5

I have a Tomcat server running Java servlets. I'm trying to make a servlet that returns stored files, given their encrypted IDs.

ID: 100

Encrypted ID: +e4/E5cR/aM=

URL-encoded ID: %2Be4%2FE5cR%2FaM%3D

Resulting URL: http://localhost/file/demo/%2Be4%2FE5cR%2FaM%3D

When I try to follow that link, I don't even get into my servlet's code - the server returns this error: Failed to load resource: the server responded with a status of 400 (Bad Request)

What's wrong with this URL that's making Tomcat reject it before reaching my code? I ran it through a URL-encoder, and I don't see any invalid characters in it.

John Brink
  • The URL may be correct, it depends how you configured tomcat and the web app. Is this URL really mapped to the servlet? – Henry Mar 25 '16 at 13:44

2 Answers

7

You have slash "/" encoded in the url. Apache doesn't allow them due to potential attacks. There is a setting to allow them:

System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");

or

-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

See similar post.

Dennis R
  • For anyone interested, I decided to ditch the encrypted ID and replace it with a randomly-generated token saved to the DB. Thanks for the tip. – John Brink Mar 25 '16 at 15:07
  • Hi, please where can I modify these parameters? Thanks – Aziz Nov 23 '16 at 19:23
  • When you start your JVM you can provide -D, see the answer -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true, or you can setProperty in the code. The answer kind of has it – Dennis R Nov 28 '16 at 16:44
  • You can also add the line `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` to `conf/catalina.properties`, which is probably the best method for this. – Jules Feb 27 '18 at 09:41
0

You are likely experiencing one of 2 issues:

1) You have not included the port in your URL. Either you have configured the Tomcat port to port 80, in which case the port is not needed, or you need to include the port, which defaults to 8080, for example:

http://localhost:8080/file/demo/%2Be4%2FE5cR%2FaM%3D

2) You are adding the encrypted ID as part of the URL itself, which would have to be mapped to a Servlet/JSP/View of some sort in your URL mappings and is not likely. Tomcat is not going to recognize a unique ID and know a corresponding handler to call to process the mapping. Assuming you intend to call the servlet/JSP/controller that is mapped to '/file/demo', you would more likely want to pass the ID as a request parameter, for example:

http://localhost:8080/file/demo?id=%2Be4%2FE5cR%2FaM%3D
pczeus
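The two answers above point in the same direction: the 400 comes from the "%2F" in the path, and the cure is either to loosen Tomcat's encoded-slash check or to stop putting characters that need that encoding into the URL. The asker's own follow-up (a random token stored in the DB instead of an encrypted id) takes the second route. The servlet below is an added example written for this page, not code from the question or from either answer; it assumes Tomcat 8 or 9 with the javax.servlet API, uses an in-memory map as a stand-in for the asker's database table, and the `register` helper is hypothetical. The token is 16 random bytes in the URL-safe Base64 alphabet (RFC 4648 section 5), which never contains '+', '/' or '=', so the URL needs no percent-encoding and `ALLOW_ENCODED_SLASH` can stay at its default for every webapp on the server.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Serves stored files by an opaque, randomly generated token instead of an encrypted id.
// The wildcard mapping lets the token be the last path segment: /file/demo/<token>
@WebServlet("/file/demo/*")
public class FileTokenServlet extends HttpServlet {

    // 16 random bytes encode to exactly 22 URL-safe Base64 characters (A-Z a-z 0-9 - _),
    // so a well-formed token never contains '+', '/' or '=' and never needs "%2F" in the URL.
    private static final int TOKEN_BYTES = 16;
    private static final Pattern TOKEN_SHAPE = Pattern.compile("^[A-Za-z0-9_-]{22}$");
    private static final SecureRandom RNG = new SecureRandom();

    // Stand-in for the database table mentioned in the comments: token -> file on disk.
    private static final Map<String, Path> STORE = new ConcurrentHashMap<>();

    // Hypothetical helper (not on the page): store a file and return the token to hand out.
    public static String register(Path file) {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        STORE.put(token, file);
        return token;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part after "/file/demo", e.g. "/x5J...": drop the leading slash.
        String pathInfo = req.getPathInfo();
        String token = (pathInfo == null || pathInfo.length() < 2) ? "" : pathInfo.substring(1);

        // Accept only an exact 22-character URL-safe token before touching the store, so no
        // '/', '.', or other path characters from the request can reach the lookup.
        if (!TOKEN_SHAPE.matcher(token).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed file token");
            return;
        }

        Path file = STORE.get(token);
        if (file == null || !Files.isRegularFile(file)) {
            // Same response whether the token was never issued or the file is gone.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        resp.setContentType("application/octet-stream");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());
    }
}
```

With this shape the URL the asker wanted (`http://localhost:8080/file/demo/<token>`) works unchanged, because Tomcat only rejects the request when the path contains an encoded slash, and a URL-safe token has none. The regex check runs before any lookup, so the servlet also tolerates having the same mapping used with answer 2's query-parameter style if `req.getParameter("id")` is substituted for the path-info extraction. Keeping the check strict (fixed length, fixed alphabet) is what makes enabling `ALLOW_ENCODED_SLASH` unnecessary: the setting is server-wide, and loosening it to accommodate one token format lets "%2F" through to path matching for every application on that Tomcat instance.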