This issue occurs on the page titled "Using the Standard Validators" at http://docs.oracle.com/javaee/6/tutorial/doc/bnatc.html. Under the section titled "Using LongRangeValidator" you might clarify that size does not do any validation. Size only sets the size attribute on the rendered input field which, only in that rendered interface will restrict input to a certain length. There is nothing preventing an appropriate GET or POST request from specifying a field value that exceeds the set length. To actually validate the length, you'd need a validator.