I'm implementing SPNEGO SSO authentication on a Linux Tomcat 7.0 installation and following the example at http://spnego.sourceforge.net/index.html fairly well. I passed the pre-flight checklist with flying colors and actually have it working with the 'BASIC' ticket in Firefox being passed back and forth.
However, when using the "Negotiate" Authorization header I'm getting the following error message in catalina.out:
INFO: Error parsing HTTP request header
This occurs with both IE and when simulating the request in soapUI. The response sent back to both is:
400 Bad Request
As I said, it is working in Firefox, but only partially, in that it prompts for a login there, then proceeds with the "Basic" authentication. (At least it does until I turn it off in the web.xml filter configs, so I know those configs are being read.)
I'm using the following enctypes:
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
I suspect it has something to do with the 256-bit encryption, but I did download the unrestricted encryption jars and put them into my Java lib/security folder as described in the following:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/jgss-features.html
However that did fix the issue (unless there is something there I am missing). I have searched extensively for the 'Error parsing...' HTTP error which shows up in the catalina.out file, but have not found the solution. The other settings (realm, domain, etc.) seem to be working fine, as I have modified them and gotten different, more specific errors.
Any ideas on the "INFO: Error parsing HTTP request header" error?
This is an internal corporate environment, and SSO has already been successfully implemented with httpd but we would like to move away from that to an all-tomcat solution.
This issue is usually caused by a corrupted cookie that is too long. Clear the cache and remove the cookies for websites that cause problems via the "3-bar" Firefox menu button (Options/Preferences). If clearing cookies didn't help then it is possible that the cookies.
The "Request header too large" message is thrown with an HTTP error code 400. This error occurs if the size of the request header has grown so large that it exceeds the maximum-allowed size. We recommend that you use the latest version of the SDK. Use at least version 3.
The HTTP 431 Request Header Fields Too Large response status code indicates that the server refuses to process the request because the request's HTTP headers are too long. The request may be resubmitted after reducing the size of the request headers.
Finally solved this issue. Turns out that the "Negotiate" Authorization header was pushing the size of the header over the default 8 KB max size in Tomcat, which resulted in the misleading error. (I would have thought a more useful error message would be something like "max header size reached".)
Anyway, I found the solution to be described in the following answer at serverfault.
https://serverfault.com/questions/56691/whats-the-maximum-url-length-in-tomcat
And for completeness:
<Connector port="8080" maxHttpHeaderSize="65536" protocol="HTTP/1.1" ... />
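As an added example (not the question's or the answer's own code, and not part of the SPNEGO project), the script below estimates whether a request carrying a base64-encoded Negotiate token of a given size fits within each Tomcat Connector's maxHttpHeaderSize, which is the failure the accepted answer describes. The server.xml fragment, host name and token bytes are constructed.

```python
"""Check whether a Tomcat Connector's maxHttpHeaderSize can hold a SPNEGO
Negotiate header.  Added example; the server.xml fragment and token are constructed."""
import base64
import os
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HEADER = 8192  # Tomcat's default maxHttpHeaderSize, in bytes

# Constructed server.xml fragment: one connector left at the default,
# one raised to 65536 as in the accepted answer.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536" SSLEnabled="true"/>
  </Service>
</Server>"""


def connector_limits(server_xml: str) -> dict:
    """Map each Connector port to its effective maxHttpHeaderSize."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
            for c in root.iter("Connector")}


def build_request_head(token: bytes, host: str = "app.example.corp") -> bytes:
    """Request line plus headers, as Tomcat must buffer them before parsing.
    The Negotiate value is the base64 of the raw SPNEGO token (4/3 expansion)."""
    b64 = base64.b64encode(token).decode("ascii")
    lines = [
        "GET /secure/ HTTP/1.1",
        f"Host: {host}",
        "User-Agent: constructed-client/1.0",
        f"Authorization: Negotiate {b64}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def check(server_xml: str, token: bytes) -> dict:
    """Return {port: True if the request head fits within that connector's limit}."""
    size = len(build_request_head(token))
    return {port: size <= limit for port, limit in connector_limits(server_xml).items()}


if __name__ == "__main__":
    # Constructed stand-in for a Kerberos ticket with a large PAC: 9000 raw bytes,
    # which becomes 12000 characters once base64-encoded into the header.
    fake_token = os.urandom(9000)
    for port, ok in check(SERVER_XML, fake_token).items():
        print(f"port {port}: {'fits' if ok else 'exceeds maxHttpHeaderSize -> 400 Bad Request'}")
```

Connectors not listed with an explicit maxHttpHeaderSize are reported at the 8192-byte default; the hard-coded default is an assumption about Tomcat 7 and should be confirmed against the installed version's Connector documentation.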