
Spring Security Kerberos: size of a request header field exceeds server limit error

We encountered a problem with a Windows auth login application. Spring Security Kerberos Windows authentication is used for this login process. Spring Security win-auth was implemented in our project. It works for some customers, but some customers encountered an error like the one below.

Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

There was a question about this on Server Fault. We changed LimitRequestFieldSize in Apache, but it didn't solve our case. My question is not directly related to Apache, so I want to ask it here.

The problem is related to size. This size depends on the user's Active Directory groups. Some groups probably contain other groups.

How can I reduce this size without changing Active Directory? There are too many customers; we can't change the groups of all users.

Second point:

Our configuration file looks like this:

server:
    port: 8080
app:
    ad-domain: EXAMPLE.ORG
    ad-server: ldap://WIN-EKBO0EQ7TS7.example.org/
    service-principal: HTTP/neo.example.org@EXAMPLE.ORG
    keytab-location: /tmp/tomcat.keytab
    ldap-search-base: dc=example,dc=org
    ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"

We're using the search filter

"(| (userPrincipalName={0}) (sAMAccountName={0}))"

but there is no group filter in the sample code.

I want to solve this issue in the source code, if possible.

Is there any way to limit the user's groups with Spring Security?

Or any other idea ?

Regards

Looking at your question and what you wrote shows me that you took very little effort to solve the problem on your own. You are mixing a lot of stuff; let me sort it out:

  1. Your Spring webapp likely runs on Tomcat: this will not send you a 400 with that text
  2. You do use Spring Sec Kerberos, which is crap btw: this will not send you a 400
  3. Some intermediate system tells you that the header size is too large due to the PAC data: yay

Likely your customer's reverse proxy (Apache Web Server?) refuses to forward the Authorization header to Tomcat. You haven't provided the size you have set for LimitRequestFieldSize. At worst, you have to set the max possible token size on Windows and add the overhead for Base64. Enable request header logging, take the Base64 token and pass it to an ASN.1 decoder. If it fails, the token is incomplete; increase the limit.

Our setting is ./extra/httpd-vhosts.conf: LimitRequestFieldSize 32768 and we have a lot of groups, up to hundreds.
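The check the answer describes (log the Authorization header, Base64-decode the Negotiate token, run it through an ASN.1 decoder, and size LimitRequestFieldSize from the Windows MaxTokenSize plus Base64 overhead), written out as an added example. This is not code from the original post or from Spring Security Kerberos; the sample token, the `build_sample_token`/`sample_negotiate_header` helpers and the `check_negotiate_token` result layout are all constructed for this illustration. It only parses the outer GSS-API wrapper ([APPLICATION 0], tag 0x60) and its DER length, which is enough to tell a whole token from a truncated one, and it flags the case where the browser fell back to NTLM (a token starting with "NTLMSSP\0"), which carries no Kerberos ticket or PAC at all.

```python
import base64
import binascii
import re

# Apache's LimitRequestFieldSize applies to the whole header line, name included.
HEADER_PREFIX = "Authorization: Negotiate "

# Windows caps the Kerberos ticket (PAC included) at MaxTokenSize; 65535 is the
# registry maximum, current Windows versions default to 48000.
MAX_TOKEN_SIZE_LIMIT = 65535

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # OID 1.3.6.1.5.5.2, DER encoded


def base64_len(raw_len):
    """Base64 turns every 3 input bytes into 4 characters, padding the tail."""
    return 4 * ((raw_len + 2) // 3)


def required_limit_request_field_size(max_token_size=MAX_TOKEN_SIZE_LIMIT):
    """Smallest LimitRequestFieldSize that can carry a token of max_token_size bytes."""
    return len(HEADER_PREFIX) + base64_len(max_token_size)


def der_encode_length(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_decode_length(buf, pos):
    """Parse the DER length at buf[pos]; return (length, offset of the content)."""
    if pos >= len(buf):
        raise ValueError("token ends before the DER length field")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    if pos + 1 + n > len(buf):
        raise ValueError("token ends inside the DER length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def build_sample_token(filler_len=2000):
    """Constructed sample only: a GSS-API InitialContextToken shaped like a SPNEGO
    NegTokenInit (tag 0x60, SPNEGO OID, then a context tag whose zero-filled
    content stands in for the real Kerberos AP-REQ and its PAC)."""
    body = SPNEGO_OID + b"\xa0" + der_encode_length(filler_len) + bytes(filler_len)
    return b"\x60" + der_encode_length(len(body)) + body


def sample_negotiate_header(filler_len=2000, drop_chars=0):
    """Constructed sample header value; drop_chars > 0 simulates a token that was
    cut short before it reached the log."""
    b64 = base64.b64encode(build_sample_token(filler_len)).decode("ascii")
    if drop_chars:
        b64 = b64[:-drop_chars]
    return "Negotiate " + b64


def check_negotiate_token(header_value):
    """Decode a logged Authorization/Negotiate value and report whether the token
    arrived whole. 'complete' is None when the token is not a GSS-API token."""
    m = re.match(r"^\s*(?:Authorization:\s*)?Negotiate\s+([A-Za-z0-9+/=]+)\s*$",
                 header_value)
    if not m:
        raise ValueError("not a Negotiate header")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # re-pad a token chopped at a 4-char boundary
    try:
        tok = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return {"complete": False, "kind": "unknown", "declared": None,
                "received": None, "reason": "Base64 decode failed (cut mid-quantum?)"}
    if tok.startswith(b"NTLMSSP\x00"):
        return {"complete": None, "kind": "NTLM", "declared": None,
                "received": len(tok), "reason": "NTLM fallback, not a Kerberos token"}
    if not tok or tok[0] != 0x60:
        return {"complete": False, "kind": "unknown", "declared": None,
                "received": len(tok), "reason": "outer tag is not GSS-API [APPLICATION 0]"}
    try:
        length, content = der_decode_length(tok, 1)
    except ValueError as exc:
        return {"complete": False, "kind": "GSS-API", "declared": None,
                "received": len(tok), "reason": str(exc)}
    declared = content + length
    complete = declared == len(tok)
    return {"complete": complete, "kind": "GSS-API", "declared": declared,
            "received": len(tok),
            "reason": "declared length matches" if complete
            else "token truncated: %d of %d bytes" % (len(tok), declared)}


if __name__ == "__main__":
    print("LimitRequestFieldSize for MaxTokenSize 65535:", required_limit_request_field_size())
    print(check_negotiate_token(sample_negotiate_header()))
    print(check_negotiate_token(sample_negotiate_header(drop_chars=8)))
```

Run against a real header, paste the logged value (with or without the "Authorization:" name) into `check_negotiate_token`; a result with `declared` larger than `received` means the proxy or log cut the token, and `required_limit_request_field_size` gives the line length Apache must accept. For the default MaxTokenSize of 48000 that is 64025 bytes, so the LimitRequestFieldSize 32768 mentioned above only covers tokens up to roughly 24 KB of raw ticket.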
