Multiple consecutive slashes in the request causes 400 bad request error in Tomcat 10

I am upgrading my legacy project to Spring 6 and Tomcat 10. In that, normal requests are passed without any problem. But the requests like this:


are throwing cors error 400 bad request.The normal requests are like this:


The only difference between these requests are the multiple consecutive slashes.
These requests worked fine on Tomcat 8 and Spring 5.

This is my security configuration in Spring 6.

public class SecurityConfig extends WebSecurityConfiguration {

    public static SecurityConfig securityConfig() {
        return new SecurityConfig();

    private static final Logger LOG = LogManager.getLogger(SecurityConfig.class.getName());

    public SecurityFilterChain apiFilterChain(HttpSecurity http,
            AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter,
            OBOpenIdConnectFilter oBOpenIdConnectFilter, UnauthorizedEntryPoint unauthorizedEntryPoint)
            throws Exception {
        http.authorizeHttpRequests(authorize -> {
            try {
            } catch (Exception e) {
        }).cors(cors -> cors.configurationSource(this::apiConfigurationSource)).csrf(csrf -> csrf.disable())
                .addFilterBefore(authenticationTokenProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(oBOpenIdConnectFilter, UsernamePasswordAuthenticationFilter.class)
                        exceptionHandling -> exceptionHandling.authenticationEntryPoint(unauthorizedEntryPoint));

    public AuthenticationManager authenticationManager(UserDetailsService mongoDBConnection,
            PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();

        return new ProviderManager(authenticationProvider);

    CorsConfiguration apiConfigurationSource(HttpServletRequest request) {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setExposedHeaders(Arrays.asList("sdpauth, sdprefreshtoken"));
        configuration.setAllowedHeaders(Arrays.asList("*", "Content-Type", "Pragma", "Origin", "Authorization", "party",
                "X-XSRF-TOKEN", "X-Requested-With", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers",
                "Accept", "Access-Control-Allow-Credentials", "X-Auth-Token", "version", "cache"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
        return configuration;

    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();

    public AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter(UserDetailsService userService) {
        return new AuthenticationTokenProcessingFilter(userService);

I dont know exactly what change I need to make. in the CORS configuration as the other normal requests are working fine.

Edit: I did some debugging and found that request is not even reaching the spring layer. Tomcat takes the request as deceptive request routing or malformed and throws 400 bad request error. I also have a doubt on jersey 3 changes. But I couldn't find any error or warnings in log.

HTTP Status 400 – Bad Request
Type: Status Report
Description: The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).


I just found out that I used StrictHttpFirewall in my configuration. Instead I used DefaultHttpFirewall and it worked just fine.

public HttpFirewall defaultHttpFirewall() {
    return new DefaultHttpFirewall();

I realize you may be looking into this also, but I'd like to emphasize that the ideal would be to correct the URLs to not have a double-slash in them.

However, you can in the meantime configure the HttpFirewall to allow that pattern like so:

HttpFirewall httpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    return firewall;