Authentication flows involving AM/OpenAM fail.
The following error is shown in catalina.out when the request fails:
Nov 29, 2018 2:37:41 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
    at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:515)
    at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:504)
    at org.apache.coyote.http11.InternalInputBuffer.parseHeader(InternalInputBuffer.java:396)
    at org.apache.coyote.http11.InternalInputBuffer.parseHeaders(InternalInputBuffer.java:271)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1007)
The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file:
HTTP 400 - Bad Request
You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM/OpenAM (All versions)?
AM/OpenAM does not put a limit on token sizes. This issue can occur when the token being sent by the browser is bigger than the max header size specified in Tomcat's configuration file (server.xml). This can happen with authentication flows that utilize client-based sessions, since the session is stored in the cookie and transferred in the header (most browsers will prevent a cookie being larger than 4096 bytes per RFC 6265).
The default max header size in Tomcat is 8KB:
<Connector port="443" maxHttpHeaderSize="8192" protocol="HTTP/1.1" SSLEnabled="true"
The maxHttpHeaderSize attribute may not be present in the server.xml file, but still defaults to 8KB.
This issue can be resolved by increasing the max header size in Tomcat. You should increase it to a size that will accommodate your expected token sizes; examining network traffic using your browser's Developer Tools or capturing a HAR file when authentication fails can help you determine the size of the token being passed in the header. Otherwise, increasing it to 16KB is a good starting point; this is recommended as the minimum for client-based sessions in the documentation: Authentication and Single Sign-On Guide › Planning for Client-Based Sessions.
Increasing the header size may consume more memory; you should test this to determine the optimal size in your environment.
To increase max header size:
- Edit the server.xml file and amend the maxHttpHeaderSize value. If this attribute is not present, you should add it with the new value. For example, to increase it to 16KB:
<Connector port="443" maxHttpHeaderSize="16384" protocol="HTTP/1.1" SSLEnabled="true"
See Apache Tomcat 8 Configuration Reference for further information.
If you have a load balanced environment, you should ensure you have configured the HTTP headers size for the load balancer appropriately as well.
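To size maxHttpHeaderSize from a captured HAR file, as suggested above, the following added example (not part of the original article or of AM/OpenAM or Tomcat) estimates the request line plus header bytes of each request and reports those above a given limit, together with the largest header. The sample HAR, host name, path and cookie names are constructed for illustration; the size is an approximation of the HTTP/1.1 wire format.

```python
import json
import sys
from urllib.parse import urlsplit

TOMCAT_DEFAULT_MAX = 8192   # Tomcat default maxHttpHeaderSize (8KB), per the article
RAISED_MAX = 16384          # the 16KB starting point the article suggests

def header_block_size(request):
    """Approximate bytes of request line + headers as sent over HTTP/1.1."""
    parts = urlsplit(request["url"])
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    size = len(f"{request['method']} {target} HTTP/1.1\r\n".encode())
    for h in request.get("headers", []):
        if h["name"].startswith(":"):   # HTTP/2 pseudo-headers some browsers record
            continue
        size += len(f"{h['name']}: {h['value']}\r\n".encode())
    return size + 2                     # blank line that ends the header block

def oversized_requests(har, limit=TOMCAT_DEFAULT_MAX):
    """Return (url, total size, largest header, its value size) per request over limit."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        total = header_block_size(req)
        if total > limit:
            sizes = ((h["name"], len(h["value"].encode())) for h in req.get("headers", []))
            name, vlen = max(sizes, key=lambda item: item[1], default=("(request line)", 0))
            hits.append((req["url"], total, name, vlen))
    return hits

# Constructed sample HAR (not captured traffic); host, path and cookie names are made up.
_COOKIE = "exampleSession=" + "A" * 4090 + "; exampleOther=" + "B" * 4090
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://am.example.com/am/login?goto=home",
                 "headers": [{"name": "Host", "value": "am.example.com"}]}},
    {"request": {"method": "GET", "url": "https://am.example.com/am/login",
                 "headers": [{"name": "Host", "value": "am.example.com"},
                             {"name": "Cookie", "value": _COOKIE}]}},
]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:               # path to a real HAR file, if supplied
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for url, total, name, vlen in oversized_requests(har):
        print(f"{total} bytes > {TOMCAT_DEFAULT_MAX}: {url} (largest: {name}, {vlen} bytes)")
```

Run it against the default limit first, then against the value you plan to set, to confirm that the largest observed request fits with headroom.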