Limit the size of WebSEAL-generated HTTP headers

We can limit the size of WebSEAL-generated HTTP headers inserted in requests to junctioned back-end servers so they are not too large. The max-webseal-header-size stanza entry in the [junction] stanza of the WebSEAL configuration file specifies the maximum size, in bytes, of WebSEAL-generated HTTP headers. A value of 0 disables this function:

[junction]
max-webseal-header-size = 0

The max-webseal-header-size entry does not limit the maximum size of HTTP-Tag-Value headers. This stanza entry can be useful if a back-end application server rejects WebSEAL-generated HTTP headers because they are too large. For example, an iv-creds header for a user that belongs in many groups might be too large. When configured, this stanza entry causes WebSEAL-generated headers that exceed the maximum value to split across multiple headers. The following example output from a CGI application illustrates the effect of split headers:

HTTP_IV_CREDS_1=Version=1, BAKs3DCCBnMMADCCBm0wggZpAgIDkDCCAYUwKzA
HTTP_IV_CREDS_2=+0+8eAgI8iAICEdYCAgCkAgFUBAaSVNCJqncMOWNuPXNlY21==
HTTP_IV_CREDS_SEGMENTS=2

If we enable this function, modify the back-end application to recognize split headers, instead of standard WebSEAL-specific HTTP headers.

Parent topic: Single Sign-on Solutions