In a Spring Boot web app with security enabled, I'm getting the following error when performing a GET request which contains an encoded slash
http://172.16.62.11:8080/c
Found out the issue - apparently in the latest release of Spring Security, the usage of encoded slashes in URLs has been blocked
https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175
To overcome this, provide your own HttpFirewall implementation to WebSecurity as follows
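    // Inside the WebSecurityConfigurerAdapter subclass.
    // Firewall bean that lets URL-encoded slashes (%2F) through.
    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        DefaultHttpFirewall firewall = new DefaultHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    // Register the firewall with the Spring Security filter chain.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }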
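
A narrower alternative, as an added example that is not part of the original post: keep Spring Security's `StrictHttpFirewall` and relax only its encoded-slash check, then compare it with the `DefaultHttpFirewall` from the post on constructed request URIs. The class name, helper names and sample URIs are assumptions for illustration, and the check uses `MockHttpServletRequest` from spring-test.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Added example: hypothetical class, not code from the post or from Spring Security.
public class EncodedSlashFirewallCheck {

    // Strict firewall with only the encoded-slash rejection switched off;
    // its remaining URL checks stay enabled.
    static HttpFirewall strictAllowingEncodedSlash() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    // The firewall configured in the post above.
    static HttpFirewall defaultAllowingEncodedSlash() {
        DefaultHttpFirewall firewall = new DefaultHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    // True if the firewall lets a GET for this request URI through.
    static boolean accepts(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException rejected) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs: an encoded slash, and a path parameter.
        String[] uris = {"/items/a%2Fb", "/items/a;v=1/b"};
        HttpFirewall strictDefault = new StrictHttpFirewall();
        for (String uri : uris) {
            System.out.printf("%-16s strict(default)=%b strict(+%%2F)=%b default(+%%2F)=%b%n",
                    uri,
                    accepts(strictDefault, uri),
                    accepts(strictAllowingEncodedSlash(), uri),
                    accepts(defaultAllowingEncodedSlash(), uri));
        }
    }
}
```

The firewall returned by `strictAllowingEncodedSlash()` is registered the same way as in the post, through `web.httpFirewall(...)`.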