 

ALLOW_ENCODED_SLASH on AWS Elasticbeanstalk

How should I configure my ElasticBeanstalk on AWS to allow encoded slashes in URLs? (Using -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true)

I've created a directory called .ebextensions with a file tomcat.config in the top-level directory of my source bundle (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html) with the content:

commands:
  allow-encoded-slash:
    command: export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
    cwd: /home/ec2-user

But it seems to have no effect; it doesn't appear in these dirs:

ls -la /tmp/deployment/application/ROOT/
ls -la /var/lib/tomcat7/webapps/ROOT/ 
ilopezluna asked Nov 03 '22 19:11


2 Answers

We also tried to set the ALLOW_ENCODED_SLASH system property through the Edit Configuration dialog in the Elastic Beanstalk console. But, although the property seems to be present, Tomcat still doesn't let us use encoded slashes (%2F).

We think the ALLOW_ENCODED_SLASH system property is properly set because:

1) We see that property in the java command that starts Tomcat:

/usr/lib/jvm/jre/bin/java -DAWS_ACCESS_KEY_ID= -DAWS_SECRET_KEY= -DJDBC_CONNECTION_STRING= -DPARAM1= -DPARAM2= -DPARAM3= -DPARAM4= -DPARAM5= -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dhazelcast.native.client=true -Dcom.sun.management.jmxremote -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8765 -XX:MaxPermSize=256m -Xmx1024m -Xms256m -classpath :/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat7/temp -Djava.util.logging.config.file=/usr/share/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

2) And because we also get "true" when executing this from our web application:

System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH")

Does anyone know why Tomcat is still rejecting encoded slashes?

For example, this URL should return a JSON saying "Application not found: A/1":

http://our-site/campaigns/application/A%2F1/udid/U1

But, instead, it says:

The requested URL /v1/campaigns/application/A/1/udid/U1 was not found on this server.

It's strange because we have tried the ALLOW_ENCODED_SLASH system property in a local Tomcat and it works fine.

Lately we tried another property. This one works both in my local Tomcat and in AWS:

org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH

I'm completely puzzled... :-/

Ferran Maylinch answered Nov 09 '22 05:11


An ElasticBeanstalk has an Apache (I guess for the Load Balancer) in front of Tomcat, so it is the first one to receive a request, and that is where it must be indicated that slashes must not be decoded.

In order to get this, we have used this virtualhost:

<VirtualHost *:80>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass / http://localhost:8080/ retry=0
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost on
  AllowEncodedSlashes NoDecode
  LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
  ErrorLog /var/log/httpd/elasticbeanstalk-error_log
  TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>

This URL is helpful for configuring an EBS and its Apache: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html

ilopezluna answered Nov 09 '22 04:11
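
The effect of the proxy setting in the answer above, as an added example that is not part of the original posts: a simplified Python model of Apache's three AllowEncodedSlashes values placed in front of a hypothetical back-end router, run on the request path from the question. The function names, the router and the `safe_for_filesystem` check are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)

def front_end(raw_path, allow_encoded_slashes):
    """Simplified model of Apache's AllowEncodedSlashes directive.

    Returns the path handed to the back end, or None for a 404.
    """
    has_slash = ENCODED_SLASH.search(raw_path) is not None
    if allow_encoded_slashes == "Off":        # Apache default: refuse with 404
        return None if has_slash else raw_path
    if allow_encoded_slashes == "On":         # accepted, %2F decoded to "/"
        return ENCODED_SLASH.sub("/", raw_path)
    if allow_encoded_slashes == "NoDecode":   # accepted, %2F left encoded
        return raw_path
    raise ValueError(allow_encoded_slashes)

def route(path):
    """Hypothetical router for /campaigns/application/{app}/udid/{udid}.

    Splits on literal "/" first, then percent-decodes each segment, so an
    encoded slash that survives the proxy stays inside one path variable.
    """
    if path is None:
        return None
    seg = [unquote(s) for s in path.split("/") if s]
    if (len(seg) == 5 and seg[:2] == ["campaigns", "application"]
            and seg[3] == "udid"):
        return {"app": seg[2], "udid": seg[4]}
    return None

def safe_for_filesystem(value):
    """With encoded slashes allowed, a path variable can hold "/", a
    backslash or ".."; such values must stay opaque keys, never file paths."""
    return not ("/" in value or "\\" in value
                or value in (".", "..") or "\x00" in value)

RAW = "/campaigns/application/A%2F1/udid/U1"  # request path from the question

if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        print(mode, "->", route(front_end(RAW, mode)))
    print("A/1 usable as a file name:", safe_for_filesystem("A/1"))
```

Only NoDecode delivers A/1 to the application as a single path variable, which is also why the application has to treat that value as an opaque key.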