Confluence Data Center: CONFSERVER-14696

Users with "/" in their names are unable to create personal spaces

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Medium
    • Fix Version/s: None
    • Affects Version/s: 2.10.1
    • Component/s: None

      We're using Kerberos, and so the "/" is required to define the realm of our users.

      However, when a user with a "/" in their username goes to create a personal space, they get a Confluence "page not found" page. For example, a user name of "asdf/realm" would have this link to their personal space: https://bw-wiki.ncsa.uiuc.edu/display/~asdf/realm

      If I manually point the browser to the correctly escaped link: "https://bw-wiki.ncsa.uiuc.edu/display/~asdf%2frealm" I get an apache "Not Found" error.

      The link that is automatically generated by Confluence is: https://bw-wiki.ncsa.uiuc.edu/display/~asdf%202frealm, which is doubly escaping the "/", once to get to %2f, and then to %202f to escape the percent sign.

      Please check where you're escaping your characters. Also, is it possible, even after proper escaping, to have a personal space for users with "/" in their usernames?


            Anatoli added a comment -

            closing as a duplicate of CONF-13479


            Maleko Taylor (Inactive) added a comment - edited

            dupe of http://jira.atlassian.com/browse/CONF-13479 ?

            Andrew Lynch (Inactive) added a comment -

            Hi Josh,

            We actually double URL encode the URL as a workaround for non-ASCII characters in the username (they are decoded twice, once by the app server and once by us in the SimpleDisplayServlet). Unfortunately this will result in /display/asdf/realm being interpreted as viewing the page realm in the space asdf. There's no trivial workaround which wouldn't break it for some other sequence of characters, so I would suggest that either you try to find a way of renaming your users or modifying the URL generated for your users (this would require patching on your end, involving GeneralUtil.personalSpaceUrl and SimpleDisplayServlet, which will map this URL back to an action).

            A single encoded %2f would also give problems with Tomcat 6.0.10 onwards:

            Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

            The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

                * org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
                * org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

            Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

            Affects: 6.0.0-6.0.9

            That may explain the apache "Not Found" error you are receiving.

            Regards,
            Andrew Lynch
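As an added illustration (not Confluence's or Tomcat's code), this Python model walks a personal-space URL through the two decode stages described in the comment above and shows why a username containing "/" ends up split into a space key and a page title, whether the slash is encoded once or twice. The container stage mimics Tomcat's default refusal of an encoded slash; that refusal check is an assumed simplification, not Tomcat's real implementation.

```python
from urllib.parse import quote, unquote

# Constructed model of the pipeline described in the issue:
#   stage 1: the app server (Tomcat) decodes the request path once
#   stage 2: SimpleDisplayServlet decodes it again and routes
#            /display/<space>[/<page>]

def personal_space_url(username: str, double_encode: bool) -> str:
    """Build /display/~<user>: single percent-encoding, or the double
    encoding Confluence uses as a workaround for non-ASCII names."""
    encoded = quote(username, safe="")          # "/" -> "%2F", "ö" -> "%C3%B6"
    if double_encode:
        encoded = quote(encoded, safe="")       # "%" -> "%25", so "/" -> "%252F"
    return "/display/~" + encoded

def container_decode(path: str, allow_encoded_slash: bool = False):
    """Stage 1. By default an encoded slash is refused (assumed stand-in for
    Tomcat's ALLOW_ENCODED_SLASH=false behaviour); otherwise decode once."""
    if not allow_encoded_slash and "%2f" in path.lower():
        return None                              # request refused, seen as Not Found
    return unquote(path)

def route(path_after_container: str):
    """Stage 2: decode again, then split into (space key, page title)."""
    decoded = unquote(path_after_container)
    parts = decoded[len("/display/"):].split("/", 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)

def resolve(username: str, double_encode: bool, allow_encoded_slash: bool = False):
    """Return ((space, page) or a refusal marker, generated URL)."""
    url = personal_space_url(username, double_encode)
    after_container = container_decode(url, allow_encoded_slash)
    if after_container is None:
        return "rejected by container", url
    return route(after_container), url

if __name__ == "__main__":
    # Double encoding survives both decodes, but "/" still splits the name.
    print(resolve("asdf/realm", True))
    # Single encoding is refused at stage 1 unless encoded slashes are allowed,
    # and even then the name is split the same way.
    print(resolve("asdf/realm", False))
    print(resolve("asdf/realm", False, allow_encoded_slash=True))
    # A non-ASCII name without "/" is the case double encoding was meant for.
    print(resolve("jösh", True))
```

Running it shows that no encoding choice lets "asdf/realm" reach the servlet as one space key, which is the point of the comment: the ambiguity is in the path grammar, not in the escaping.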


              Assignee: Unassigned
              Reporter: Josh Kim