Enhancement request
Currently, FormContentFilter (org.springframework.web.filter) automatically parses request parameters if a payload is present and the HTTP method is PUT, PATCH, or DELETE.
The Problem:
This parsing occurs early in the filter chain, before request routing takes place. If a request is sent to a non-existent endpoint, it will ultimately fail with a 404 Not Found error. Consequently, the CPU cycles and memory used to parse the form data are entirely wasted. For high-traffic applications or services targeted by automated scanners, this creates unnecessary performance overhead.
How to improve:
Defer form content parsing until after the request has been successfully routed to a valid handler, ensuring that 404 requests fail fast without consuming parsing resources.
Read world example:
When application is scanned for security issues application throws errors like
Could not decode HTTP form payload
org.springframework.http.converter.HttpMessageNotReadableException: Could not decode HTTP form payload
at org.springframework.http.converter.FormHttpMessageConverter.read(FormHttpMessageConverter.java:367)
at org.springframework.web.filter.FormContentFilter.parseIfNecessary(FormContentFilter.java:109)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142)
at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:110)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142)
And request was made to endpoint which does not exists (path was /poc.jsp) with PUT method.
Enhancement request
Currently,
FormContentFilter(org.springframework.web.filter) automatically parses request parameters if a payload is present and the HTTP method is PUT, PATCH, or DELETE.The Problem:
This parsing occurs early in the filter chain, before request routing takes place. If a request is sent to a non-existent endpoint, it will ultimately fail with a 404 Not Found error. Consequently, the CPU cycles and memory used to parse the form data are entirely wasted. For high-traffic applications or services targeted by automated scanners, this creates unnecessary performance overhead.
How to improve:
Defer form content parsing until after the request has been successfully routed to a valid handler, ensuring that 404 requests fail fast without consuming parsing resources.
Read world example:
When application is scanned for security issues application throws errors like
And request was made to endpoint which does not exists (path was /poc.jsp) with PUT method.