If the Authorization header is too large for the application server, for example because the PAC of the Kerberos ticket carried in the SPNEGO token contains many group SIDs, the server's maximum request header size must be increased.
If the HSS properties file has jespa.log.level = 4 (or higher), Jespa will log the group count and the size of the Authorization header, for example:
Authn success: KRB5: SEBANK\hinves Header Size: 440 groups / 7101 bytes
For an explicit login, such as with a login form, there is no such header. However, Jespa does log an estimate of what the header size would be, for example:
Login success: KRB5: SEBANK\hinves Header Size: 440 groups / 7104 bytes (estimated)
This feature (or the Jespa example webapp) might be used to check a user's token size without triggering an error.
Each application server has its own directive for the maximum request header size. Below are examples for Tomcat and Jetty; adapt them as necessary for WildFly, Spring, etc.
If Tomcat logs "Request header is too large" errors, edit $CATALINA_BASE/conf/server.xml and modify the Connector element to include a maxHttpHeaderSize="32768" attribute.
For example, a typical Connector section for an HSS protected application might look like:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="32768"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="JKS"
                     certificateKeystoreFile="conf/jespa15.jks"
                     certificateKeystorePassword="jespa15"/>
    </SSLHostConfig>
</Connector>
If Jetty logs "Request header too large" errors, create or edit $JETTY_BASE/start.ini and add a line:
jetty.httpConfig.requestHeaderSize=32768
This property can also be set in other ways (such as part of an HttpConfiguration).
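As an added example (not part of the Jespa documentation or the Jespa product), the following Python script ties the two halves of this section together: it parses the "Header Size" log lines described above, reads the effective header limit from a Tomcat server.xml or a Jetty start.ini, and lists users whose Authorization header alone already approaches that limit. The sample log lines and configuration fragments are constructed for the example; the function names and the 80% margin are this example's own choices. The fallback of 8192 bytes is the documented default of both Tomcat's maxHttpHeaderSize and Jetty's requestHeaderSize.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the format Jespa logs at jespa.log.level = 4.
# The first two mirror the lines quoted above; the third is a made-up user
# whose token is close to a 32768-byte limit.
SAMPLE_LOG = """\
Authn success: KRB5: SEBANK\\hinves Header Size: 440 groups / 7101 bytes
Login success: KRB5: SEBANK\\hinves Header Size: 440 groups / 7104 bytes (estimated)
Authn success: KRB5: SEBANK\\jsmith Header Size: 1250 groups / 30512 bytes
"""

# Constructed fragment of a Tomcat server.xml: one Connector with the
# attribute from the example above, one left at Tomcat's default.
SAMPLE_SERVER_XML = """\
<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxHttpHeaderSize="32768" scheme="https" secure="true" SSLEnabled="true"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service>
"""

# Constructed Jetty start.ini fragment with the property from the example above.
SAMPLE_START_INI = """\
--module=http
jetty.httpConfig.requestHeaderSize=32768
"""

TOMCAT_DEFAULT_MAX_HEADER = 8192  # Tomcat's default maxHttpHeaderSize (bytes)
JETTY_DEFAULT_MAX_HEADER = 8192   # Jetty's default requestHeaderSize (bytes)

HEADER_RE = re.compile(
    r"^(?P<kind>Authn|Login) success: KRB5: (?P<user>\S+) Header Size: "
    r"(?P<groups>\d+) groups / (?P<bytes>\d+) bytes(?P<est> \(estimated\))?$"
)


def parse_header_sizes(log_text):
    """Extract user, group count and Authorization header size from Jespa log lines."""
    rows = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            rows.append({
                "user": m.group("user"),
                "groups": int(m.group("groups")),
                "bytes": int(m.group("bytes")),
                "estimated": m.group("est") is not None,
            })
    return rows


def tomcat_header_limits(server_xml):
    """Map each Connector's port to its effective maxHttpHeaderSize."""
    root = ET.fromstring(server_xml)
    limits = {}
    for conn in root.iter("Connector"):
        limits[conn.get("port")] = int(conn.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
    return limits


def jetty_header_limit(start_ini):
    """Effective requestHeaderSize from a Jetty start.ini (default if unset)."""
    for line in start_ini.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "jetty.httpConfig.requestHeaderSize":
            return int(value.strip())
    return JETTY_DEFAULT_MAX_HEADER


def users_at_risk(rows, limit, margin=0.8):
    """Users whose Authorization header alone uses >= margin of the limit.

    The server limit applies to the whole request header block (cookies,
    User-Agent, etc. included), so the Jespa figure is a lower bound on what
    the server sees; the margin leaves room for those other headers.
    """
    return sorted({r["user"] for r in rows if r["bytes"] >= margin * limit})


if __name__ == "__main__":
    rows = parse_header_sizes(SAMPLE_LOG)
    for port, limit in tomcat_header_limits(SAMPLE_SERVER_XML).items():
        print(f"Tomcat port {port} limit {limit}: at risk {users_at_risk(rows, limit)}")
    jl = jetty_header_limit(SAMPLE_START_INI)
    print(f"Jetty limit {jl}: at risk {users_at_risk(rows, jl)}")
```

Run it against a real Jespa log and the real server.xml or start.ini by replacing the constructed samples; a user flagged here is a candidate for a "Request header is too large" error before the error actually occurs, which is the check the logging feature above is meant to enable.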
See also: Problems with Kerberos authentication when a user belongs to many groups
See also: Logging on a user account that is a member of more than 1,010 groups may fail on a Windows Server-based computer