Limiting Form Content

Forms can be a vector for denial-of-service attacks, as explained in this section of the Programming Guide.

Configuring Form Limits for a Web Application

To configure the form limits for a Jakarta EE web application, the WebAppContext instance can be configured from a Jetty context XML file or from a WEB-INF/jetty-ee{8,9,10,11}-web.xml file:

<Configure class="org.eclipse.jetty.ee11.webapp.WebAppContext">
  ...
  <Set name="maxFormContentSize">200000</Set>
  <Set name="maxFormKeys">200</Set>
</Configure>

The form limits can also be set, for both Jakarta EE web applications and Jetty Core web applications, through the following Context attributes:

  • org.eclipse.jetty.server.Request.maxFormKeys

  • org.eclipse.jetty.server.Request.maxFormContentSize

For Jakarta EE web applications, these attributes can be set in web.xml via the <context-param> element.
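
As an added example (not taken from the Jetty documentation), this web.xml fragment sets both attributes through <context-param>. The values 200000 and 200 are reused from the context XML example above and are not recommendations, and the web-app header assumes a Jakarta EE 11 (Servlet 6.1) descriptor:

```xml
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.1">
  <!-- Upper bound on the size of submitted form content (value reused from the example above) -->
  <context-param>
    <param-name>org.eclipse.jetty.server.Request.maxFormContentSize</param-name>
    <param-value>200000</param-value>
  </context-param>
  <!-- Upper bound on the number of form keys (value reused from the example above) -->
  <context-param>
    <param-name>org.eclipse.jetty.server.Request.maxFormKeys</param-name>
    <param-value>200</param-value>
  </context-param>
</web-app>
```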

For both Jakarta EE and Jetty Core web applications, these attributes can be set in the Jetty context XML file.

For Jakarta EE web applications:

<Configure class="org.eclipse.jetty.ee11.webapp.WebAppContext">
  ...
  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormKeys</Arg>
    <Arg>128</Arg>
  </Call>
</Configure>

For Jetty Core web applications:

<Configure class="org.eclipse.jetty.coreapp.CoreAppContext">
  ...
  <Call name="setAttribute">
    <Arg>org.eclipse.jetty.server.Request.maxFormKeys</Arg>
    <Arg>128</Arg>
  </Call>
</Configure>