Configure SPS to allow Encoded Slashes in URI


Article ID: 36834




CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On




SPS 12.52 SP1 returns an HTTP 400 Bad Request error whenever it receives a URL containing %2F, the percent-encoded form of the forward slash (/).

Example of such a URL (as captured; the beginning of the request line is truncated):

GET'%2FUI2%2FFiori2LaunchpadHome')?$expand=Pages/PageChipInstances/Chip/ChipBags/ChipProperties HTTP/1.1



Both Apache httpd and Tomcat intentionally reject URIs that contain an encoded path separator (%2F for / and %5C for \). Decoding those sequences after a front-end component has already made its access decision on the raw path enabled directory-traversal attacks such as CVE-2007-0450 (".." sequences combined with encoded separators passed through a proxy module to Tomcat), so the rejection is a deliberate defence rather than a bug. Enabling the settings below removes that defence; before doing so, make sure the SiteMinder policies evaluated by SPS and the backend application agree on the canonical form of the path.

To instruct the Apache httpd and Tomcat components within SPS to process such URIs, follow the steps below.


**** Step 1 --> Apache 


Modify the httpd.conf file found under \CA\secure-proxy\httpd\conf and add the following two directives:


1) AllowEncodedSlashes NoDecode 

2) JkOptions +ForwardURICompatUnparsed


The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info. It is valid in the server configuration and virtual host contexts only, not inside Directory or Location blocks, so it cannot be scoped to a single path.

a) With the default value, Off, such URLs are refused with a 404 (Not found) error.

b) With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

c) With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.


Setting JkOptions to +ForwardURICompatUnparsed makes mod_jk forward the original, unparsed request URI to Tomcat, so Tomcat receives %2F exactly as the client sent it rather than an already-decoded slash. (Because the original URI is forwarded, URIs rewritten by mod_rewrite are not seen by Tomcat with this option.)



**** Step 2 --> Tomcat 


To instruct Tomcat to allow the encoded slash, edit the file under \CA\secure-proxy\proxy-engine\conf\ that defines NETE_SPS_PROXYENGINE_CMD and add the following two Java system properties to that command line:


1) -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true (lets Tomcat decode %2F to / instead of rejecting the request with 400)

2) -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true (lets Tomcat accept a backslash, including a decoded %5C, as a path separator instead of rejecting the request)




NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true -Dfile.encoding=UTF-8 -Xms512m -Xmx1024m -XX:MaxPermSize=256M -Dcatalina.base="%NETE_SPS_TOMCAT_HOME%" -Dcatalina.home="%NETE_SPS_TOMCAT_HOME%" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed""%NETE_SPS_TOMCAT_HOME%\temp" -DHTTPClient.log.mask=0 -DHTTPClient.Modules="HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule""%NETE_SPS_TOMCAT_HOME%/properties/" -DSM_AGENT_LOG_CONFIG="%STS_AGENT_LOG_CONFIG_FILE%" -classpath "%NETE_SPS_TOMCAT_HOME%\bin\proxybootstrap.jar;%NETE_SPS_TOMCAT_HOME%\properties;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_TOMCAT_HOME%\bin\bootstrap.jar;%NETE_SPS_ROOT%\resources;%NETE_SPS_ROOT%\agentframework\java\cryptoj.jar" com.netegrity.proxy.ProxyBootstrap -config "%NETE_SPS_ROOT%/proxy-engine/conf/server.conf"


**** Step 3 --> Restart the SPS services for the changes to take effect
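The following Python model is an added example; it is not part of this article and not CA, Apache or Tomcat code. It shows why the container rejects encoded separators by default and what has to be true once the settings above are enabled: a policy check made on the raw URI (what SPS sees when httpd runs with AllowEncodedSlashes NoDecode and forwards the URI unparsed) and a backend that decodes %2F and %5C (Tomcat with ALLOW_ENCODED_SLASH and ALLOW_BACKSLASH set to true) can disagree about which resource is being requested. The protected prefix /admin, the sample request paths and the simplified decode-then-normalize logic standing in for Tomcat are assumptions made for illustration.

```python
"""Model of front-end policy check vs. backend URI decoding (added example).

The Tomcat behaviour is simplified: decode once, then normalise '..'.
"""
from urllib.parse import unquote

# Assumption: a policy protects everything at or below /admin.
PROTECTED_PREFIXES = ("/admin",)


def _under(path: str, prefix: str) -> bool:
    """True when path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def _normalize(path: str):
    """Collapse '.' and '..' segments; None if the path climbs above the root."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None          # escaped the context root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def frontend_is_protected(raw_path: str) -> bool:
    """Policy decision taken on the raw, still percent-encoded path
    (the NoDecode + ForwardURICompatUnparsed case)."""
    return any(_under(raw_path, p) for p in PROTECTED_PREFIXES)


def backend_resolve(raw_path: str, allow_encoded_slash: bool,
                    allow_backslash: bool = False):
    """Simplified container handling. Returns the served path, or None for
    a 400 rejection:
      ALLOW_ENCODED_SLASH=false -> any %2F in the path is rejected
      ALLOW_BACKSLASH=false     -> a '\\' in the decoded path is rejected
      otherwise                 -> decode once, treat '\\' as '/', normalise
    """
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    decoded = unquote(raw_path)
    if "\\" in decoded:
        if not allow_backslash:
            return None
        decoded = decoded.replace("\\", "/")
    return _normalize(decoded)


def evaluate(raw_path: str, allow_encoded_slash: bool,
             allow_backslash: bool = False) -> dict:
    """Compare the raw-path policy decision with what the backend would serve.
    'bypass' is True when the front end let the request through as public
    but the backend resolves it to a protected resource."""
    front = frontend_is_protected(raw_path)
    back = backend_resolve(raw_path, allow_encoded_slash, allow_backslash)
    bypass = (not front and back is not None
              and any(_under(back, p) for p in PROTECTED_PREFIXES))
    return {"frontend_protected": front, "backend_path": back, "bypass": bypass}


def canonical_is_protected(raw_path: str, allow_backslash: bool = True) -> bool:
    """Hardened check: decide on the same canonical path the backend will
    serve, and fail closed (treat as protected) when the path is rejected."""
    back = backend_resolve(raw_path, True, allow_backslash)
    return back is None or any(_under(back, p) for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests, including the shape from the article.
    for raw in ("/public/..%2Fadmin/users", "/admin%2Fusers",
                "/public/..%5Cadmin/users", "/UI2%2FFiori2LaunchpadHome"):
        for allow in (False, True):
            print(f"{raw:32} ALLOW_ENCODED_SLASH={allow!s:5}",
                  evaluate(raw, allow, allow_backslash=True),
                  "canonical protected:", canonical_is_protected(raw))
```

With ALLOW_ENCODED_SLASH=false the traversal attempts are rejected with 400 before any decoding, which is the default behaviour the article starts from. With both properties enabled, /public/..%2Fadmin/users and /admin%2Fusers pass a raw-path policy check as public yet resolve to /admin/users on the backend, while the legitimate /UI2%2FFiori2LaunchpadHome from the example resolves harmlessly; the canonical check closes the gap by deciding on the decoded, normalised path.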


Component: SMSPS