Since reviewers could not agree on a way to cap group headers, simply omitting...

Since reviewers could not agree on a way to cap group headers, simply omitting them altogether by default.
Test still reproduces the original issue when flag is set on:
… org.eclipse.jetty.server.HttpChannel$CommitCallback failed
WARNING: Commit failed
java.io.IOException: Response header too large
	at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:402)
	at org.eclipse.jetty.server.HttpConnection$SendCallback.process(HttpConnection.java:655)
	at …
	at hudson.security.AccessDeniedHandlerImpl.handle(AccessDeniedHandlerImpl.java:57)
	at …
Caused by: java.nio.BufferOverflowException
	at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:189)
	at java.nio.ByteBuffer.put(ByteBuffer.java:859)
	at org.eclipse.jetty.http.HttpGenerator.putTo(HttpGenerator.java:1087)
	at org.eclipse.jetty.http.HttpGenerator.generateHeaders(HttpGenerator.java:705)
	at org.eclipse.jetty.http.HttpGenerator.generateResponse(HttpGenerator.java:387)
	... 66 more
java.lang.AssertionError: expected:<403> but was:<500>
	at org.junit.Assert.fail(Assert.java:88)
	at org.junit.Assert.failNotEquals(Assert.java:834)
	at org.junit.Assert.assertEquals(Assert.java:645)
	at org.junit.Assert.assertEquals(Assert.java:631)
	at hudson.security.AccessDeniedException2Test.youAreInGroupHeaders(AccessDeniedException2Test.java:56)

core/src/main/java/hudson/security/AccessDeniedException2.java

@@ -6,6 +6,7 @@ import org.acegisecurity.GrantedAuthority;
 
 import javax.servlet.http.HttpServletResponse;
 import java.io.PrintWriter;
+import jenkins.util.SystemProperties;
 
 /**
  * {@link AccessDeniedException} with more information.
@@ -13,7 +14,8 @@ import java.io.PrintWriter;
  */
 public class AccessDeniedException2 extends AccessDeniedException {
 
-    private static final int MAX_REPORTED_AUTHORITIES = 10;
+    /** If true, report {@code X-You-Are-In-Group} headers. Disabled due to JENKINS-39402; use {@code /whoAmI} etc. to diagnose permission issues. */
+    private static /* not final */ boolean REPORT_GROUP_HEADERS = SystemProperties.getBoolean(AccessDeniedException2.class.getName() + ".REPORT_GROUP_HEADERS");
 
     /**
      * This object represents the user being authenticated.
@@ -41,13 +43,9 @@ public class AccessDeniedException2 extends AccessDeniedException {
      */
     public void reportAsHeaders(HttpServletResponse rsp) {
         rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName());
-        GrantedAuthority[] authorities = authentication.getAuthorities();
-        for (int i = 0; i < authorities.length; i++) {
-            if (i == MAX_REPORTED_AUTHORITIES) {
-                rsp.addHeader("X-You-Are-In-Group", "<" + (authorities.length - i) + " more>");
-                break;
-            } else {
-                rsp.addHeader("X-You-Are-In-Group", authorities[i].getAuthority());
+        if (REPORT_GROUP_HEADERS) {
+            for (GrantedAuthority auth : authentication.getAuthorities()) {
+                rsp.addHeader("X-You-Are-In-Group",auth.getAuthority());
             }
         }
         rsp.addHeader("X-Required-Permission", permission.getId());

test/src/test/java/hudson/security/AccessDeniedException2Test.java

@@ -25,11 +25,7 @@
 package hudson.security;
 
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
 import java.net.HttpURLConnection;
-import java.util.ArrayList;
-import java.util.List;
-import org.hamcrest.Matchers;
 import static org.junit.Assert.*;
 import org.junit.Rule;
 import org.junit.Test;
@@ -54,19 +50,10 @@ public class AccessDeniedException2Test {
         r.jenkins.setSecurityRealm(realm);
         r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
         try {
-            r.createWebClient().login("user").goTo("confgure");
+            r.createWebClient().login("user");
             fail("should not have been allowed to access anything");
         } catch (FailingHttpStatusCodeException x) {
             assertEquals(HttpURLConnection.HTTP_FORBIDDEN, x.getStatusCode());
-            List<String> reportedGroups = new ArrayList<>();
-            for (NameValuePair header : x.getResponse().getResponseHeaders()) {
-                if (header.getName().equals("X-You-Are-In-Group")) {
-                    reportedGroups.add(header.getValue());
-                }
-            }
-            assertThat("capped at a reasonable number", reportedGroups, Matchers.<List<String>>allOf(
-                Matchers.<String>hasSize(11), // 10 groups plus final warning
-                Matchers.<String>hasItem("<991 more>"))); // 1000 + SecurityRealm.AUTHENTICATED_AUTHORITY.getAuthority() - 10
         }
     }