dgn

Reputation: 103

Spring security kerberos size of a request header field exceeds server limit error

We encountered a problem with a Windows auth login application. Spring Security Kerberos Windows authentication is used for this login process. Then Spring Security win-auth was implemented in our project. It works for some customers, but some customers encountered an error like the one below.

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

So there was a question on ServerFault. We changed LimitRequestFieldSize of Apache, but it didn't solve our case. My question is not directly related to Apache, so I want to ask my question here.

The problem is related to size. This size depends on the user's Active Directory groups. Some groups probably contain other groups.

How can I reduce this size without changing Active Directory? There are too many customers; we can't change the groups of all users.

Second point :

Our configuration file is like this

server:
    port: 8080
app:
    ad-domain: EXAMPLE.ORG
    ad-server: ldap://WIN-EKBO0EQ7TS7.example.org/
    service-principal: HTTP/[email protected]
    keytab-location: /tmp/tomcat.keytab
    ldap-search-base: dc=example,dc=org
    ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"

We're using search filter

"(| (userPrincipalName={0}) (sAMAccountName={0}))"

but there is no group filter in the sample code.

I want to solve this issue in the source code, if it's possible.

Is there any way to limit the groups of a user with Spring Security?

Or any other idea ?

Regards

Upvotes: 0

Views: 1785

Answers (1)

Michael-O

Reputation: 18415

Looking at your question and what you wrote shows me that you took very little effort to solve the problem on your own. You are mixing a lot of stuff, let me sort it out:

  1. Your Spring Webapp runs likely on Tomcat: this will not send you 400 with that text
  2. You do use Spring Sec Kerberos, which is crap btw: this will not send you 400
  3. Some intermediate system tells you that the header size is too large due to the PAC data: yay

Likely your customer's reverse proxy (Apache Web Server?) refuses to forward the Authorize header back to Tomcat. You haven't provided the size you have set for LimitRequestFieldSize. At worst, you have to set the max possible token size on Windows and add the overhead for Base64. Enable request header logging, take the Base64 token and pass it to an ASN.1 decoder. If it fails, the token is incomplete; increase the limit.

Our setting is ./extra/httpd-vhosts.conf: LimitRequestFieldSize 32768 and we have a lot of groups, up to hundreds.

Upvotes: 1
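The diagnostic the answer describes (log the header, Base64-decode the Negotiate token, feed it to an ASN.1 decoder, and if the declared length outruns the bytes you actually received, the proxy cut the header and the limit must go up) as an added Python example; this is not code from the question, the answer, Spring Security Kerberos or Apache. The token used here is a constructed stand-in that only carries the SPNEGO outer wrapper and OID with filler bytes, not real Kerberos data, and the helper names (`read_tag_and_length`, `check_negotiate_header`, `required_limit_request_field_size`) are chosen for this example. The second function also does the "token size plus Base64 overhead" arithmetic the answer mentions, so you can derive a LimitRequestFieldSize from a token size instead of guessing.

```python
import base64
import binascii
import math


def der_length(n: int) -> bytes:
    """Encode a DER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    width = (n.bit_length() + 7) // 8
    return bytes([0x80 | width]) + n.to_bytes(width, "big")


def build_sample_token(body_len: int) -> bytes:
    """Constructed stand-in for a SPNEGO NegTokenInit: tag 0x60 (APPLICATION 0),
    correct DER length, the SPNEGO OID 1.3.6.1.5.5.2, then filler bytes
    where a real token would carry the Kerberos AP-REQ and PAC."""
    spnego_oid = bytes.fromhex("06062b0601050502")
    body = spnego_oid + bytes(body_len)
    return b"\x60" + der_length(len(body)) + body


def sample_negotiate_header(body_len: int) -> str:
    """Header value as a browser would send it: 'Negotiate <base64 token>'."""
    return "Negotiate " + base64.b64encode(build_sample_token(body_len)).decode("ascii")


def read_tag_and_length(data: bytes):
    """Parse the first DER tag and length; returns (tag, declared_len, header_size)."""
    if len(data) < 2:
        raise ValueError("not enough bytes for a tag and length")
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, first, 2
    width = first & 0x7F
    if width == 0 or len(data) < 2 + width:
        raise ValueError("truncated or indefinite length field")
    return tag, int.from_bytes(data[2:2 + width], "big"), 2 + width


def check_negotiate_header(header_value: str) -> dict:
    """Diagnose a logged Authorization value. ok=True means the outer ASN.1
    wrapper declares exactly as many bytes as were received; otherwise
    'reason' says what is wrong (truncation is the case the answer describes)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"ok": False, "reason": f"unexpected scheme {scheme!r}"}
    b64 = b64.strip()
    padding_error = False
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        # A header cut mid-quantum will not decode strictly; drop the partial
        # quantum and decode the rest so the length check can still run.
        padding_error = True
        raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    try:
        tag, declared, hdr = read_tag_and_length(raw)
    except ValueError as e:
        return {"ok": False, "reason": str(e), "actual": len(raw)}
    expected = hdr + declared
    result = {"tag": tag, "declared": declared, "actual": len(raw), "expected_total": expected}
    if tag not in (0x60, 0xA1):  # NegTokenInit / NegTokenResp outer tags
        result.update(ok=False, reason=f"unexpected outer tag 0x{tag:02x}")
    elif len(raw) < expected:
        result.update(ok=False, reason=f"truncated: missing {expected - len(raw)} bytes")
    elif padding_error:
        result.update(ok=False, reason="base64 padding error")
    else:
        result.update(ok=True, reason="complete token")
    return result


def required_limit_request_field_size(token_bytes: int,
                                      prefix: str = "Authorization: Negotiate ") -> int:
    """Bytes the header line needs for a token of token_bytes bytes:
    Base64 turns every 3 bytes into 4 characters (rounded up to a full quantum),
    plus the header name and scheme in front of it."""
    return len(prefix) + 4 * math.ceil(token_bytes / 3)


if __name__ == "__main__":
    good = sample_negotiate_header(1000)
    print(check_negotiate_header(good))
    # Simulate a proxy that forwarded only the first 800 Base64 characters.
    print(check_negotiate_header(good[: len("Negotiate ") + 800]))
    print("LimitRequestFieldSize needed for a 12000-byte token:",
          required_limit_request_field_size(12000))
```

Paste a real logged value into `check_negotiate_header` once you have request header logging on; a "truncated" result with a byte count tells you how far short the current LimitRequestFieldSize falls. The limit from `required_limit_request_field_size` is a lower bound for the header line itself, so leave headroom above it rather than setting it exactly.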
