We encountered a problem with a Windows auth login application. Spring Security Kerberos Windows authentication is used for this login process, so Spring Security win-auth was implemented in our project. It works for some customers, but some customers encountered an error like the one below.
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
So there was a question on ServerFault. We changed LimitRequestFieldSize of Apache, but it didn't solve our case. My question is not directly related to Apache, so I want to ask my question here.
The problem is related to size. This size depends on the user's Active Directory groups. Some groups probably contain other groups.
How can I reduce this size without changing Active Directory? There are too many customers; we can't change the groups of all users.
Second point:
Our configuration file is like this:
server:
  port: 8080
app:
  ad-domain: EXAMPLE.ORG
  ad-server: ldap://WIN-EKBO0EQ7TS7.example.org/
  service-principal: HTTP/neo.example.org@EXAMPLE.ORG
  keytab-location: /tmp/tomcat.keytab
  ldap-search-base: dc=example,dc=org
  ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"
We're using the search filter
"(| (userPrincipalName={0}) (sAMAccountName={0}))"
but there is no group filter in the sample code.
I want to solve this issue in the source code, if it's possible.
Is there any way to limit the groups of a user with Spring Security?
Or any other idea?
Regards
Looking at your question and what you wrote shows me that you took very little effort to solve the problem on your own. You are mixing a lot of stuff; let me sort it out:
Likely your customer's reverse proxy (Apache Web Server?) refuses to forward the Authorize header back to the Tomcat. You haven't provided the size you have set for LimitRequestFieldSize. At worst, you have to set the max possible token size on Windows and add the overhead for Base64. Enable request header logging, take the Base64 token and pass it to an ASN.1 decoder. If it fails, the token is incomplete; increase the limit.
Our setting is ./extra/httpd-vhosts.conf: LimitRequestFieldSize 32768
and we have a lot of groups, up to hundreds.