ALLOW_ENCODED_SLASH on AWS Elasticbeanstalk

Published 2019-05-07 15:01

How should I configure my ElasticBeanstalk on AWS to allow encoded slashes in URLs? (Using -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true)

I've created a directory called .ebextensions with a file tomcat.config in top-level directory of my source bundle (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html) with the content:

commands:
  allow-encoded-slash:
    command: export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
    cwd: /home/ec2-user

But it seems to have no effect; it doesn't appear in these dirs:

ls -la /tmp/deployment/application/ROOT/
ls -la /var/lib/tomcat7/webapps/ROOT/ 

3 answers
叛逆
#2 · 2019-05-07 15:35

We also tried to set the ALLOW_ENCODED_SLASH system property through the Edit Configuration dialog in the Elastic Beanstalk console. But, although the property seems to be present, Tomcat still doesn't let us use encoded slashes (%2F).

We think the ALLOW_ENCODED_SLASH system property is properly set because:

1) We see that property in the java command that starts Tomcat:

/usr/lib/jvm/jre/bin/java -DAWS_ACCESS_KEY_ID= -DAWS_SECRET_KEY= -DJDBC_CONNECTION_STRING= -DPARAM1= -DPARAM2= -DPARAM3= -DPARAM4= -DPARAM5= -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dhazelcast.native.client=true -Dcom.sun.management.jmxremote -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8765 -XX:MaxPermSize=256m -Xmx1024m -Xms256m -classpath :/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat7/temp -Djava.util.logging.config.file=/usr/share/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

2) And because we also get "true" when executing this from our web application:

System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH")

Does anyone know why Tomcat is still rejecting encoded slashes?

For example, this URL should return a JSON saying "Application not found: A/1":

http://our-site/campaigns/application/A%2F1/udid/U1

But, instead, it says:

The requested URL /v1/campaigns/application/A/1/udid/U1 was not found on this server.

It's strange because we have tried the ALLOW_ENCODED_SLASH system property in a local Tomcat and it works fine.

Lately we tried another property. This one works both in my local Tomcat and in AWS:

org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH

I'm completely puzzled... :-/

别忘想泡老子
#3 · 2019-05-07 15:40

Note that if you have an Apache httpd in front of the Tomcat, both need to be configured to allow slashes.

For Tomcat, the property is -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true (best placed in CATALINA_OPTS in the Tomcat conf file).

For Apache, the directive AllowEncodedSlashes needs to be set to NoDecode; furthermore, the ProxyPass directive needs to be set to nocanon, otherwise Tomcat will receive an encoded slash as %252F instead of %2F.

So the correct apache configuration looks like this:

<VirtualHost *:80>
  ProxyPass / http://localhost:8080/ nocanon
  ProxyPassReverse / http://localhost:8080/ nocanon
  ProxyPreserveHost on
  AllowEncodedSlashes NoDecode
</VirtualHost>
Evening l夕情丶
#4 · 2019-05-07 15:51

An ElasticBeanstalk has an Apache (I guess for the Load Balancer) in front of Tomcat, so this is the first one that receives a request, and it is where it must be indicated that slashes must not be decoded.

In order to get this, we have used this virtualhost:

<VirtualHost *:80>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass / http://localhost:8080/ retry=0
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost on
  AllowEncodedSlashes NoDecode
  LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
  ErrorLog /var/log/httpd/elasticbeanstalk-error_log
  TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>

This URL is helpful for configuring an EBS and its Apache: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html
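
The two answers above both come down to the same chain of decoding steps, and the symptom in answer #2 (a 404 whose text already shows the decoded path /A/1/) is what the front-end httpd produces before Tomcat ever sees the request. The following Python model, which is an added illustration and not code from the question, from httpd or from Tomcat, walks the URL from the question through the three settings named on the page: httpd's AllowEncodedSlashes, the ProxyPass nocanon keyword, and Tomcat's ALLOW_ENCODED_SLASH system property. The decoding rules are deliberately simplified to the %2F case that the answers describe; the function names and the `Chain` dataclass are mine, not anything from the real servers.

```python
"""Model of how an encoded slash (%2F) travels through an Apache httpd ->
Tomcat chain.  Added illustration only: the httpd and Tomcat behaviour is
reduced to the %2F handling described in the answers, nothing more."""
from dataclasses import dataclass
from urllib.parse import unquote

# The URL from the question (constructed sample input).
REQUEST = "/campaigns/application/A%2F1/udid/U1"


@dataclass(frozen=True)
class Chain:
    """The three knobs from the answers (names are this example's own)."""
    allow_encoded_slashes: str = "Off"        # httpd AllowEncodedSlashes: Off | On | NoDecode
    nocanon: bool = False                     # httpd: ProxyPass ... nocanon
    tomcat_allow_encoded_slash: bool = False  # -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH


def _has_encoded_slash(path: str) -> bool:
    return "%2F" in path.upper()


def httpd_stage(path: str, cfg: Chain) -> tuple[str, str]:
    """What the front-end httpd does with the request.

    Returns ("proxied", path_sent_to_tomcat) or ("error", message)."""
    if _has_encoded_slash(path):
        if cfg.allow_encoded_slashes == "Off":
            # httpd default: the request is refused before it is proxied.
            # The 404 text shows the decoded path, matching the error
            # quoted in answer #2.
            return ("error", f"404 Not Found (httpd): {unquote(path)}")
        if cfg.allow_encoded_slashes == "On":
            # httpd decodes %2F itself, so the segment boundary is lost
            # and Tomcat can no longer tell "A/1" from two segments.
            path = path.replace("%2F", "/").replace("%2f", "/")
    if not cfg.nocanon:
        # Without nocanon, mod_proxy canonicalises the URL and the literal
        # percent sign is re-encoded, so %2F is forwarded as %252F
        # (only the encoded slash is modelled here).
        path = path.replace("%2F", "%252F").replace("%2f", "%252f")
    return ("proxied", path)


def tomcat_stage(path: str, cfg: Chain) -> tuple[str, str]:
    """What Tomcat's UDecoder does with the proxied path.

    Returns ("decoded", path_handed_to_the_webapp) or ("error", message)."""
    if _has_encoded_slash(path) and not cfg.tomcat_allow_encoded_slash:
        # Tomcat default: an encoded slash in the request path is rejected.
        return ("error", "400 Bad Request (Tomcat)")
    # One round of percent-decoding before the request is mapped.
    return ("decoded", unquote(path))


def send(path: str, cfg: Chain) -> tuple[str, str]:
    """Run a request through httpd and then Tomcat."""
    stage, value = httpd_stage(path, cfg)
    if stage == "error":
        return (stage, value)
    return tomcat_stage(value, cfg)


if __name__ == "__main__":
    cases = {
        "httpd default": Chain(),
        "NoDecode, no nocanon, Tomcat allows": Chain("NoDecode", False, True),
        "NoDecode + nocanon, Tomcat default": Chain("NoDecode", True, False),
        "NoDecode + nocanon, Tomcat allows": Chain("NoDecode", True, True),
    }
    for name, cfg in cases.items():
        print(f"{name:40s} -> {send(REQUEST, cfg)}")
```

Only the last combination hands the webapp /campaigns/application/A/1/udid/U1; the second one shows the %252F double-encoding that answer #3 warns about (the application receives the literal text A%2F1), and the first reproduces the httpd-side 404 from answer #2 even though Tomcat's property was set correctly.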
