Enforce ServerConfiguration bulk and filter limits in the request path #1125
Merged
bdemers merged 1 commit, May 31, 2026
The bulkMaxOperations, bulkMaxPayloadSize, and filterMaxResults values from ServerConfiguration were advertised in /ServiceProviderConfig but never applied to incoming requests. They are now enforced:

- bulkMaxOperations: BulkResourceImpl.doBulk rejects a request that contains more operations than the configured limit with HTTP 413 before any operation runs (and before the dependency graph is built).
- bulkMaxPayloadSize: BulkPayloadSizeFilter, bound to POST /Bulk by BulkPayloadSizeDynamicFeature, wraps the request entity stream in a LimitingInputStream that counts bytes as the parser reads them and raises BulkPayloadTooLargeException once the limit is exceeded, without buffering the body. The default is raised from 1024 to 2097152 bytes.
- filterMaxResults: BaseResourceTypeResourceImpl.find clamps the page request count to the configured ceiling before querying the repository, covering both the GET query and POST .search paths. totalResults still reports the real match count.

413 responses carry scimType "tooMany" and state the maximum, per RFC 7644 section 3.7.4. The new providers are registered in ScimResourceHelper, and unit tests cover each limit, the streaming payload check, and the error mapper.
Summary

The `bulkMaxOperations`, `bulkMaxPayloadSize`, and `filterMaxResults` values on `ServerConfiguration` were advertised in `/ServiceProviderConfig` but never applied to incoming requests. This change enforces all three in the `scim-server` request path.

- `bulkMaxOperations` — `BulkResourceImpl.doBulk` rejects a request containing more operations than the configured limit with HTTP 413 before any operation runs (and before the dependency graph is built).
- `bulkMaxPayloadSize` — `BulkPayloadSizeFilter`, bound to `POST /Bulk` by `BulkPayloadSizeDynamicFeature`, wraps the request entity stream in a `LimitingInputStream` that counts bytes as the parser reads them and raises `BulkPayloadTooLargeException` once the limit is exceeded — the body is never buffered. The default is raised from 1024 to 2097152 bytes.
- `filterMaxResults` — `BaseResourceTypeResourceImpl.find` clamps the page-request count to the configured ceiling before querying the repository, covering both the `GET` query and `POST .search` paths. `totalResults` still reports the real match count.

413 responses carry `scimType: "tooMany"` and state the maximum, per RFC 7644 section 3.7.4. The new providers are registered in `ScimResourceHelper`. The `supports*` capability flags are left as advertisements only (no access-control behavior added).

Tests

streaming/limit boundaries, the error mapper, and result clamping on both query paths including non-default configuration, null/zero/negative counts, and the disabled (`<= 0`) case.

`./mvnw clean verify -Pci` passes end to end (PMD, SpotBugs, Checkstyle, RAT, and the example server integration tests across Jersey, Jersey 4, Quarkus, Spring Boot, and the in-memory Testcontainers `ContainerIT`).
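The two mechanisms the description relies on, a counting stream wrapper that fails the request as soon as the bytes read exceed the limit (no buffering, so an oversized body never sits in memory) and a page-count clamp that treats a ceiling of `<= 0` as disabled, as an added stand-alone Java illustration. This is not the project's code: the class names echo the ones the PR mentions but the implementation, the `clampCount` semantics (null count means "use the ceiling", negative count means 0 per RFC 7644 section 3.4.2.4) and the sample body are assumptions made here.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class RequestLimitDemo {

    /** Thrown the moment the cumulative bytes read exceed the limit; a server maps it to HTTP 413. */
    static class BulkPayloadTooLargeException extends IOException {
        BulkPayloadTooLargeException(long max) { super("bulk payload exceeds " + max + " bytes"); }
    }

    /** Wraps the entity stream and counts bytes as the parser pulls them; the body is never buffered. */
    static class LimitingInputStream extends FilterInputStream {
        private final long maxBytes; private long seen;
        LimitingInputStream(InputStream in, long maxBytes) { super(in); this.maxBytes = maxBytes; }
        private void account(int n) throws BulkPayloadTooLargeException {
            if (n > 0 && (seen += n) > maxBytes) throw new BulkPayloadTooLargeException(maxBytes);
        }
        @Override public int read() throws IOException { int b = in.read(); account(b < 0 ? 0 : 1); return b; }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len); account(n); return n;   // FilterInputStream.read(byte[]) routes here too
        }
    }

    /** Clamp the requested page count to filterMaxResults; a ceiling <= 0 disables the clamp (assumed semantics). */
    static Integer clampCount(Integer requested, int filterMaxResults) {
        if (requested != null && requested < 0) requested = 0;      // RFC 7644 3.4.2.4: negative count means 0
        if (filterMaxResults <= 0) return requested;                 // limit disabled: pass the count through
        if (requested == null || requested > filterMaxResults) return filterMaxResults;
        return requested;
    }

    /** Drain a body through the limiter in small chunks, as a streaming parser would; returns bytes consumed. */
    static long drain(byte[] body, long maxBytes) throws IOException {
        try (InputStream in = new LimitingInputStream(new ByteArrayInputStream(body), maxBytes)) {
            byte[] chunk = new byte[16]; long total = 0;
            for (int n; (n = in.read(chunk)) >= 0; ) total += n;
            return total;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] small = "{\"Operations\":[]}".getBytes(StandardCharsets.UTF_8);   // constructed sample body
        System.out.println("small body consumed: " + drain(small, 64) + " bytes");
        try { drain(new byte[200], 64); } catch (BulkPayloadTooLargeException e) { System.out.println("413: " + e.getMessage()); }
        System.out.println("clamp(500, 200) = " + clampCount(500, 200) + ", clamp(-5, 0) = " + clampCount(-5, 0));
    }
}
```

The oversized body trips the check on the fifth 16-byte chunk, so only 80 of its 200 bytes are ever read from the socket; a server mapping the exception to 413 with `scimType: "tooMany"` would then close the request without parsing further.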