Class ParameterLimitValve
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.valves.ParameterLimitValve
- All Implemented Interfaces:
MBeanRegistration,Contained,JmxEnabled,Lifecycle,Valve
This is a concrete implementation of
ValveBase that enforces a limit on the number of HTTP request
parameters. The features of this implementation include:
- URL-specific parameter limits that can be defined using regular expressions
- Configurable through Tomcat's
server.xmlorcontext.xml - Requires a
parameter_limit.configfile containing the URL-specific parameter limits. It must be placed in the Host configuration folder or in the WEB-INF folder of the web application.
The default limit, specified by Connector's value, applies to all requests unless a more specific URL pattern is
matched. URL patterns and their corresponding limits can be configured via a regular expression mapping through the
urlPatternLimits attribute.
The Valve checks each incoming request and enforces the appropriate limit. If a request exceeds the allowed number of
parameters, a 400 Bad Request response is returned.
Example, configuration in context.xml:
<Context> <Valve className="org.apache.catalina.valves.ParameterLimitValve" </Context>and inparameter_limit.config:
/api/.*=150
/admin/.*=50
The configuration allows for flexible control over different sections of your application, such as applying higher limits for API endpoints and stricter limits for admin areas.
- Author:
- Dimitris Soumis
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected booleanWill be set to true if the valve is associated with a context.protected StringRelative path to the configuration file.Map for URL-specific limitsFields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next, smFields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidSub-classes implement this method to perform any instance initialisation required.voidChecks if any of the defined patterns matches the URI of the request and if it does, enforces the corresponding parameter limit for the request.voidsetResourcePath(String resourcePath) voidsetUrlPatternLimits(BufferedReader reader) Set the mapping of URL patterns to their corresponding parameter limits.voidsetUrlPatternLimits(String urlPatternConfig) protected voidStart this component and implement the requirements ofLifecycleBase.startInternal().protected voidStop this component and implement the requirements ofLifecycleBase.stopInternal().Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, isAsyncSupported, setAsyncSupported, setContainer, setNext, toStringMethods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregisterMethods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
urlPatternLimits
-
resourcePath
Relative path to the configuration file. Note: If the valve's container is a context, this will be relative to /WEB-INF/. -
context
protected boolean contextWill be set to true if the valve is associated with a context.
-
-
Constructor Details
-
ParameterLimitValve
public ParameterLimitValve()
-
-
Method Details
-
getResourcePath
-
setResourcePath
-
initInternal
Description copied from class:LifecycleBaseSub-classes implement this method to perform any instance initialisation required.- Overrides:
initInternalin classValveBase- Throws:
LifecycleException- If the initialisation fails
-
startInternal
Description copied from class:ValveBaseStart this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
startInternalin classValveBase- Throws:
LifecycleException- if this component detects a fatal error that prevents this component from being used
-
setUrlPatternLimits
-
setUrlPatternLimits
Set the mapping of URL patterns to their corresponding parameter limits. The input should be provided line by line, where each line contains a pattern and a limit, separated by the last '='.Example:
/api/.*=50 /api======/.*=150 /urlEncoded%20api=2 # This is a comment
- Parameters:
reader- A BufferedReader containing URL pattern to parameter limit mappings, with each pair on a separate line.
-
stopInternal
Description copied from class:ValveBaseStop this component and implement the requirements ofLifecycleBase.stopInternal().- Overrides:
stopInternalin classValveBase- Throws:
LifecycleException- if this component detects a fatal error that prevents this component from being used
-
invoke
Checks if any of the defined patterns matches the URI of the request and if it does, enforces the corresponding parameter limit for the request. Then invoke the next Valve in the sequence.- Parameters:
request- The servlet request to be processedresponse- The servlet response to be created- Throws:
IOException- if an input/output error occursServletException- if a servlet error occurs
-