RE: SOAP and the Web architecture

SAML problems with GET length is only because of having a browser binding. 
 Every articulation I heard was because of browser constraints, ne'er a 
server constraint to be seen.  Presumably if one used a better client 
library for connecting to servers, such as the case in non-browser/server 
cases, there would be a different but higher length restriction.

After some poking about on Apache, I found some interesting configuration 
items.  Of particular interest is the apparent 8k max on a URI length.  The 
documentation describes longer request lines as abnormal client request 
behavior ;-)

The fields are:
LimitRequestLine -defaults to 8190.  RequestLine is HTTP Method, URI, 
LimitRequestBody - defaults to unlimited, which is 2 GB or greater
LimitRequestFields - defaults to 100, max is 32k.  This is # of HTTP header 
LimitRequestFieldSize - defaults to 8190.  Field size is for a given HTTP 

It seems to me that Apache servers that are targetted to application cli  
ents could easily change 1 variable and much longer GET + URI requests 
could be allowed, especially given that at least 2 GB bodies are supported. 
  Surely a single default for Apache server can't be the reason for not 
using GET requests from non-browser client apps to servers.

Dave Orchard
Director, Architecture and Standards
BEA Systems

On Monday, August 27, 2001 8:48 PM, Scott Cantor [] 
> > Arguable. What spec. restricts the complexity of data sent
> > through GET?
> No spec, merely (nearly) every real world implementation.
> > I agree that there are various social
> > expectations that URIs be simple and short and also that
> > there may be some software that is poorly set up to handle
> > long complex ones. But I'm not sure how much of this problem
> > is really real and how much is merely expectation. Maybe if
> > SOAP pushed the limits a little we could find out what HTTP
> > software is really broken and fix it.
> Lots. Basically most browsers and servers, if "broken" equals "imposes a
> limit on URI length". Each is different, but many break at something
> like 1-2k.
> Various security efforts (SAML, Shibboleth, others) are hitting this
> problem when communicating credentials (ideally in signed XML) between
> servers across a redirect. The solutions so far amount to hacks and
> switching to POST.
> --------
>   Scott Cantor               So long, and thanks for all the fish.
>                  -- Douglas Adams, 1952-2001
>   Office of Info Tech        PGP KeyID   F22E 64BB 7D0D 0907 837E
>   The Ohio State Univ        0x779BE2CE  6137 D0BE 1EFA 779B E2CE

Received on Tuesday, 28 August 2001 03:33:13 UTC