Allow URIs with Slash and Backslash in Apache Tomcat

By default, Apache Tomcat returns an error (400 - Bad Request) if a client sends a request to a URL that contains the characters %2F or %5C. These are the URL-encoded forms of / and \ respectively. These characters are forbidden to prevent attackers from working around the context restrictions of Apache Tomcat.

This affects the Denodo RESTful Web service and the published REST Web services: you cannot access databases or views whose name contains any of these characters. You also cannot retrieve rows of views by their primary key when the primary key value contains any of these characters (e.g. http://localhost:9090/denodo-restfulws/support/views/customer/1%2F2).

To disable this protection on the Tomcat embedded in the Denodo Platform, on which these services are deployed, follow these steps:

  1. Open the Denodo Platform Control Center
  2. Click Configure
  3. Click JVM Options
  4. In the Web container box, add the following to the current value (before adding this, leave a space after the last character of the existing value):
     -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
     -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
  5. Restart the Virtual DataPort server.

When the variable ALLOW_ENCODED_SLASH is true, Tomcat allows URLs to contain %2F.

When the variable ALLOW_BACKSLASH is true, Tomcat allows URLs to contain %5C.
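
With both protections disabled, a path check such as the following (an added example, not part of the Denodo or Tomcat documentation) can be applied in a proxy in front of the service or when reviewing access logs. It accepts encoded / and \ inside a name or key, but rejects paths in which they hide . or .. segments. The function name check_path and all sample paths except the first are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Escapes that would still hide a separator or a dot after one decoding pass.
DOUBLE_ENCODED = re.compile(r"%(2f|5c|2e)", re.IGNORECASE)
SEPARATOR = re.compile(r"[/\\]")


def check_path(raw_path):
    """Return None if the raw request path is acceptable, else a reason.

    raw_path is the path exactly as the client sent it (still percent-encoded).
    """
    # Split on literal slashes only, so %2F inside a segment stays data.
    for segment in raw_path.split("/"):
        decoded = unquote(segment)  # exactly one decoding pass
        if DOUBLE_ENCODED.search(decoded):
            return f"double-encoded separator or dot in {segment!r}"
        # A name or key may contain / or \, but none of its parts may be
        # a dot-segment that would change the directory level.
        if any(part in (".", "..") for part in SEPARATOR.split(decoded)):
            return f"dot-segment in {segment!r}"
    return None


# Constructed sample paths; the first one is the URL path shown on this page.
SAMPLES = [
    "/denodo-restfulws/support/views/customer/1%2F2",
    "/denodo-restfulws/support/views/a%5Cb",
    "/denodo-restfulws/support/views/customer/..%2F..%2Fadmin",
    "/denodo-restfulws/support/views/..%5Cx",
    "/denodo-restfulws/support/views/%252e%252e%252Fx",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, "->", check_path(path) or "ok")
```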