Reputation: 1
I am working on configuring NetIQ IDAM, and one of the components of NetIQ IDAM, i.e. User Application, runs on a preconfigured Tomcat 8.5.x. User Application has some predefined functionality that enforces backslashes in the URL, but Tomcat is blocking the backslashes in the URL as a security measure.
I tried using these options:
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
but it was of no use.
Because part of the component is not customizable, I don't have any other option except configuring Tomcat in some way to allow backslashes in the URL.
Any suggestions on how I can achieve this?
Sample HTTP Request: ?targetName=abc@xyz\.com
Upvotes: 0
Views: 2099
Reputation: 16615
The client is broken. RFC 7230 and RFC 3986 require that the \ character is %nn encoded when used in a query string.
Generally, the Tomcat community implements the specifications and treats any non-spec compliance as a bug. The Tomcat community expects other developer communities to do the same.
Unfortunately, the browser vendors have opted to ignore the %nn encoding requirements of RFC 7230 and RFC 3986 and, despite claiming to be working to their own specification, the end result is that each of the major browsers %nn encodes a different sub-set of the characters that are required to be encoded.
The good news for you is that, as a result of this mess, Tomcat 9.0.8, 8.5.21, 8.0.52 and 7.0.87 will introduce (those releases are still being voted on as I type this) options that allow the use of characters directly in the URI path and/or query string without %nn encoding.
Once those releases are available you will be able to configure Tomcat to accept \ in the query string. Meanwhile, I'd recommend raising a bug against the client for spec non-compliance anyway. Better to have a correctly working client so you can drop the work-around in Tomcat.
Upvotes: 2
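To make the encoding requirement in the answer above concrete, here is an added example (not code from either poster or from Tomcat) that checks a raw query string against the RFC 3986 query grammar and reports which characters a compliant client would have had to %nn encode. The function name `audit_query` and the inputs other than the question's sample request are constructed for illustration.

```python
import re

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
SUB_DELIMS = "!$&'()*+,;="
QUERY_LITERALS = frozenset(UNRESERVED + SUB_DELIMS + ":@/?")
PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def audit_query(query):
    """Return (offending, repaired) for a raw query string (no leading '?').

    offending: sorted list of distinct characters that RFC 3986 does not
               allow unencoded in a query.
    repaired:  the same query with only those characters %nn encoded (UTF-8);
               valid existing %nn triplets are left untouched.
    """
    offending = set()
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%" and PCT_TRIPLET.match(query, i):
            out.append(query[i:i + 3])  # already-encoded triplet: keep as is
            i += 3
            continue
        if ch in QUERY_LITERALS:
            out.append(ch)
        else:
            # Not a legal literal (this includes a stray '%'): encode it.
            offending.add(ch)
            out.append("".join("%{:02X}".format(b) for b in ch.encode("utf-8")))
        i += 1
    return sorted(offending), "".join(out)


if __name__ == "__main__":
    # First input is the sample request from the question; the rest are constructed.
    for q in (r"targetName=abc@xyz\.com", "a=1&b=%5C", "q=50%|x"):
        print(q, "->", audit_query(q))
```

If the Tomcat-side work-around is used instead of fixing the client, the offending set reported here is the smallest set of characters that would need to be permitted, which keeps the relaxation as narrow as possible.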