Users who are successfully authenticated but not authorized get a HTTP 500 error instead of the expected HTTP 403 "access denied" page.
The log shows the following error:
Our understanding: when a user is authenticated (via the SAML plugin in our environment) but not authorized, Jenkins generates a HTTP response header X-You-Are-In-Group for every group the user is member of. For users who are member of a large number of groups, this exceeds the total header size allowed by Jetty and causes a HTTP 500 error.
To allow users to see the expected "access denied" page, I suppose there should be some control on these X-You-Are-In-Group headers; or we should be able to set a larger value for ResponseHeaderSize in Jetty's HttpConfig (as is already possible for request header size)
Thanks in advance