
Users who are successfully authenticated but not authorized get an HTTP 500 error instead of the expected HTTP 403 "access denied" page.

The log shows the following error:

header full: java.lang.RuntimeException: Header>6144

Our understanding: when a user is authenticated (via the SAML plugin in our environment) but not authorized, Jenkins generates an HTTP response header X-You-Are-In-Group for every group the user is a member of. For users who are members of a large number of groups, this exceeds the total header size allowed by Jetty and causes an HTTP 500 error.

To allow users to see the expected "access denied" page, I suppose there should be some control on these X-You-Are-In-Group headers; or we should be able to set a larger value for ResponseHeaderSize in Jetty's HttpConfig (as is already possible for request header size).

Thanks in advance
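An added estimate, not part of this issue or of Jenkins/Jetty code, of how many X-You-Are-In-Group headers fit under the 6144-byte limit quoted in the log; the exact wire format of the header and the set of other response headers are assumptions.

```python
"""Estimate when per-group response headers overflow Jetty's response header buffer.

Assumptions (not taken from the issue): each group is emitted as
"X-You-Are-In-Group: <group>\r\n", and the remaining response headers
are the small constructed set in BASE_HEADERS. The 6144-byte limit is
the value from the logged "Header>6144" error.
"""

JETTY_RESPONSE_HEADER_LIMIT = 6144  # from the logged error "Header>6144"

# Constructed sample of the other headers on the 403 response (assumption).
BASE_HEADERS = [
    "HTTP/1.1 403 Forbidden",
    "Content-Type: text/html;charset=utf-8",
    "X-Content-Type-Options: nosniff",
    "Cache-Control: no-cache,no-store,must-revalidate",
]


def group_header(group: str) -> bytes:
    """One per-group header line as assumed on the wire (CRLF-terminated)."""
    return f"X-You-Are-In-Group: {group}\r\n".encode()


def header_block_size(groups, base_headers=BASE_HEADERS) -> int:
    """Total bytes of the status line plus all headers, including the blank-line terminator."""
    size = sum(len(h.encode()) + 2 for h in base_headers)  # +2 for CRLF per line
    size += sum(len(group_header(g)) for g in groups)
    return size + 2  # CRLF ending the header block


def exceeds_limit(groups, limit=JETTY_RESPONSE_HEADER_LIMIT, base_headers=BASE_HEADERS) -> bool:
    """True when the response headers for this group list would trip the Jetty limit."""
    return header_block_size(groups, base_headers) > limit


def max_groups_that_fit(groups, limit=JETTY_RESPONSE_HEADER_LIMIT, base_headers=BASE_HEADERS) -> int:
    """How many groups (in the given order) can be emitted before the block exceeds the limit."""
    count = 0
    for _ in groups:
        if header_block_size(groups[:count + 1], base_headers) > limit:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed group names of uniform length, e.g. "ldap-group-042".
    sample_groups = [f"ldap-group-{i:03d}" for i in range(300)]
    print("groups that fit:", max_groups_that_fit(sample_groups))
```

Feed it the real group list for an affected user to see how far over the limit that user's response would be.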

Assignee: Unassigned
Reporter: Alex Lossent
Archiver: Jenkins Service Account
