WMTS tile requests fail with "RequestRejectedException: The request was rejected because the URL was not normalized"

Description

RESTful WMTS tile requests can fail on GeoServer 2.14 in default configuration, even with the default dataset. The exception comes from Springs' StrictHttpFirewall: "RequestRejectedException: The request was rejected because the URL was not normalized.". Exception is triggered any time two slashes appear in the URL path (//).

For a specific example, take "tasmania" layer in the default dataset. It has a single unnamed style and a ResourceURL template:

When a compliant WMTS client fills out the URL template, it replaces {{style}} with an empty string and sends a request for http://mydomain/geoserver/gwc/rest/wmts/tasmania//EPSG:4326/EPSG:4326:0/0/1?format=image/png. The double-slash in this URL's path triggers Jetty's firewall, and request fails.

A potential workaround here is to avoid making RESTful tile requests, and to use WMTS service via KVP instead. Unfortunately this option is not available for most WMTS clients. I'm not sure if there is a way to customize StrictHttpFirewall options on a GeoServer installation without rebuilding it from source — please let me know if it is.

This problem is not reproducible in 2.13's default configuration.

Potentially related issue: https://osgeo-org.atlassian.net/browse/GEOS-8913

Environment

None

Status

Assignee

Andrea Aime

Reporter

Matvei Stefarov

Triage

None

Fix versions

Affects versions

Priority

Medium
Configure