max-post-size strikes again
keeper32 Aug 15, 2018 1:44 PM
Hi there,
I have a chicken-and-egg problem in a JSF 2.2 / EAP 7 / WildFly application, using either h:inputFile or o:inputFile for file upload.
Unfortunately the already answered questions do not solve it. Let's see why.
What is asked:
- The user uploads a file.
- If the file size is bigger than 2 MB the user should receive a warning and may try again.
What I've done so far:
- Application code does check for the 2 MB limit, warning if the file is too big.
- Set Web/Undertow max-post-size = 26214400 (2 MB) in the server console.
When it goes well:
- User uploads a file smaller than 2 MB: the file is properly uploaded.
When it goes weird:
- User uploads a file over 2 MB: Undertow throws a UT000020 error, the user gets a generic 'connection has been reset' browser screen and the app is never notified.
I've tried to:
- Set max-post-size to 5 MB and upload a file between 2 and 5 MB: the app receives the oversized file and displays a warning as expected. Sending a file above 5 MB results in a UT000020 error.
- Set max-post-size to 0: the application works flawlessly, but if the user uploads a 2 GB file this can lead to all sorts of problems, including denial of service or out-of-memory errors.
How can I maintain user experience without sacrificing security?
Best regards,
Marcelo.
Bonus time:
UT000020 2 MB error stack trace:
13:37:35,819 ERROR [io.undertow.request] (default task-100) UT005023: Exception handling request to /upload/views/index.xhtml: javax.servlet.ServletException: java.io.IOException: UT000020:
Connection terminated as request was larger than 26214400
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:671)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
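The pattern the post is circling around is two limits rather than one: an application-level limit that produces the friendly warning, and Undertow's max-post-size set somewhat higher as the hard ceiling that protects the server (the connector limit can only ever reset the connection, so the application must decide first). The servlet filter below is an added example written for this page; it is not code from the post, from JSF or from WildFly. It runs before FacesServlet on the assumed upload path /upload/*, decides on the declared Content-Length alone (so no oversized bytes are buffered by the application), and redirects back to the posting view with a marker query parameter that the JSF page can render as a warning. The path, the parameter names and the 2 MB limit are assumptions; note that 2 MB is 2097152 bytes, while 26214400 bytes is 25 MB. Servlet 3.1 (javax.servlet, as shipped with EAP 7) is assumed, which is why init and destroy are implemented explicitly.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the post, JSF or WildFly): application-level upload
 * size check that runs before FacesServlet sees the multipart request.
 *
 * Two limits cooperate:
 *   - APP_LIMIT: the business rule; exceeding it yields a warning and a retry.
 *   - Undertow max-post-size: the hard server ceiling against abuse. Set it
 *     above APP_LIMIT (for example 5 MB) so only requests the application
 *     would reject anyway can ever hit the connector limit and UT000020.
 *
 * Assumptions: upload views live under /upload/*, and the JSF view renders a
 * warning when the query parameter "tooLarge" is present.
 */
@WebFilter(urlPatterns = "/upload/*")
public class UploadSizeFilter implements Filter {

    /** 2 MB = 2097152 bytes (assumed business limit). */
    static final long APP_LIMIT = 2L * 1024 * 1024;

    /** Query parameter the JSF view checks; name is an assumption. */
    static final String TOO_LARGE_PARAM = "tooLarge";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String contentType = request.getContentType();
        boolean multipartPost = "POST".equalsIgnoreCase(request.getMethod())
                && contentType != null
                && contentType.toLowerCase().startsWith("multipart/form-data");
        if (!multipartPost) {
            chain.doFilter(req, res); // not an upload; nothing to check
            return;
        }

        // Decide on the declared size without touching the body. HTTP framing
        // means the server reads at most Content-Length bytes, so a client
        // cannot smuggle more past this check by declaring a smaller value.
        long declared = request.getContentLengthLong();
        if (declared < 0) {
            // HTML form uploads always carry Content-Length; a chunked or
            // unknown-length upload is refused instead of read unbounded.
            // (Design choice for this example.)
            response.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
            return;
        }
        if (declared > APP_LIMIT) {
            warnAndRetry(request, response, declared);
            return;
        }
        chain.doFilter(req, res); // within limits: JSF parses the parts as usual
    }

    /** Send the browser back to the upload view with a marker the page renders as a warning. */
    private static void warnAndRetry(HttpServletRequest request, HttpServletResponse response,
                                     long declared) throws IOException {
        // Redirect to the request's own URI (the view that posted the form),
        // never to a client-supplied Referer, so there is no open redirect.
        // Only numbers go into the query string; the view owns the wording.
        response.sendRedirect(request.getRequestURI()
                + "?" + TOO_LARGE_PARAM + "=" + (declared / 1024)
                + "&limitKb=" + (APP_LIMIT / 1024));
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

On the JSF side the view can show the warning with something like `<h:outputText rendered="#{not empty param.tooLarge}" value="File is #{param.tooLarge} KB, maximum is #{param.limitKb} KB"/>`; h:outputText escapes by default, and both values are server-generated integers. With this in place, max-post-size no longer has to equal the business limit: keep it at a value that bounds what one request may cost the server, and let the filter handle everything below it gracefully.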