Encoded slash (%2F) with Spring RequestMapping path param gives HTTP 400

rest spring glassfish spring-3 glassfish-3

Solution 1:

for spring-boot, the following did the trick

@SpringBootApplication
public class Application extends WebMvcConfigurerAdapter {

    public static void main(String[] args) throws Exception {
        System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
        SpringApplication.run(Application.class, args);
    }

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        UrlPathHelper urlPathHelper = new UrlPathHelper();
        urlPathHelper.setUrlDecode(false);
        configurer.setUrlPathHelper(urlPathHelper);
    }

}

Solution 2:

This could be your answer: urlencoded Forward slash is breaking URL

I would suggest not putting that in the path, move it to a request param instead.

Work around:

You could change the RequestMapping to 

@RequestMapping(value = "/ws/stuff/lookup/resourceId/**", method = RequestMethod.GET)

and then parse the path variables manually from the request object.

Solution 3:

2019 Update for Spring Boot 2+ / Spring (Security) 5+ / Java 8+:

As my edit to iamiddy's answer was rejected I want to also provide the complete solution for Spring Boot 2 + as an separate answer.

The WebMvcConfigurerAdapter is deprecated with Spring5 / Java8 and can be replaced directly with the Interface WebMvcConfigurer ending up with:

@SpringBootApplication
public class Application extends WebMvcConfigurer {

    public static void main(String[] args) throws Exception {
        System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
        SpringApplication.run(Application.class, args);
    }

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        UrlPathHelper urlPathHelper = new UrlPathHelper();
        urlPathHelper.setUrlDecode(false);
        configurer.setUrlPathHelper(urlPathHelper);
    }
}

Plus you also need to configure Spring's (Strict)HttpFirewall to avoid the blocking of encoded slashes with the error message The request was rejected because the URL contained a potentially malicious String "%2F"

@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);    
    return firewall;
}

Spring Boot will use the above HttpFirewall Bean when available - otherwise it might be necessary to configure the WebSecurity as mentioned here:

Solution 4:

For spring boot application this worked for me..

Version 1 Add 

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

to your application.properties file

Version 2 run your spring boot application like this.

static void main(String[] args) {
    System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
    SpringApplication.run this, args
}

Version 3 or run your java application with -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

This fixed %2F encoded slash path variable for me.

Related

Restrict access to website hosted on S3
Node JS: Automatic selection of `http.get` vs `https.get`
Difference between MEF and IoC containers (like Unity, Autofac, SMap, Ninject, Windsor.Spring.net, etc.)
Android "hello world" pushnotification example [closed]
Is Jackson really unable to deserialize json into a generic type?
How to list all files in an s3 folder using AWS-SDK gem in ruby on rails
Why is body.scrollTop deprecated?
Create dynamic environment variables at build time in Docker
How can I get a list of the symbols in a sympy expression?
Javascript: parse a string to Date as LOCAL time zone
masksToBounds vs. clipsToBounds [duplicate]
What's the difference between a ReadOnlyDictionary and an ImmutableDictionary?