---
title: URL handling
description: Java Agent has a secure-by-default approach to handling incoming request URLs. Learn more in Path traversal attempts.
component: java-agents
version: 2025.11
page_id: java-agents:user-guide:url-handling
canonical_url: https://docs.pingidentity.com/java-agents/2025.11/user-guide/url-handling.html
---

# URL handling

Java Agent has a secure-by-default approach to handling incoming request URLs. Learn more in [Path traversal attempts](../security-guide/threats.html#path-traversal-attempts).

Consider the following when configuring URL handling:

* [Not-enforced rules](not-enforced-rules.html) and [AM policies](pep.html) are evaluated against normalized paths with the path parameters removed.

* Encoded characters are case-insensitive. For example, `%2E` and `%2e` are handled in the same way.

Configure URL handling using the properties listed in [Configure behaviour](../properties-reference/preface.html#properties_by_function) in the *Properties reference*. Configure the following URL handling rules:

* Character handling strategy properties

  The following properties control how certain characters are handled in incoming URL paths:

  * [Control Handling of the URL Encoded Sequence %2e](../properties-reference/org.forgerock.agents.percent.2e.handling.strategy.html)

  * [Control Handling of the URL Encoded Sequence %2f](../properties-reference/org.forgerock.agents.percent.2f.handling.strategy.html)

  * [Control Handling of the URL Encoded Sequence %3b](../properties-reference/org.forgerock.agents.percent.3b.handling.strategy.html)

  * [Control Handling of the URL Encoded Sequence %5c](../properties-reference/org.forgerock.agents.percent.5c.handling.strategy.html)

  * [Control Handling of the Backslash Character](../properties-reference/org.forgerock.agents.backslash.handling.strategy.html)

  These properties are set to `REJECT_OUTRIGHT` by default, meaning the agent rejects any incoming URLs with an `HTTP 400` response if they contain the specified character in the URL path or path parameters.

  Other available settings are:

  * `ACCEPT_BUT_NOT_INTERPRET`: The agent doesn't change the character and continues processing the request.

  * `ACCEPT_AND_INTERPRET`: The agent replaces the character with its equivalent before processing.

    For encoded characters, other than the encoded backslash, the replacement is the equivalent unencoded character. For the encoded and unencoded backslash, the replacement is a forward slash (`/`).

  |   |   |
  | - | - |
  |   | When the [Control Handling of the URL Encoded Sequence %2f](../properties-reference/org.forgerock.agents.percent.2f.handling.strategy.html) property is set to `ACCEPT_AND_INTERPRET`, the `%2F` character is not replaced within path parameters because this isn't considered a path traversal attempt. For example, `/path/ignored;%2F../path` wouldn't be changed in this scenario. |

* Control Handling of Path Traversal Attempts

  The [Control Handling of Path Traversal Attempts](../properties-reference/org.forgerock.agents.reject.path.traversal.attempts.enabled.html) property controls how path traversal attempts within the URL path are handled.

  By default, this property is set to `false`.

  Set this property to `true` to reject any embedded path traversal attempts with an `HTTP 400` response. This includes the use of `..` or combinations of `.` and `%2E` when they are used as a complete path segment.

* Handle Invalid Escape Sequences

  The [Handle Invalid Escape Sequences](../properties-reference/org.forgerock.agents.reject.invalid.escape.sequences.enabled.html) property controls how encoded control characters and invalid encodings are handled.

  By default, the agent rejects any encoded control characters and invalid encodings detected in the URL path with an `HTTP 400` response. Encoded control characters are characters in the range `%00` to `%1F` inclusive, and `%7F`. Invalid encodings are encodings such as `%G1`.

  Set this property to `false` to allow these characters.

* Strictly enforce the Java Servlet Specification

  The [Strictly enforce the Java Servlet Specification](../properties-reference/org.forgerock.agents.rigourously.enforce.jakarta.servlet.specification.enabled.html) property controls whether the rules specified in the Jakarta Servlet Specification [Request URI Path Processing](https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1#request-uri-path-processing) section are enforced.

  By default, the agent rejects any incoming URLs that don't conform to these rules with an `HTTP 400` response.

  Set this property to `false` to ignore these rules.

* Enable Ignore Path Info

  The [Enable Ignore Path Info](../properties-reference/org.forgerock.agents.ignore.path.info.enabled.html) property controls whether the path info and query are removed from the URL before it is compared with the list of not-enforced URLs when a wildcard character (`*`) is present.

  By default, the agent doesn't change the URL before comparing it with the list of not-enforced URLs if `*` is detected in the URL path.

  Set this property to `true` if you want the agent to remove the path info and query first.
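
The following sketch is an added example, not Ping Identity code: it models the character handling strategies, the path traversal check and the invalid escape sequence check described above, so candidate paths can be checked offline before a property is relaxed. The `handle_path` function, its arguments and the token-keyed `strategies` map are hypothetical; checking traversal on the raw path and treating only two-dot segments as traversal are assumptions.

```python
import re

# Model of the rules documented on this page, not the agent's implementation.
# REPLACEMENT: what each token becomes under ACCEPT_AND_INTERPRET.
REPLACEMENT = {"%2e": ".", "%2f": "/", "%3b": ";", "%5c": "/", "\\": "/"}
TOKEN = re.compile(r"%2e|%2f|%3b|%5c|\\", re.IGNORECASE)
# Encoded control characters (%00-%1F, %7F) and invalid encodings such as %G1.
BAD_ESCAPE = re.compile(r"%[01][0-9a-f]|%7f|%(?![0-9a-f]{2})", re.IGNORECASE)
# Assumption: a traversal segment is exactly two dots, each "." or "%2E".
TRAVERSAL = re.compile(r"(?:\.|%2e){2}", re.IGNORECASE)

def handle_path(path, strategies=None, reject_traversal=False,
                reject_invalid_escapes=True):
    """Return None if the path would get HTTP 400, else the path after
    character handling. `strategies` (hypothetical) maps a lowercase token
    to a strategy name; unlisted tokens use the default REJECT_OUTRIGHT."""
    strategies = strategies or {}

    def strategy(token):
        return strategies.get(token.lower(), "REJECT_OUTRIGHT")

    if reject_invalid_escapes and BAD_ESCAPE.search(path):
        return None
    if any(strategy(m.group()) == "REJECT_OUTRIGHT" for m in TOKEN.finditer(path)):
        return None
    segments = path.split("/")
    # Assumption: traversal is checked on the raw segments.
    if reject_traversal and any(TRAVERSAL.fullmatch(s) for s in segments):
        return None

    def interpret(text, in_params):
        def replace(m):
            token = m.group().lower()
            # %2F inside path parameters is left alone (documented exception).
            if strategy(token) != "ACCEPT_AND_INTERPRET" or (in_params and token == "%2f"):
                return m.group()
            return REPLACEMENT[token]
        return TOKEN.sub(replace, text)

    handled = []
    for segment in segments:
        name, sep, params = segment.partition(";")
        handled.append(interpret(name, False) + sep + interpret(params, True))
    return "/".join(handled)

if __name__ == "__main__":
    # Constructed sample paths.
    for p in ("/app/%2E%2E/admin", "/app/%G1", "/app/index.html"):
        print(p, "->", handle_path(p))
```

With the defaults, a literal `/app/../admin` passes through unchanged, which is why the path traversal property matters once any `%2e` strategy is relaxed.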
