Recent versions of Tomcat 11.0.8 and 10.1.42 introduced new system properties, namely maxPartCount and maxPartHeaderSize.
Please provide the properties for configuration though an application.properties file.
Comment From: wilkinsona
Thanks for pointing these out.
Until the properties have been added, you can configure these settings using a TomcatConnectorCustomizer:
@Bean
TomcatConnectorCustomizer connectorCustomizer() {
return (connector) -> {
connector.setMaxPartCount(10);
connector.setMaxPartHeaderSize(1024);
};
}
Comment From: 123Haynes
@wilkinsona Please note that the new, enforced default values of these properties are a breaking change for some applications.
Before there was no limit on Partcount and Headersize.
It broke 2 of my more complex apps when I updated to Tomcat 10.1.42.
Unfortunately without any error messages from tomcat.
I think this should be at least mentioned in the release notes 😃
Comment From: wilkinsona
@123Haynes Apologies for the breakage. I believe that the Tomcat team are reviewing the new defaults.
Comment From: 123Haynes
@wilkinsona oh no need to apologise 😄
It's not a big deal once you know about it. I just wanted to give a headsup because this could break a lot of apps.
So when Spring Boot pulls in Tomcat 10.1.42 this should be mentioned in the release notes so people can adjust the values as necessary :)
Or if you want to restore the old behaviour, spring boot could set the default values to -1 (no limits) until the next major release 😄
Comment From: wilkinsona
I'd forgotten that we haven't yet released our upgrade to 10.1.42 😀. That's coming in next week's maintenance releases. Thanks for being ahead of the curve and bringing the possible problem to our attention.
Comment From: bsanchezb
Indeed, the issue with new limitation in the Tomcat is quite serious, especially when working with an external Tomcat instance. I have created a ticket at the Tomcat Bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 Feel free to complain so the issue gathers more attention, and maybe the team will review it.
Comment From: 123Haynes
Yes. I think what will break most apps is maxPartCount="10" as the new default.
This means if you have a form that uses enctype="multipart/form-data" and more than 10 form fields, the application will break.
Imho this is quite common if you have a fileupload in a form.
Also from my experience with my apps: If you use Angular with Primeng as your frontend and happen to go over the default limit, tomcat will not log any errors and even reply with HTTP 200 OK to requests, but some features like popups will simply stop working.
In other cases you will see a FileCountLimitExceededException.
After increasing the limits everything is working as expected again.