I have a Tomcat server running Java servlets. I'm trying to make a servlet that returns stored files, given their encrypted IDs.
ID: 100
Encrypted ID: +e4/E5cR/aM=
URL-encoded ID: %2Be4%2FE5cR%2FaM%3D
Resulting URL: http://localhost/file/demo/%2Be4%2FE5cR%2FaM%3D
When I try to follow that link, I don't even get into my servlet's code - the server returns this error: Failed to load resource: the server responded with a status of 400 (Bad Request)
What's wrong with this URL that's making Tomcat reject it before reaching my code? I ran it through a URL-encoder, and I don't see any invalid characters in it.
You have a slash "/" encoded in the URL. Apache doesn't allow them due to potential attacks. There is a setting to allow them:
System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
or
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
See similar post.
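An alternative that leaves the encoded-slash restriction in place, shown as an added example that is not part of the original answer: emit the encrypted ID in the URL-safe Base64 alphabet, so the path segment never contains "/", "+" or "=" and needs no percent-encoding. It assumes the encrypted ID in the question is standard Base64 (it has that shape); the class and method names are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Pattern;

public class UrlSafeFileId {
    // Unpadded URL-safe Base64 alphabet (RFC 4648 section 5); length bound is an assumption.
    private static final Pattern URL_SAFE = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    /** Encode ciphertext bytes so the result can be used as a path segment unchanged. */
    static String toPathSegment(byte[] ciphertext) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ciphertext);
    }

    /** Decode a path segment back to ciphertext, rejecting anything outside the alphabet. */
    static byte[] fromPathSegment(String segment) {
        if (segment == null || !URL_SAFE.matcher(segment).matches()) {
            throw new IllegalArgumentException("malformed file ID");
        }
        return Base64.getUrlDecoder().decode(segment);
    }

    public static void main(String[] args) {
        // Encrypted ID from the question, assumed here to be standard Base64.
        String standard = "+e4/E5cR/aM=";
        byte[] ciphertext = Base64.getDecoder().decode(standard);

        // Standard alphabet: percent-encoding produces %2F, the sequence Tomcat rejects.
        String percentEncoded = URLEncoder.encode(standard, StandardCharsets.UTF_8);
        System.out.println("standard, percent-encoded: " + percentEncoded);
        System.out.println("contains %2F: " + percentEncoded.contains("%2F"));

        // URL-safe alphabet: '+' becomes '-', '/' becomes '_', padding is dropped.
        String segment = toPathSegment(ciphertext);
        System.out.println("url-safe segment: " + segment);
        System.out.println("http://localhost/file/demo/" + segment);

        // The servlet side recovers the same bytes before decrypting.
        System.out.println("round trip ok: "
                + Arrays.equals(ciphertext, fromPathSegment(segment)));

        // A segment carrying an encoded slash fails validation before any decoding.
        try {
            fromPathSegment("%2Be4%2FE5cR%2FaM%3D");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```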