AM 7.2.0

Limit the size of the request body

HTTP requests are not limited by the specification. Rather, the method used limits the amount of data that a client can send. The GET and DELETE methods, for example, are limited by the size of the URL. The POST method is not. Instead, browsers and application servers limit the amount of data a request can send to your applications.

Ensure that the amount of data that reaches your applications and AM is not large enough to overwhelm them.

Application servers usually can mitigate against denial of service (DoS) attacks that POST large amounts of form data, but AM endpoints may receive large amounts of POST data in different ways, such as in JSON, JWT, or JWK formats.

By default, AM rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size. It also returns an HTTP 413 error response, and logs a message similar to the following:

  • ERROR: Request Content-Length exceeds maximum allowed, if the content’s length was specified in the request.

  • ERROR: Counted request entity size exceeds maximum allowed, if the content’s length was not specified.

To change the default value, perform the following steps:

  1. Change the value of the org.forgerock.openam.request.max.bytes.entity.size advanced server property to the new size, in bytes.

    The property is hot-swappable. You do not need to restart AM for the changes to take effect.

How do I configure advanced server properties?
  • To configure advanced server properties for all the instances of the AM environment, in the AM Admin UI, go to Configure > Server Defaults > Advanced.

  • To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.

If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.

Click Save Changes.

Copyright © 2010-2022 ForgeRock, all rights reserved.