- Type: Suggestion
- Resolution: Fixed
- Component/s: Editor - Synchrony
Hello,
Summary:
The Web Server embedded in Confluence's Synchrony web server (Vertx/Netty?) seems to have a default HTTP header size limit of 8k.
This breaks Collaborative Editing for users signing in with Kerberos SSO if they are also members of a lot of Active Directory groups.
Proposed solution:
Synchrony should either increase the default header size limit to 32k, or at least make the default value configurable.
Background:
On Windows, Kerberos tickets will include information about group membership.
When a user is a member of an unusual number of groups (say 200), the encoded Kerberos ticket may grow larger than the maximum size allowed by default in Netty.
According to the following Netty Javadoc:
http://netty.io/4.0/api/io/netty/handler/codec/http/HttpRequestDecoder.html
Netty by default has a limit of 8k for headers.
We've seen large enterprise customers who could not use Collaborative Editing because of this problem.
We have updated our recommended Apache and Nginx config to remove any "Authorization:" headers for /synchrony paths.
However, since people don't read documentation, we would much prefer if Atlassian could simply increase the header size limit from 8k to 32k. 32k translates to 32768 bytes.
Eirik.
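
The reverse-proxy workaround mentioned in the report, sketched for nginx as an added example that is not part of the original report or of Atlassian's documentation. The hostname, both upstream addresses and the 32k buffer size are assumptions.

```nginx
# Added example; hostname, upstream addresses and buffer size are assumptions.
server {
    listen 80;                                   # TLS settings omitted here
    server_name confluence.example.com;          # placeholder hostname

    # nginx has its own limit: one request header line must fit in a single
    # buffer (default "4 8k"), so large Negotiate tokens need bigger buffers
    # here before SSO requests can reach Confluence at all.
    large_client_header_buffers 4 32k;

    location /synchrony {
        # An empty value stops nginx from passing the header upstream, so
        # the Kerberos ticket never counts against Synchrony's 8k limit.
        proxy_set_header Authorization "";

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Synchrony uses WebSockets, so keep the upgrade handshake intact.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_pass http://127.0.0.1:8091/synchrony;   # assumed Synchrony address
    }

    location / {
        # Confluence itself still receives Authorization for Kerberos SSO.
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8090;             # assumed Confluence address
    }
}
```

On Apache the same effect comes from `RequestHeader unset Authorization` (mod_headers) inside the `/synchrony` location.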
- is depended on by DEVHELP-717