After upgrading to Spring Boot 3.2.2 we started getting the following exception:
java.lang.IllegalArgumentException: Request header is too large
at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:770)
at org.apache.coyote.http11.Http11InputBuffer.parseHeader(Http11InputBuffer.java:964)
at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:591)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:287)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Unknown Source)
I saw in the migration docs from 2.7 to 3.0 that the server.max-http-header-size is deprecated in favour of server.max-http-request-header-size, but both continue to work. Apparently, with Spring Boot 3.2.2, support for the former was ended. But it isn't mentioned in the docs as far as I'm aware.
Note that there's also an inconsistency in the docs of 3.1 that mentions a non-existent config server.tomcat.max-http-response-header-size instead of server.max-http-response-header-size.
Comment From: wilkinsona
Apparently, with Spring Boot 3.2.2, support for the former was ended.
That's to be expected as everything that was deprecated in Boot 3.0 was removed in 3.2.
Note that there's also an inconsistency in the docs of 3.1 that mentions a non-existent config
server.tomcat.max-http-response-header-sizeinstead ofserver.max-http-response-header-size.
server.tomcat.max-http-response-header-size exists. There's no server.max-http-response-header-size as limiting response header size isn't supported by all of the embedded web servers that Boot supports so we offer server-specific properties for those that do support it (Tomcat and Jetty).
Comment From: kiss90benedek
@wilkinsona thank you for clarifying. I missed this note in the release notes of 3.2.
I did see in the documentation that server.tomcat.max-http-response-header-size exists in theory. I didn't check the code, but I know for sure that I tried according to the docs and my application didn't work. Then I changed it to server.max-http-response-header-size and that is respected.
Note that even if I would be wrong about this as well, then the migration docs from 2.7 to 3.0 would reference a nonexistent config since it says
To address this inconsistency, server.max-http-header-size has been deprecated and a replacement, server.max-http-request-header-size, has been introduced.
Comment From: scottfrederick
@kiss90benedek There are separate properties for setting the max request and response header sizes. Separating the request and response handling was most of the reason for the properties changes in 3.0.
From your initial question, it appears that request header size is what you are trying to configure. This is configured by one property for all supported web servers - server.max-http-request-header-size.
Configuring the response header size isn't supported by all web servers, so there are separate properties for each that do support it (Tomcat and Jetty) - server.tomcat.max-http-response-header-size and server.jetty.max-http-response-header-size.
It still appears to us that our release notes and documentation has all this right.
I did see in the documentation that server.tomcat.max-http-response-header-size exists in theory. I didn't check the code, but I know for sure that I tried according to the docs and my application didn't work. Then I changed it to server.max-http-response-header-size and that is respected.
If you can reproduce this in a minimal sample application, please share that with us as a project on GitHub or in a zip attached to this issue and we can take another look.
Comment From: kiss90benedek
Indeed. I managed to confuse these two configs. Thank you for the detailed explanation @wilkinsona @scottfrederick!