CAS5 how large for tomcat maxHttpHeaderSize

Duane Booher

Oct 31, 2017, 6:09:22 PM
to CAS Community
Hi, we were noticing 

server.tomcat.maxHttpHeaderSize=20971520 in

and server.tomcat.maxHttpPostSize=20971520 in

This seems a bit excessive. How large are people configuring the tomcat server.xml maxHttpHeaderSize?

Thanks,
Duane

David Curry

Nov 1, 2017, 8:20:44 AM
to cas-...@apereo.org

Tomcat's default value for maxPostSize is 2097152, so that's "normal." (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html)

Tomcat's default value for maxHttpHeaderSize is 8192 (see same link, above), but the CAS documentation for configuring the server as a SAML2 IdP recommends setting it to 2097152 as well, so that's probably why it is that way. (https://apereo.github.io/cas/development/installation/Configuring-SAML2-Authentication.html#server-configuration)

I would guess that if you're not using the SAML2 IdP functionality, you could put maxHttpHeaderSize back down to 8192 or whatever, but as they say, YMMV.

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/367058ff-b38a-43ac-af96-d712c91b1e99%40apereo.org.

Duane Booher

Nov 1, 2017, 9:58:12 AM
to CAS Community

Thank you for that explanation. Our original CAS4 setting was maxHttpHeaderSize="16384", but after the CAS5 upgrade that failed right away as it was too small.

Then we did go to the CAS5 documentation setting that I reference below, and recently we were questioning the value of the setting. We have not tried to shrink for alternate smaller values.

We are actually running CAS 5.0.5 at the moment, if you see my other posts then you will see why.

BTW – you have a great CAS5 deployment site: https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

If people have not seen this, then they should definitely check it out!!!

Duane Booher

Northern Arizona University
