Recent versions of Tomcat 11.0.8 and 10.1.42 introduced new system properties, namely maxPartCount and maxPartHeaderSize.
Please provide the properties for configuration through an application.properties file.
Comment From: wilkinsona
Thanks for pointing these out.
Until the properties have been added, you can configure these settings using a TomcatConnectorCustomizer:
```java
@Bean
TomcatConnectorCustomizer connectorCustomizer() {
    return (connector) -> {
        connector.setMaxPartCount(10);
        connector.setMaxPartHeaderSize(1024);
    };
}
```
Comment From: 123Haynes
@wilkinsona Please note that the new, enforced default values of these properties are a breaking change for some applications.
Before, there was no limit on Partcount and Headersize.
It broke 2 of my more complex apps when I updated to Tomcat 10.1.42.
Unfortunately without any error messages from Tomcat.
I think this should be at least mentioned in the release notes 😃
Comment From: wilkinsona
@123Haynes Apologies for the breakage. I believe that the Tomcat team are reviewing the new defaults.
Comment From: 123Haynes
@wilkinsona oh no need to apologise 😄
It's not a big deal once you know about it. I just wanted to give a heads-up because this could break a lot of apps.
So when Spring Boot pulls in Tomcat 10.1.42 this should be mentioned in the release notes so people can adjust the values as necessary :)
Or if you want to restore the old behaviour, Spring Boot could set the default values to -1 (no limits) until the next major release 😄
Comment From: wilkinsona
I'd forgotten that we haven't yet released our upgrade to 10.1.42 😀. That's coming in next week's maintenance releases. Thanks for being ahead of the curve and bringing the possible problem to our attention.
Comment From: bsanchezb
Indeed, the issue with the new limitation in Tomcat is quite serious, especially when working with an external Tomcat instance. I have created a ticket at the Tomcat Bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 Feel free to complain so the issue gathers more attention, and maybe the team will review it.
Comment From: 123Haynes
Yes. I think what will break most apps is maxPartCount="10" as the new default.
This means if you have a form that uses enctype="multipart/form-data" and more than 10 form fields, the application will break.
IMHO this is quite common if you have a file upload in a form.
Also from my experience with my apps: if you use Angular with PrimeNG as your frontend and happen to go over the default limit, Tomcat will not log any errors and will even reply with HTTP 200 OK to requests, but some features like popups will simply stop working.
In other cases you will see a FileCountLimitExceededException.
After increasing the limits everything is working as expected again.
Comment From: markt-asf
Now the CVE background to these Tomcat changes is public, some feedback on https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 would be helpful. The more input the Tomcat team has on that issue, the better decision they can make on where to strike the balance between maxPartCount and potential memory requirements for the default case.
Comment From: wilkinsona
Given the need for max part count and max part header size to be configurable with Tomcat 10.1.42, we're going to take care of this as part of Boot upgrading to that version of Tomcat (#45869, #45870, #45872).
Comment From: Icke1234
```java
@Bean
TomcatConnectorCustomizer connectorCustomizer() {
    return (connector) -> {
        connector.setMaxPartCount(100);
    };
}
```
Does not work for me. It sticks to the default value of 10.
Comment From: kev22257
I also cannot get the connector customizer to work. I can see the Bean method being executed in the debugger, but I still get the same org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException exception.
```java
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatConnectorCustomizer connectorCustomizer() {
        return (connector) -> {
            connector.setMaxPartCount(50);
            connector.setMaxPartHeaderSize(2048);
        };
    }
}
```
Comment From: bladekp
I also cannot get the connector customizer to work. I can see the Bean method being executed in the debugger, but I still get the same org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException exception.
```java
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatConnectorCustomizer connectorCustomizer() {
        return (connector) -> {
            connector.setMaxPartCount(50);
            connector.setMaxPartHeaderSize(2048);
        };
    }
}
```
This is because there are other customizers, and apparently Tomcat's default customizer overrides what was changed by yours. My recommendation is something like this:
```java
import org.springframework.boot.web.embedded.tomcat.ConfigurableTomcatWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Integer.MAX_VALUE)
public class MyTomcatCustomizer implements WebServerFactoryCustomizer<ConfigurableTomcatWebServerFactory> {

    @Override
    public void customize(ConfigurableTomcatWebServerFactory factory) {
        factory.addConnectorCustomizers((connector) -> connector.setMaxPartCount(50));
    }
}
```
Comment From: kev22257
@kev22257 did you make it work on your side?
I was able to get it to work with application.properties.
```properties
server.tomcat.max-part-count=50
server.tomcat.max-part-header-size=2048
```
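
Several comments above report a customizer that runs while the default of 10 still applies. The following startup check is an added example (not code from any commenter or from Spring Boot) that reads the effective limits back from each embedded Tomcat connector and fails startup if a limit is missing or differs from the intended value. It assumes a Spring Boot 3.x servlet application on Java 17+; the class name and the expected values 50 and 2048 are illustrative.

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
import org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MultipartLimitCheck {

    // Assumed values for this example; use whatever your configuration is meant to apply.
    static final int EXPECTED_MAX_PART_COUNT = 50;
    static final int EXPECTED_MAX_PART_HEADER_SIZE = 2048;

    @Bean
    ApplicationRunner verifyMultipartLimits(ServletWebServerApplicationContext context) {
        return (args) -> {
            // With an external Tomcat (WAR deployment) there is no embedded server to inspect.
            if (!(context.getWebServer() instanceof TomcatWebServer webServer)) {
                return;
            }
            // Check every connector, including any additional ones registered by the application.
            for (Connector connector : webServer.getTomcat().getService().findConnectors()) {
                check(connector, "maxPartCount",
                        connector.getMaxPartCount(), EXPECTED_MAX_PART_COUNT);
                check(connector, "maxPartHeaderSize",
                        connector.getMaxPartHeaderSize(), EXPECTED_MAX_PART_HEADER_SIZE);
            }
        };
    }

    static void check(Connector connector, String name, int effective, int expected) {
        String where = name + " on connector port " + connector.getPort();
        // A negative value disables the limit, which removes the memory bound the limits provide.
        if (effective < 0) {
            throw new IllegalStateException(where + " is " + effective + " (no limit)");
        }
        // A mismatch means another customizer or property won, as reported in this thread.
        if (effective != expected) {
            throw new IllegalStateException(where + " is " + effective + ", expected " + expected);
        }
    }
}
```

Because the runner executes after the web server has started, it sees the values left in place once all customizers and `server.tomcat.*` properties have been applied.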