This behavior is introduced in all major Tomcat releases:
- Tomcat 7.0.73, 8.0.39, 8.5.7
To fix, do one of the following:
- set
relaxedQueryCharsto allow this character
(recommended, see Lincoln’s answer) - set
requestTargetAllowoption
(deprecated in Tomcat 8.5) (see Jérémie’s answer). - you can downgrade to one of older versions (not recommended – security)
Based on changelog, those changes could affect this behavior:
Tomcat 8.5.3:
Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response
Tomcat 8.5.7:
Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner.
The best option (following the standard) – you want to encode your URL on client:
encodeURI("http://localhost:8080/app/handleResponse?msg=name|id|")
> http://localhost:8080/app/handleResponse?msg=name%7Cid%7C
or just query string:
encodeURIComponent("msg=name|id|")
> msg%3Dname%7Cid%7C
It will secure you from other problematic characters (list of invalid URI characters).