Question

I'm implementing spnego sso authentication on a Linux tomcat 7.0 installation and following the example at: http://spnego.sourceforge.net/index.html fairly well. I passed the pre-flight checklist with flying colors and actually have it working with the 'BASIC' ticket in Firefox being passed back and forth.

However, when using the "Negotiate" Authorization header I'm getting the following error message in catalina.out:

INFO: Error parsing HTTP request header

This occurs with both IE and when simulating the request in soapUI. The response sent back to both is:

400 Bad Request

As I said, it is working in Firefox, but only partially in the fact that it prompts for a login there, then proceeds with the "Basic" authentication. (At least it does until I turn it off in the web.xml filter configs, so I know those configs are being read.)

I'm using the following enctypes:

default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5

I suspect it has something to do with the 256-bit encryption, but I did download the unrestricted encryption jars and put them into my java lib/security folder as described in the following:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/jgss-features.html

However that did fix the issue (unless there is something there I am missing). I have searched extensively for the 'Error parsing...' http error which shows up in the catalina.out file, but have not found the solution. The other settings (realm, domain, etc) seem to be working fine as I have modified them and gotten different more specific errors.

Any ideas on the INFO: Error parsing HTTP request header error?

This is an internal corporate environment, and SSO has already been successfully implemented with httpd but we would like to move away from that to an all-tomcat solution.


Solution

Finally solved this issue. Turns out that the "Negotiate" Authorization header was pushing the size of the header over the default 8kb max size in Tomcat, which resulted in the misleading error. (I would have thought a more useful error message would be something like "max header size reached")

Anyway, I found the solution to be described in the following answer at serverfault.

https://serverfault.com/questions/56691/whats-the-maximum-url-length-in-tomcat

And for completeness:

<Connector port="8080" maxHttpHeaderSize="65536" protocol="HTTP/1.1" ... />
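As an added illustration of the diagnosis in this answer (not code from the question, the answer, or the spnego project), the script below builds a request carrying an "Authorization: Negotiate" header, measures the request-line-plus-headers block the way a server would buffer it, and compares it with Tomcat's default 8192-byte maxHttpHeaderSize. The host name, path and SPNEGO token are constructed stand-ins; real Kerberos tickets are commonly several kilobytes once base64-encoded, which is exactly how the header block ends up over the default limit.

```python
import base64
from typing import Dict, Tuple

# Tomcat's default for the Connector attribute maxHttpHeaderSize, in bytes.
TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE = 8192


def build_request(host: str, path: str, token: bytes) -> bytes:
    """Build a minimal GET request carrying an 'Authorization: Negotiate' header.

    The token is base64-encoded as a browser would do for a SPNEGO token.
    """
    b64 = base64.b64encode(token).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: Negotiate {b64}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_block_size(raw_request: bytes) -> int:
    """Bytes from the start of the request line through the blank line that ends
    the headers. This is the part of the request that the server must buffer
    before it can parse any header, and the part maxHttpHeaderSize caps."""
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("request has no end-of-headers marker")
    return end + len(b"\r\n\r\n")


def largest_header(raw_request: bytes) -> Tuple[str, int]:
    """Return (name, size-in-bytes) of the biggest header line, to show which
    header is responsible for the size."""
    head = raw_request[: raw_request.find(b"\r\n\r\n")]
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    sizes = [(line.split(b":", 1)[0].decode("ascii"), len(line)) for line in header_lines]
    return max(sizes, key=lambda item: item[1])


def check_header_budget(
    raw_request: bytes, max_http_header_size: int = TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE
) -> Dict[str, object]:
    """Report whether the header block fits within a given maxHttpHeaderSize."""
    size = header_block_size(raw_request)
    name, hsize = largest_header(raw_request)
    return {
        "header_block_bytes": size,
        "limit_bytes": max_http_header_size,
        "exceeds_limit": size > max_http_header_size,
        "largest_header": name,
        "largest_header_bytes": hsize,
    }


# Constructed sample: 9216 deterministic bytes standing in for a Kerberos
# service ticket inside a SPNEGO token (base64 grows it to 12288 characters).
SAMPLE_TOKEN = bytes(range(256)) * 36
SAMPLE_REQUEST = build_request("app.example.internal", "/secure/", SAMPLE_TOKEN)

if __name__ == "__main__":
    # Against the default limit the request is rejected; against the value
    # from the answer (65536) it fits.
    print(check_header_budget(SAMPLE_REQUEST))
    print(check_header_budget(SAMPLE_REQUEST, 65536))
```

Running it against a captured request (for instance one saved from soapUI) tells you how far over the budget the Negotiate header is, so the Connector's maxHttpHeaderSize can be raised to a value sized to the tickets actually seen rather than an arbitrarily large one; the same measurement explains why Basic authentication, whose header is a few dozen bytes, never hit the limit.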
Licensed under: CC-BY-SA with attribution