Problem

Creating a user such as “domain\user”, whose name contains a special character like / or \, through the REST API raises an error.

 

Explanation

URL encoding is normalized: percent-encoding (“%xx”) can encode any character, including special characters, in the URL path. For security reasons (encoded slashes in the URL were once incorrectly processed by application servers, causing path traversal), certain application servers, including Tomcat, refuse encoded slashes and backslashes (%2F, %5C) in the path. Spring Security enforces a similar restriction with its StrictHttpFirewall filter, which rejects the characters ; % . \ / in the URL.


Solution: Amend Tomcat and Spring Security configuration

To allow special characters in URLs, you must:

  • Configure Tomcat to allow these characters in the URL:

    • to allow the slash character (/), configure every Connector in server.xml with the attribute encodedSolidusHandling set to decode, for instance:

      <Connector port="80" protocol="HTTP/1.1"
                 encodedSolidusHandling="decode"
                 connectionTimeout="20000"
                 redirectPort="443" />

    • to allow the backslash character (\), set the system property org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH to true in setenv.sh/setenv.bat

    • % and ; are allowed by default

  • Configure Spring Security's StrictHttpFirewall filter: set the system property acceptSpecialCharactersInUrlPath to true in setenv.sh/setenv.bat (this property defaults to false).
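The following Spring Security configuration is an added example, not the product's own code, showing how the acceptSpecialCharactersInUrlPath system property named above can drive the StrictHttpFirewall filter. It assumes Spring Security 5.4 or later (for WebSecurityCustomizer) and, for the self-check in main, spring-test on the classpath; how the product itself wires the property is not shown on this page, so the bean names and the buildFirewall/accepts helpers are assumptions. Each setAllow… call lifts exactly one of the firewall's default rejections, so you can relax only the characters your URLs actually need.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class UrlFirewallConfig {

    // JVM system property from the article; set it with
    // -DacceptSpecialCharactersInUrlPath=true in setenv.sh/setenv.bat.
    static final String PROPERTY = "acceptSpecialCharactersInUrlPath";

    /** Builds the firewall; it is relaxed only when the property is explicitly "true". */
    static StrictHttpFirewall buildFirewall(boolean acceptSpecialCharacters) {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        if (acceptSpecialCharacters) {
            // Each setter removes one entry from the firewall's blocklist.
            firewall.setAllowUrlEncodedSlash(true);   // %2F in the path
            firewall.setAllowBackSlash(true);         // literal \ and %5C
            firewall.setAllowUrlEncodedPercent(true); // %25
            firewall.setAllowSemicolon(true);         // literal ;
            firewall.setAllowUrlEncodedPeriod(true);  // %2E
        }
        return firewall;
    }

    /** Exposes the firewall as a bean (hypothetical bean name). */
    @Bean
    public HttpFirewall httpFirewall() {
        // Boolean.getBoolean reads the system property and is false when unset.
        return buildFirewall(Boolean.getBoolean(PROPERTY));
    }

    /** Registers the firewall with the security filter chain. */
    @Bean
    public WebSecurityCustomizer firewallCustomizer(HttpFirewall httpFirewall) {
        return web -> web.httpFirewall(httpFirewall);
    }

    /** Returns true when the firewall lets the encoded URI through, false when it rejects it. */
    static boolean accepts(StrictHttpFirewall firewall, String encodedUri) {
        try {
            // Constructed request: only the request URI matters for this check.
            firewall.getFirewalledRequest(new MockHttpServletRequest("GET", encodedUri));
            return true;
        } catch (RequestRejectedException e) {
            return false;
        }
    }

    /** Self-check: the same user URI against the default and the relaxed firewall. */
    public static void main(String[] args) {
        // "domain\user" with the backslash percent-encoded, as a REST client would send it.
        String uri = "/users/domain%5Cuser";
        System.out.println("default firewall accepts " + uri + ": " + accepts(buildFirewall(false), uri));
        System.out.println("relaxed firewall accepts " + uri + ": " + accepts(buildFirewall(true), uri));
    }
}
```

With the property unset, the first line of main reports that the request is rejected (the firewall throws RequestRejectedException before any controller runs); with it set to true, the same URI is accepted. Note that Spring Security's firewall and Tomcat's own checks are independent: relaxing one without the other still leaves the request blocked, which is why the article configures both.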


Warning: You must assess the security impact before activating these parameters: special characters such as slash and backslash are blocked by default by certain application servers and by Spring Security for security reasons.