
AM/OpenAM (All versions) Login flow fails with java.lang.IllegalArgumentException: Request header too large

Last updated Jan 4, 2019

The purpose of this article is to provide assistance if authentication flows fail with a "java.lang.IllegalArgumentException: Request header is too large" error. You may also see an HTTP 400 - Bad Request response. This issue occurs when AM/OpenAM is deployed on Apache Tomcat™.


Symptoms

Authentication flows involving AM/OpenAM fail.

The following error is shown in catalina.out when the request fails:

Nov 29, 2018 2:37:41 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
   at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:515)
   at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:504)
   at org.apache.coyote.http11.InternalInputBuffer.parseHeader(InternalInputBuffer.java:396)
   at org.apache.coyote.http11.InternalInputBuffer.parseHeaders(InternalInputBuffer.java:271)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1007)

The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file: 

HTTP 400 - Bad Request

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM/OpenAM (All versions)?

Recent Changes

N/A

Causes

AM/OpenAM does not put a limit on token sizes. This issue can occur when the token sent by the browser is larger than the maximum header size specified in Tomcat's configuration file (server.xml). This can happen with authentication flows that use client-based sessions, since the session is stored in the cookie and transferred in the header (most browsers will prevent a cookie being larger than 4096 bytes per RFC 6265).

The default max header size in Tomcat is 8KB:

<Connector port="443" maxHttpHeaderSize="8192" protocol="HTTP/1.1" SSLEnabled="true"

The maxHttpHeaderSize attribute may not be present in the server.xml file, but still defaults to 8KB.

Solution

This issue can be resolved by increasing the max header size in Tomcat. You should increase it to a size that will accommodate your expected token sizes; examining network traffic using your browser's Developer Tools or capturing a HAR file when authentication fails can help you determine the size of the token being passed in the header. Otherwise, increasing it to 16KB is a good starting point; this is recommended as the minimum for client-based sessions in the documentation: Authentication and Single Sign-On Guide › Planning for Client-Based Sessions.

Caution

Increasing the header size may consume more memory; you should test this to determine the optimal size in your environment.

To increase max header size:

  1. Edit the server.xml file and amend the maxHttpHeaderSize value, for example, to increase it to 16KB:
    <Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"

    If this attribute is not present, you should add it with the new value.

See Apache Tomcat 8 Configuration Reference for further information.

Note

If you have a load balanced environment, you should ensure you have configured the HTTP headers size for the load balancer appropriately as well.
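
One way to size the value from evidence rather than guesswork is to compare the headers recorded in a HAR capture against each Connector's effective limit. This is an added example, not ForgeRock's code; the server.xml snippet, hostnames, paths and cookie values are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT = 8192  # default cited in the article when the attribute is absent

def connector_limits(server_xml):
    """Map each Connector port to its effective maxHttpHeaderSize in bytes."""
    return {c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT))
            for c in ET.fromstring(server_xml).iter("Connector")}

def header_bytes(req):
    """Approximate size of request line plus headers for one HAR request.
    HAR stores the full URL, so this slightly overestimates the wire size."""
    line = f'{req["method"]} {req["url"]} {req.get("httpVersion", "HTTP/1.1")}\r\n'
    heads = "".join(f'{h["name"]}: {h["value"]}\r\n' for h in req["headers"])
    return len((line + heads + "\r\n").encode("utf-8"))

def oversized(har, limit):
    """Return (url, header_bytes, cookie_bytes) for requests above the limit."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        cookie = sum(len(h["value"].encode("utf-8")) for h in req["headers"]
                     if h["name"].lower() == "cookie")
        total = header_bytes(req)
        if total > limit:
            hits.append((req["url"], total, cookie))
    return hits

# Constructed sample data (not from the article): hosts, paths and cookies are made up.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""
COOKIES = "s1=" + "A" * 3000 + "; s2=" + "B" * 3000 + "; s3=" + "C" * 3000
HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://am.example.com/openam/",
                 "httpVersion": "HTTP/1.1",
                 "headers": [{"name": "Host", "value": "am.example.com"}]}},
    {"request": {"method": "GET", "url": "https://am.example.com/openam/login",
                 "httpVersion": "HTTP/1.1",
                 "headers": [{"name": "Host", "value": "am.example.com"},
                             {"name": "Cookie", "value": COOKIES}]}},
]}}

if __name__ == "__main__":
    for port, limit in connector_limits(SERVER_XML).items():
        for url, total, cookie in oversized(HAR, limit):
            print(f"port {port}: {url} sends {total} header bytes "
                  f"({cookie} in Cookie), limit is {limit}")
```

For a real capture, load the HAR file with json.load and pass the contents of your own server.xml; the largest header size reported is the figure to size maxHttpHeaderSize against.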

See Also

WDSSO/Kerberos authentication fails in AM/OpenAM (All versions) with an HTTP 400 Bad Request response

Authentication fails with IDM (All versions) integrated AM when session-jwt cookie size exceeds browser limits

FAQ: Cookies in AM/OpenAM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9365 (Social authentication + Stateless fails if stateless token is too big)



Copyright © 2019 ForgeRock, all rights reserved.