Add documentation for form limits & improve configuration via context attributes #12560
base: jetty-12.0.x
… attributes Signed-off-by: Lachlan Roberts <[email protected]>
Please add a similar security directory in the operations guide.
There, make a similar section titled "Limiting Form Content" (same title), that points to that of the programming guide for example:
Forms can be a vector for denial-of-service attacks, like explained in xref:...[this section].
Then proceed to explain operation-guide specific configuration.
We should have these form limits as a Jetty module properties, and if we don't already, we should add them.
documentation/jetty/modules/programming-guide/pages/security/configuring-form-size.adoc
...es/code/examples/src/main/java/org/eclipse/jetty/docs/programming/security/FormSizeDocs.java
jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/WebAppContext.java
I think we could simplify the dump by just adding a bean to dump the extra info from a WebApp, rather than override dump again and repeat.
Perhaps a bit outside the scope of this PR?
Dumpable.named("maxFormKeys ", getMaxFormKeys()), | ||
Dumpable.named("maxFormContentSize ", getMaxFormContentSize()), |
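Review bot: both label literals passed to Dumpable.named here, "maxFormKeys " and "maxFormContentSize ", end with a space inside the quotes, and nothing is concatenated onto them in these lines, so the space would become part of the dump label. Drop the trailing space unless the dump format depends on it.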
move down in the dump to be after the attributes
@@ -987,6 +988,8 @@ else if (getBaseResource() != null) | |||
name = String.format("%s@%x", name, hashCode()); | |||
|
|||
dumpObjects(out, indent, | |||
Dumpable.named("maxFormKeys ", getMaxFormKeys()), |
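Review bot: the new Dumpable.named entry is the first argument after dumpObjects(out, indent, so it is printed ahead of every entry that follows in that call. Consider placing the scalar limits after the existing entries so the current dump layout keeps its order and the new values are appended rather than prepended.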
Rather than override dump and have to repeat the stuff from the base class, why don't we just add all these Dumpable collections as beans to the context and let the normal dump mechanism dump them?
Or better yet, add one Dumpable webapp bean, that dumps all these extra details
I opened a separate issue for this (see #12655).
As it's outside the scope of this documentation PR.
Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
Can you make it clear that the attributes apply to both core and webapp contexts? For core applications you should reference FormFields#onFields and that the limits can be passed in there, else they are taken from context or server attributes.
FormFields.from already reads this configuration from context attributes, but this PR makes it so that those context attributes delegate to setting the equivalent fields on ContextHandler.
maxFormKeys and maxFormContentSize to the dump.
replaces #12232