
Kerberos SSO "Request header is too large" exception with Tomcat Application server

Problem

Single sign-on fails even though the SPNEGO security profile is set up properly. The following, or a similar, error message appears in the catalina.yyyy-mm-dd.log file:

INFO [http-apr-8080-exec-7] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Request header is too large
    at org.apache.coyote.http11.InternalAprInputBuffer.fill(InternalAprInputBuffer.java:564)
    at org.apache.coyote.http11.InternalAprInputBuffer.parseHeader(InternalAprInputBuffer.java:442)
    at org.apache.coyote.http11.InternalAprInputBuffer.parseHeaders(InternalAprInputBuffer.java:318)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1028)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2508)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2497)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Solution

It is likely that the token size of the Kerberos security tokens was increased. The Kerberos administrator can do this for various reasons. The server.xml configuration file of the Tomcat server can be changed so that the server accepts the larger token size.

Changes to be made to server.xml in the \apache-tomcat-8.0.36\conf path:

  1. Open server.xml in a suitable editor
  2. Find the "Connector" section
  3. Add the parameter maxHttpHeaderSize="xxxxx"
  4. Save the file
  5. Restart the Platform service

The maxHttpHeaderSize parameter can be set to the exact value of the token size or higher. If no such parameter is given, the default size of 128 (bit) is used.
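
An added example, not part of the original article or the product's own tooling: a Python check that reads a server.xml and reports, for each Connector, whether maxHttpHeaderSize leaves room for a Kerberos token of a given size. The sample XML, the 12000-byte token size and the 4096-byte allowance for the other headers are constructed assumptions; the token travels base64-encoded in the Authorization: Negotiate header, so it takes about a third more bytes than the raw token.

```python
import math
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the article): one Connector without
# the attribute, one set too low for the token size below, one set high enough.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="16384"/>
    <Connector port="9443" protocol="HTTP/1.1" maxHttpHeaderSize="65536"/>
  </Service>
</Server>"""


def required_header_bytes(token_bytes, other_headers=4096):
    """Bytes needed for a request that carries a token of token_bytes.

    The token is base64-encoded in "Authorization: Negotiate <token>", so it
    grows by 4/3. other_headers is an assumed allowance for the request line,
    cookies and remaining headers, which count against the same limit.
    """
    b64_len = 4 * math.ceil(token_bytes / 3)
    return len("Authorization: Negotiate ") + b64_len + other_headers


def audit_connectors(server_xml, token_bytes):
    """Return [(port, configured_size_or_None, ok)] for every <Connector>."""
    needed = required_header_bytes(token_bytes)
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("maxHttpHeaderSize")
        size = int(raw) if raw is not None else None
        # Unset means the server default applies; flag it for manual review.
        ok = size is not None and size >= needed
        results.append((conn.get("port"), size, ok))
    return results


if __name__ == "__main__":
    TOKEN = 12000  # constructed example token size in bytes
    print("bytes needed:", required_header_bytes(TOKEN))
    for port, size, ok in audit_connectors(SAMPLE_SERVER_XML, TOKEN):
        shown = size if size is not None else "unset"
        print(f"port {port}: maxHttpHeaderSize={shown} ->", "OK" if ok else "REVIEW")
```

To check a real installation, pass the contents of the server.xml from the conf path to audit_connectors together with the token size obtained from the Kerberos administrator.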
