure my testing was thorough.

I didn't realize the large amount of time between the point releases;
unfortunately the .14 release is included by default on our dev machines.
Thanks again for the help.
Post by Christopher Schultz
So, it looks like Tomcat just closes the connection in that case.
That's not particularly helpful, unfortunately. The fact that you're not
getting a timeout is useful, though.
Would you mind upgrading to the latest 6.0.x release (it's currently
6.0.26... your version is nearly 3 years old) and trying again? If this
problem still exists, you'll need to upgrade to get a fix for it, anyway.
- -chris
Christopher Schultz
2010-05-28 13:49:23 UTC
To whom it may concern,
Post by glau_pldm
Thanks for the help. Using the latest release fixed the empty response; it
doesn't return a 414 but at least it now returns a 400 bad request.
Would you mind filing a bug against Tomcat? It really should be
returning 413 or 414 as appropriate. Can you write a test that should
generate a 414 (with a huge Request-URI) and one with more than
maxHttpHeaderSize bytes (obviously, you can set this to something
semi-low to trigger it), say, by sending lots of headers?

Thanks,
- -chris
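
The two tests requested in the last message, sketched as an added example that is not part of the original thread: one request with an oversized Request-URI, one with a short URI but more header bytes than the limit, and a classifier that tells an empty reply apart from a 400, 413 or 414. The helper names, the X-Pad-N header names and the localhost:8080 target (taken from the connector posted above) are assumptions.

```python
import socket

def long_uri_request(uri_bytes, host="localhost"):
    """GET whose Request-URI is uri_bytes long (for uri_bytes >= 4), padded in the query string."""
    uri = "/?q=" + "a" * max(0, uri_bytes - 4)
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")

def many_headers_request(total_bytes, host="localhost"):
    """Short Request-URI, padded with small X-Pad-N headers until the request exceeds total_bytes."""
    lines = ["GET / HTTP/1.1", f"Host: {host}", "Connection: close"]
    size = sum(len(line) + 2 for line in lines)
    while size <= total_bytes:
        lines.append(f"X-Pad-{len(lines)}: {'b' * 64}")
        size += len(lines[-1]) + 2
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def classify(raw):
    """Return the status code as a string, or 'empty' / 'malformed' when there is none."""
    if not raw:
        return "empty"  # what curl reports as (52) Empty reply from server
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "malformed"
    return parts[1].decode("ascii")

def probe(host, port, request, timeout=5.0):
    """Send raw request bytes and classify whatever the server sends back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            if not chunks:
                return "timeout"
        except OSError:
            pass  # reset or broken pipe: the server closed before reading everything
    return classify(b"".join(chunks))

if __name__ == "__main__":
    # Assumes the connector from the thread: localhost:8080, maxHttpHeaderSize="8192".
    for name, req in [("7K URI", long_uri_request(7000)),
                      ("9K URI", long_uri_request(9000)),
                      ("9K of headers", many_headers_request(9000))]:
        print(name, "->", probe("localhost", 8080, req))
```

Going by the results reported in the thread, the 9K URI case would come back as "empty" on 6.0.14 and "400" on 6.0.26.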
