We have our current platform set up with Akamai as the CDN, Apache as the web server, and AEM as the content tool. We had to do real-time ID verification through Signicat — which returned a huge SAML. When we get this huge amount of SAML and try to pass it to our server to parse, we always find bad SAML; it was getting truncated after a certain number of characters (around 7,800). My initial assumption was that the browser was restricting the size and hence truncating, causing a "400 — Bad request from the server" error. I searched on the internet and did not find any credible solution to my problem. After researching I found that this issue is a server-side issue, as most web servers restrict request the size to 8KB. Initially, I thought just aone server was restricting — but I realized that all three servers were. 

If your request gets truncated due to its large size and you get "400 — Bad request from the server," this means that your web server, proxy, or content server is not able to handle a large amount of data. You will not find any logs in your application, as it is a server configuration issue. You need to increase the size of the server request.

When we do a redirection from Java servlet through response.sendRedirect with a response size more than 8KB, the server trims the size to 8K. So, it is not possible to send a large amount of data.

Generally, we write the code like:

String paramValue= "whatever" ;
response.sendRedirect(url+"param="+paramValue) ;

...where paramValue > 8KB of the parameter is named param. url is where we want to redirect to. If the above code trims your response size, then do the following.

Solution 1

So, instead of doing a redirect at the server side, send the entire string back to the browser so that the browser can do a redirect. When the browser initiates, it does not trim the size.

String outstr="<html><script>window.location.;</script>";
response.getWriter().print(outstr);

When we return to the browser, it will act based on the script.

To avoid cross-scripting, it's good to take some protections like below.

String.getParameter("param");
if (param != null && param.toLowerCase().indexOf("script") != -1) {
 return;
}

This will make sure that if the value contains script tag for any malicious use, it will not allow proceeding further.

Solution 2

String outstr="<html><script>window.sessionStorage.param= '"+ paramValue+"';url';</script>";
response.getWriter().print(outstr);

Solution 1 will work better with mobile apps, as mobile apps open browsers internally and they can't read session storage from external browsers. For web apps, both will work.

Conclusion

Normally, all the web servers have a request size limit of 8KB. Those servers may have similar solutions to increase the size of the request. If you increase you request header size, this issue will be resolved.