ForgeRock Identity Platform
Does not apply to Identity Cloud

AM (All versions) Login flow fails with java.lang.IllegalArgumentException: Request header too large

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if you encounter a "java.lang.IllegalArgumentException: Request header is too large" error when authentication flows fail. You may also see an HTTP 400 - Bad Request response. This issue occurs when AM is deployed on Apache Tomcat™.


Authentication flows involving AM fail.

The following error is shown in catalina.out when the request fails:

Nov 29, 2018 2:37:41 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
    at org.apache.coyote.http11.InternalInputBuffer.fill(
    at org.apache.coyote.http11.InternalInputBuffer.fill(
    at org.apache.coyote.http11.InternalInputBuffer.parseHeader(
    at org.apache.coyote.http11.InternalInputBuffer.parseHeaders(
    at org.apache.coyote.http11.AbstractHttp11Processor.process(

The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file:

HTTP 400 - Bad Request

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM?

Recent Changes



AM does not put a limit on token sizes. This issue can occur when the token being sent by the browser is bigger than the max header size specified in Tomcat's configuration file (server.xml). This can happen with authentication flows that utilize client-side sessions, since the session is stored in the cookie and transferred in the header (most browsers will prevent a cookie being larger than 4096 bytes per RFC 6265).

The default max header size in Tomcat is 8KB:

<Connector port="443" maxHttpHeaderSize="8192" protocol="HTTP/1.1" SSLEnabled="true"

The maxHttpHeaderSize attribute may not be present in the server.xml file, but still defaults to 8KB.


This issue can be resolved by increasing the max header size in Tomcat. You should increase it to a size that will accommodate your expected token sizes; examining network traffic using your browser's Developer Tools or capturing a HAR file when authentication fails can help you determine the size of the token being passed in the header. Otherwise, increasing it to 16KB is a good starting point; this is recommended as the minimum for client-side sessions in the documentation: Configure client-side sessions.


Increasing the header size may consume more memory; you should test this to determine the optimal size in your environment.

To increase max header size:

  1. Edit the server.xml file and amend the maxHttpHeaderSize value, for example, to increase it to 16KB:

     <Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"

     If this attribute is not present, you should add it with the new value.

See Apache Tomcat 8 Configuration Reference for further information.
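To size maxHttpHeaderSize from a captured HAR file as suggested above, the following added example (not ForgeRock or Tomcat code) estimates the HTTP/1.1 request line plus headers for each HAR entry and compares it with the effective Connector limit read from server.xml. The host name, cookie names and sample data are constructed, and the size is an estimate of what the browser sent, not a value reported by Tomcat.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TOMCAT_DEFAULT = 8192  # the article's stated default when the attribute is absent

def connector_limits(server_xml):
    """Map each Connector port to its effective maxHttpHeaderSize in bytes."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT))
            for c in root.iter("Connector")}

def header_bytes(request):
    """Estimate request line plus headers as sent over HTTP/1.1."""
    u = urlsplit(request["url"])
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    lines = [f"{request['method']} {target} HTTP/1.1"]
    lines += [f"{h['name']}: {h['value']}" for h in request["headers"]]
    return len("\r\n".join(lines).encode("utf-8")) + 4  # closing CRLF CRLF

def oversized(har, limit):
    """Return (url, size, largest header name) for requests above the limit."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        size = header_bytes(req)
        if size > limit:
            biggest = max(req["headers"], key=lambda h: len(h["value"]))
            hits.append((req["url"], size, biggest["name"]))
    return hits

# Constructed sample input: a server.xml without the attribute, and a HAR
# (already parsed from JSON) whose second request carries three large cookies.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""
COOKIES = "; ".join(f"c{i}=" + "A" * 3000 for i in range(3))
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://am.example.com/am/XUI/",
                 "headers": [{"name": "Host", "value": "am.example.com"}]}},
    {"request": {"method": "GET", "url": "https://am.example.com/am/console",
                 "headers": [{"name": "Host", "value": "am.example.com"},
                             {"name": "Cookie", "value": COOKIES}]}},
]}}

if __name__ == "__main__":
    limit = connector_limits(SERVER_XML)["443"]
    for url, size, name in oversized(SAMPLE_HAR, limit):
        print(f"{size} bytes > {limit}: {url} (largest header: {name})")
```

For a real capture, load the file with json.load and pass the result to oversized(); the largest size reported across the failing flow is the figure the new limit has to accommodate.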


If you have a load-balanced environment, you should ensure the HTTP header size limit on the load balancer is configured appropriately as well.

See Also

WDSSO/Kerberos authentication fails in AM (All versions) with an HTTP 400 Bad Request response

Authentication fails with IDM 6.x integrated with AM when session-jwt cookie size exceeds browser limits

FAQ: Cookies in AM

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.