I have just upgraded from Jenkins 2.474 to 2.475, which requires a servlet container that implements the Servlet 6.0 API. I run Jenkins in Tomcat, so this required upgrading to Tomcat 10.1.
I am getting the following error when checking the reverse proxy:
Invalid URI: [The encoded slash character is not allowed]
The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
In earlier (up to Tomcat 9.x) versions, I was able to add the following parameter to tomcat/conf/catalina.properties:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
However, this feature was deprecated in Tomcat 9.0 and removed in Tomcat 10.0:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH
Use of this system property is deprecated. It will be removed from Tomcat 10 onwards. If this system property is set to true, the default for the encodedSolidusHandling attribute of all Connectors will be changed from reject to decode. If decoded, it will be treated a path delimiter.
How can I allow encoded slashes in Tomcat 10?
In Tomcat 10.0, the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH was removed. The changelog states the following:
Add: Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences. (markt)
In the Tomcat 10.0 documentation, the new method is not to add the parameter to catalina.properties, but rather as a Connector property. The new mode is passthrough:
<Connector encodedSolidusHandling="passthrough" ...>
</Connector>
The Jenkins documentation for reverse proxy setup has not yet been updated to reflect this change.