Merge pull request #43 from FusionAuth/degroff/config_max_request_size

Add additional configuration for max post, max overall request body, max header sizes

Author: robotdan

README.md

@@ -2,7 +2,7 @@
 
 ### Latest versions
 
-* Latest stable version: `1.2.0`
+* Latest stable version: `1.3.0`
    * Now with 100% more virtual threads!
 * Prior stable version `0.3.7` 
 
@@ -27,20 +27,20 @@ To add this library to your project, you can include this dependency in your Mav
 <dependency>
   <groupId>io.fusionauth</groupId>
   <artifactId>java-http</artifactId>
-  <version>1.2.0</version>
+  <version>1.3.0</version>
 </dependency>
 ```
 
 If you are using Gradle, you can add this to your build file:
 
 ```groovy
-implementation 'io.fusionauth:java-http:1.2.0'
+implementation 'io.fusionauth:java-http:1.3.0'
 ```
 
 If you are using Savant, you can add this to your build file:
 
 ```groovy
-dependency(id: "io.fusionauth:java-http:1.2.0")
+dependency(id: "io.fusionauth:java-http:1.3.0")
 ```
 
 ## Examples Usages:

build.savant

@@ -18,7 +18,7 @@ restifyVersion = "4.2.1"
 slf4jVersion = "2.0.17"
 testngVersion = "7.11.0"
 
-project(group: "io.fusionauth", name: "java-http", version: "1.2.0", licenses: ["ApacheV2_0"]) {
+project(group: "io.fusionauth", name: "java-http", version: "1.3.0", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

java-http.ipr

@@ -9,6 +9,10 @@
       <option name="addBlankAfter" value="false" />
     </LanguageOptions>
   </component>
+  <component name="GitScope">
+    <option name="currentTabIndex" value="1" />
+    <option name="modelData" value="[{&quot;targetBranchMap&quot;:{&quot;value&quot;:{&quot;/Users/bpontarelli/dev/inversoft/fusionauth/java-http&quot;:&quot;HEAD~5&quot;}},&quot;customTabName&quot;:&quot;HEAD~5&quot;}]" />
+  </component>
   <component name="InspectionProjectProfileManager">
     <profile version="1.0">
       <option name="myName" value="Project Default" />
@@ -1409,31 +1413,6 @@
   <component name="ProjectRootManager" version="2" languageLevel="JDK_21" default="true" project-jdk-name="Java 21" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
   </component>
-  <component name="ProjectRunConfigurationManager">
-    <configuration default="true" type="TestNG">
-      <shortenClasspath name="NONE" />
-      <useClassPathOnly />
-      <option name="SUITE_NAME" value="" />
-      <option name="PACKAGE_NAME" value="" />
-      <option name="MAIN_CLASS_NAME" value="" />
-      <option name="GROUP_NAME" value="" />
-      <option name="TEST_OBJECT" value="CLASS" />
-      <option name="VM_PARAMETERS" value="-ea --add-exports java.base/sun.security.x509=ALL-UNNAMED --add-exports java.base/sun.security.util=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED" />
-      <option name="PARAMETERS" value="" />
-      <option name="OUTPUT_DIRECTORY" value="" />
-      <option name="TEST_SEARCH_SCOPE">
-        <value defaultName="moduleWithDependencies" />
-      </option>
-      <option name="PROPERTIES_FILE" value="" />
-      <properties />
-      <listeners>
-        <listener class="io.fusionauth.http.BaseTest$TestListener" />
-      </listeners>
-      <method v="2">
-        <option name="Make" enabled="true" />
-      </method>
-    </configuration>
-  </component>
   <component name="VcsDirectoryMappings">
     <mapping directory="$PROJECT_DIR$" vcs="Git" />
   </component>
@@ -1450,4 +1429,4 @@
       </SOURCES>
     </library>
   </component>
-</project>
+</project>

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>io.fusionauth</groupId>
   <artifactId>java-http</artifactId>
-  <version>1.2.0</version>
+  <version>1.3.0</version>
   <packaging>jar</packaging>
 
   <name>Java HTTP library (client and server)</name>

src/main/java/io/fusionauth/http/RequestHeadersTooLargeException.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2025, FusionAuth, All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+package io.fusionauth.http;
+
+/**
+ * Thrown when the request headers exceeds the total configured maximum size.
+ *
+ * @author Daniel DeGroff
+ */
+public class RequestHeadersTooLargeException extends HTTPProcessingException {
+  public long maximumRequestHeadersSize;
+
+  public RequestHeadersTooLargeException(long maximumRequestHeadersSize, String detailedMessage) {
+    super(431, "Request Header Fields Too Large", detailedMessage);
+    this.maximumRequestHeadersSize = maximumRequestHeadersSize;
+  }
+}

src/main/java/io/fusionauth/http/io/MultipartConfiguration.java

@@ -30,9 +30,9 @@ public class MultipartConfiguration {
 
   private long maxFileSize = 1024 * 1024; // 1 Megabyte
 
-  private long maxRequestSize = 10 * 1024 * 1024; // 10 Megabyte
+  private long maxRequestSize = 10 * 1024 * 1024; // 10 Megabytes
 
-  private int multipartBufferSize = 8 * 1024; // 8 Kilobyte
+  private int multipartBufferSize = 8 * 1024; // 8 Kilobytes
 
   private String temporaryFileLocation = System.getProperty("java.io.tmpdir");
 

src/main/java/io/fusionauth/http/io/PushbackInputStream.java

@@ -38,7 +38,6 @@ public class PushbackInputStream extends InputStream {
 
   private int bufferPosition;
 
-
   public PushbackInputStream(InputStream delegate, Instrumenter instrumenter) {
     this.delegate = delegate;
     this.instrumenter = instrumenter;

src/main/java/io/fusionauth/http/server/Configurable.java

@@ -17,6 +17,7 @@
 
 import java.nio.file.Path;
 import java.time.Duration;
+import java.util.Map;
 
 import io.fusionauth.http.io.MultipartConfiguration;
 import io.fusionauth.http.log.LoggerFactory;
@@ -48,7 +49,7 @@ default T withBaseDir(Path baseDir) {
   }
 
   /**
-   * Sets the buffer size for the chunked input stream. Defaults to 4k.
+   * Sets the buffer size for the chunked input stream. Defaults to 4 Kilobytes.
    *
    * @param chunkedBufferSize the buffer size used to read a request body that was encoded using 'chunked' transfer-encoding.
    * @return This.
@@ -184,6 +185,52 @@ default T withMaxPendingSocketConnections(int maxPendingSocketConnections) {
     return (T) this;
   }
 
+  /**
+   * Sets the maximum size of the HTTP request body by Content-Type. If this limit is exceeded, the connection will be closed.
+   * <p>
+   * The default size is identified by the "*" key. This default value will be used if a more specific value has not been configured for the
+   * requested Content-Type.
+   * <p>
+   * You may also use wildcards to match one to many subtypes. For example, "application/*" will provide a max size for all content types
+   * beginning with application/ when an exact match has not been configured.
+   * <p>
+   * An example lookup for the Content-Type "application/x-www-form-urlencoded" is:
+   * <ol>
+   *   <li>application/x-www-form-urlencoded</li>
+   *   <li>application/*</li>
+   *   <li>*</li>
+   * </ol>
+   * <p>
+   * If the provided configuration does not contain the initial default identified by the "*" key, the server default value will be retained.
+   * key.
+   * <p>
+   * Set any value to -1 to disable this limitation.
+   * <p>
+   * Defaults to 128 Megabytes for the default "*" and 10 Megabytes for "application/x-www-form-urlencoded".
+   *
+   * @param maxRequestBodySize a map specifying the maximum size in bytes for the HTTP request body by Content-Type
+   * @return This.
+   */
+  default T withMaxRequestBodySize(Map<String, Integer> maxRequestBodySize) {
+    configuration().withMaxRequestBodySize(maxRequestBodySize);
+    return (T) this;
+  }
+
+  /**
+   * Sets the maximum size of the HTTP request header. The request header includes the HTTP request line, and all HTTP request headers,
+   * essentially everything except the request body. If this maximum limit is exceeded, the connection will be closed. Defaults to 128
+   * Kilobytes.
+   * <p>
+   * Set this to -1 to disable this limitation.
+   *
+   * @param maxRequestHeaderSize the maximum size in bytes for the HTTP request header
+   * @return This.
+   */
+  default T withMaxRequestHeaderSize(int maxRequestHeaderSize) {
+    configuration().withMaxRequestHeaderSize(maxRequestHeaderSize);
+    return (T) this;
+  }
+
   /**
    * Sets the base directory for this server. This is passed to the HTTPContext, which is available from this class. This defaults to the
    * current working directory of the process. Defaults to 100,000.
@@ -197,7 +244,8 @@ default T withMaxRequestsPerConnection(int maxRequestsPerConnection) {
   }
 
   /**
-   * This configures the maximum size of a chunk in the response when the server is using chunked response encoding. Defaults to 16k.
+   * This configures the maximum size of a chunk in the response when the server is using chunked response encoding. Defaults to 16
+   * Kilobytes.
    *
    * @param size The size in bytes.
    * @return This.
@@ -209,7 +257,7 @@ default T withMaxResponseChunkSize(int size) {
 
   /**
    * Sets the maximum number of bytes the server will allow worker threads to drain after calling the request handler. If the request
-   * handler does not read all the bytes, and this limit is exceeded the connection will be closed. Defaults to 128k bytes.
+   * handler does not read all the bytes, and this limit is exceeded the connection will be closed. Defaults to 128 Kilobytes bytes.
    *
    * @param maxBytesToDrain The maximum number of bytes to drain from the InputStream if the request handler did not read all the available
    *                        bytes.
@@ -245,7 +293,7 @@ default T withMinimumWriteThroughput(long bytesPerSecond) {
   }
 
   /**
-   * Sets the size of the buffer that is used to process the multipart request body. This defaults to 16k.
+   * Sets the size of the buffer that is used to process the multipart request body. This defaults to 16 Kilobytes.
    *
    * @param multipartBufferSize The size of the buffer.
    * @return This.
@@ -297,7 +345,7 @@ default T withReadThroughputCalculationDelayDuration(Duration duration) {
   }
 
   /**
-   * Sets the size of the buffer that is used to process the HTTP request. This defaults to 16k.
+   * Sets the size of the buffer that is used to process the HTTP request. This defaults to 16 Kilobytes.
    *
    * @param requestBufferSize The size of the buffer.
    * @return This.
@@ -310,9 +358,11 @@ default T withRequestBufferSize(int requestBufferSize) {
   /**
    * Sets the size of the buffer that is used to store the HTTP response before any bytes are written back to the client. This is useful
    * when the server is generating the response but encounters an error. In this case, the server will throw out the response and change to
-   * a 500 error response. This defaults to 64k. Negative values disable the response buffer.
+   * a 500 error response. This defaults to 64 Kilobytes. Negative values disable the response buffer.
+   * <p>
+   * Set to -1 do disable buffering completely.
    *
-   * @param responseBufferSize The size of the buffer. Set to -1 to disable buffering completely.
+   * @param responseBufferSize The size of the buffer.
    * @return This.
    */
   default T withResponseBufferSize(int responseBufferSize) {

src/main/java/io/fusionauth/http/server/HTTPRequest.java

@@ -362,7 +362,7 @@ public Map<String, List<String>> getFormData() {
       String contentType = getContentType();
       if (contentType != null && contentType.equalsIgnoreCase(ContentTypes.Form)) {
         byte[] body = getBodyBytes();
-        HTTPTools.parseEncodedData(body, 0, body.length, formData);
+        HTTPTools.parseEncodedData(body, 0, body.length, getCharacterEncoding(), formData);
       } else if (isMultipart()) {
         try {
           multipartStreamProcessor.process(inputStream, formData, files, multipartBoundary.getBytes());
@@ -801,15 +801,12 @@ private void decodeHeader(String name, String value) {
             }
           }
         } else {
+          this.host = value;
           if ("http".equalsIgnoreCase(scheme)) {
             this.port = 80;
-          }
-          else if ("https".equalsIgnoreCase(scheme)) {
+          } else if ("https".equalsIgnoreCase(scheme)) {
             this.port = 443;
-          } else {
-            // fallback, intentionally do nothing
           }
-          this.host = value;
         }
         break;
     }