RE: SOAP and the Web architecture

SAML problems with GET length are only because of having a browser binding. 
Every articulation I heard was because of browser constraints, ne'er a 
server constraint to be seen.  Presumably if one used a better client 
library for connecting to servers, such as the case in non-browser/server 
cases, there would be a different but higher length restriction.

After some poking about on Apache, I found some interesting configuration 
items.  Of particular interest is the apparent 8k max on a URI length.  The 
documentation describes longer request lines as abnormal client request 
behavior ;-)

The fields are:
LimitRequestLine - defaults to 8190.  RequestLine is HTTP Method, URI, Protocol
LimitRequestBody - defaults to unlimited, which is 2 GB or greater
LimitRequestFields - defaults to 100, max is 32k.  This is # of HTTP header fields
LimitRequestFieldSize - defaults to 8190.  Field size is for a given HTTP header

It seems to me that Apache servers that are targeted to application 
clients could easily change 1 variable and much longer GET + URI requests 
could be allowed, especially given that at least 2 GB bodies are supported. 
Surely a single default for Apache server can't be the reason for not 
using GET requests from non-browser client apps to servers.

Cheers,
Dave Orchard
Director, Architecture and Standards
BEA Systems


On Monday, August 27, 2001 8:48 PM, Scott Cantor [SMTP:cantor.2@osu.edu] 
wrote:
> > Arguable. What spec. restricts the complexity of data sent
> > through GET?
>
> No spec, merely (nearly) every real world implementation.
>
> > I agree that there are various social
> > expectations that URIs be simple and short and also that
> > there may be some software that is poorly set up to handle
> > long complex ones. But I'm not sure how much of this problem
> > is really real and how much is merely expectation. Maybe if
> > SOAP pushed the limits a little we could find out what HTTP
> > software is really broken and fix it.
>
> Lots. Basically most browsers and servers, if "broken" equals "imposes a
> limit on URI length". Each is different, but many break at something
> like 1-2k.
>
> Various security efforts (SAML, Shibboleth, others) are hitting this
> problem when communicating credentials (ideally in signed XML) between
> servers across a redirect. The solutions so far amount to hacks and
> switching to POST.
>
> --------
>   Scott Cantor               So long, and thanks for all the fish.
>   cantor.2@osu.edu                  -- Douglas Adams, 1952-2001
>   Office of Info Tech        PGP KeyID   F22E 64BB 7D0D 0907 837E
>   The Ohio State Univ        0x779BE2CE  6137 D0BE 1EFA 779B E2CE

Received on Tuesday, 28 August 2001 03:33:13 UTC
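
An added example, not part of the original message: a pre-flight check that models a GET request against the Apache limits listed above, to see when an XML credential carried in the URI stops fitting under the default LimitRequestLine and how raising that one directive changes the result. The `/acs` path, the `cred` parameter, the base64-in-query encoding and the sample XML are assumptions made for illustration, and the size comparison is a simplified model of the server's check.

```python
import base64
from urllib.parse import quote

# Apache defaults as quoted in the message above.
LIMITS = {"LimitRequestLine": 8190, "LimitRequestFields": 100,
          "LimitRequestFieldSize": 8190}

def check_request(method, uri, headers, limits=LIMITS, protocol="HTTP/1.1"):
    """Return (directive, observed, limit) for each limit the request exceeds.

    Simplified model: sizes are counted in bytes, without the trailing CRLF.
    """
    exceeded = []
    # Request line = HTTP method, URI, protocol.
    line = f"{method} {uri} {protocol}".encode()
    if len(line) > limits["LimitRequestLine"]:
        exceeded.append(("LimitRequestLine", len(line),
                         limits["LimitRequestLine"]))
    # Number of header fields in the request.
    if len(headers) > limits["LimitRequestFields"]:
        exceeded.append(("LimitRequestFields", len(headers),
                         limits["LimitRequestFields"]))
    # Size of each individual header field.
    for name, value in headers:
        size = len(f"{name}: {value}".encode())
        if size > limits["LimitRequestFieldSize"]:
            exceeded.append(("LimitRequestFieldSize", size,
                             limits["LimitRequestFieldSize"]))
    return exceeded

def credential_uri(xml_bytes, path="/acs", param="cred"):
    """Hypothetical carrier: base64 the XML, percent-encode it, put it in the query."""
    return f"{path}?{param}=" + quote(base64.b64encode(xml_bytes), safe="")

if __name__ == "__main__":
    headers = [("Host", "sp.example.org")]  # constructed sample header
    for size in (1000, 10000):
        xml = b"<Assertion>" + b"A" * size + b"</Assertion>"  # constructed sample
        uri = credential_uri(xml)
        print(size, len(uri), check_request("GET", uri, headers))
    # Same 10000-byte credential with only LimitRequestLine raised.
    raised = dict(LIMITS, LimitRequestLine=65536)
    print(check_request("GET", uri, headers, raised))
```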