spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

Independent management max-in-memory-size property #34926

Open ilozano2 opened 1 year ago

ilozano2 commented 1 year ago

Enhancement

Related: https://github.com/spring-projects/spring-boot/issues/9560

Implemented outside Spring Boot: https://github.com/ilozano2/sc-management-codec-max-size

Motivation

By default, the maximum size of any request payload a Spring Boot application can read is 262144 bytes.

This value can be changed using the Spring property spring.codec.max-in-memory-size. However, increasing the value of this property could expose the production controllers to some risks like DDoS attacks.

Spring Actuator endpoints, or the port they listen on, are not usually exposed to the outside, so it could be safe to increase this value only for the Management Server in a controlled network.

Solution

As implemented in the project I've created, the developer can configure a different max-in-memory-size for the management server (aka Spring Actuator endpoints).

management:
  codec:
    max-in-memory-size: 1MB

It is also possible to configure different sizes for management and server.

# Management Server Codec configurations
management:
  codec:
    max-in-memory-size: 1MB

# (original) Server Codec configurations
spring:
  codec:
    max-in-memory-size: 1KB
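For reference, this is what the spring.codec.max-in-memory-size property controls under the hood. The snippet below is an added example, not code from the issue or from the linked project: it registers a CodecCustomizer (the same hook Spring Boot's codec auto-configuration uses to apply the property) that pins the application's WebFlux codecs to the 262144-byte default. It shows where the limit lives and why it is a memory-exposure knob; scoping a separate, larger limit to the management server is the enhancement the issue asks for and is not shown here. The package, class and bean names are assumptions.

```java
// Added example (not from the issue or the linked project): the programmatic
// equivalent of spring.codec.max-in-memory-size. Spring Boot applies that
// property through a CodecCustomizer; registering one sets the same limit on
// the application's WebFlux codecs. Package, class and bean names are assumed.
package com.example.config;

import org.springframework.boot.web.codec.CodecCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.CodecConfigurer;
import org.springframework.util.unit.DataSize;

@Configuration
public class PayloadLimitConfiguration {

    // Spring's default buffering limit: 256 KiB (262144 bytes), as noted above.
    static final DataSize DEFAULT_LIMIT = DataSize.ofBytes(262144);

    /** Converts a DataSize into the int byte count the codec API expects. */
    static int toByteCount(DataSize size) {
        return Math.toIntExact(size.toBytes());
    }

    @Bean
    CodecCustomizer maxInMemorySizeCustomizer() {
        // Every byte added here is memory an unauthenticated client can make
        // the server buffer per request, so public endpoints stay at the
        // conservative default; a DataBufferLimitException is raised for
        // payloads that exceed it.
        return (CodecConfigurer configurer) ->
                configurer.defaultCodecs().maxInMemorySize(toByteCount(DEFAULT_LIMIT));
    }
}
```

Because the limit is applied per CodecConfigurer, any separate limit for the management server has to reach the codecs used by the management context rather than the main application's, which is why a plain property override is not enough and the issue proposes a dedicated management.codec.max-in-memory-size.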

wilkinsona commented 1 year ago

Thanks for sharing your project, @ilozano2. As you've noted this is a similar problem to those discussed in #9560 and those issues to which it links. I think we should try to tackle them all at the same time.