Summary

The request was rejected for a welcome page under the WEB-INF directory, configured as follows:

<welcome-file-list>
  <welcome-file>/WEB-INF/views/home.jsp</welcome-file>
</welcome-file-list>

Actual Behavior

org.springframework.security.web.firewall.RequestRejectedException occurred as follows:

HTTP Status 500 – Internal Server Error

Type: Exception Report

Message: The request was rejected because the URL was not normalized.

Description: The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception:

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL was not normalized.
        org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:296)
        org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
        org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
        org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
        org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)

Note: The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.17

Expected Behavior

Render the content of home.jsp.

Version

  • 5.0.4 - 5.1.5 (5.0.3 works fine)

Sample

gh-spring-security-6757.zip

Comment From: kazuki43zoo

Run the sample application using cargo maven plugin.

$ mvn clean package cargo:run

Access the sample application using cURL.

$ curl -D - http://localhost:8080/gh-spring-security-6757/

Comment From: jzheaux

The reason for the failure is that the <welcome-page-file> is prefixed by a /, resulting in two slashes, which the firewall rejects. Future versions of Spring Security are clearer about that in the error message.

If I remove the slash, then I get the expected 404 (since WEB-INF pages cannot be used as welcome files).
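To make the rejection above reproducible without a container, here is an added example (not code from the Spring Security project): a Python re-implementation of the path-normalization rule StrictHttpFirewall enforces, run over the two welcome-file values discussed in this issue. The context path comes from the curl command above; how the container joins the request path and the welcome-file value is an assumption made to show where the doubled slash comes from.

```python
# Context path taken from the curl command in the issue.
CONTEXT_PATH = "/gh-spring-security-6757"


def is_normalized(path: str) -> bool:
    """True when the path has no '//' and no '.' or '..' segment.

    Re-implementation of the normalization rule the firewall applies;
    it is not Spring's code, only a model of the behaviour it describes.
    """
    if "//" in path:
        return False                      # doubled slash: the case in this issue
    # Walk the path backwards one segment at a time, checking for dot segments.
    j = len(path)
    while j > 0:
        i = path.rfind("/", 0, j)         # -1 when no earlier slash exists
        gap = j - i
        if gap == 2 and path[i + 1] == ".":
            return False                  # "/./" or a trailing "/."
        if gap == 3 and path[i + 1 : i + 3] == "..":
            return False                  # "/../" or a trailing "/.."
        j = i
    return True


def welcome_request_uri(context_path: str, welcome_file: str) -> str:
    """Build the URI a request to the context root is forwarded to.

    Assumption: the container appends the welcome-file value to the
    request path (which already ends in '/') without stripping a leading
    slash, which is what produces the '//' reported in this issue.
    """
    return context_path + "/" + welcome_file


def firewall_verdict(context_path: str, welcome_file: str) -> str:
    """Summarise what the firewall would do with the forwarded URI."""
    uri = welcome_request_uri(context_path, welcome_file)
    if is_normalized(uri):
        return "accepted"
    return "rejected: URL not normalized"


if __name__ == "__main__":
    for welcome in ("/WEB-INF/views/home.jsp", "WEB-INF/views/home.jsp"):
        uri = welcome_request_uri(CONTEXT_PATH, welcome)
        print(f"{uri!r}: {firewall_verdict(CONTEXT_PATH, welcome)}")
```

The first configuration yields `/gh-spring-security-6757//WEB-INF/views/home.jsp` and is rejected; the second is accepted by the firewall and, as noted above, then falls through to the container's own 404 for WEB-INF resources.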