Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS

Finally figured out the cause of this (both for JBoss and Apache). Both applications intentionally reject URIs with an encoded slash (%2F for / and %5C for \) to prevent possible security vulnerabilities.

Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

http://securitytracker.com/id/1018110 (Look at section 4. Solution)

And here are the instructions they provide for re-enabling encoded slashes and backslashes in JBoss (i.e. turning the rejection off):

Note: In response to CVE-2007-0450, JBoss AS considers encoded slashes and backslashes in URLs invalid and their use will result in an HTTP 400 error. It is possible to allow encoded slashes and backslashes by following the steps outlined below, however doing so will expose you to CVE-2007-0450 related attacks:

a) If you use the /var/lib/jbossas/bin/run.sh setup, please edit /etc/jbossas/run.conf and append

-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

to the string assigned to JAVA_OPTS.

b) If you use the init script setup to run multiple JBoss AS services and you wish to allow encoding by default on all services, please edit /etc/jbossas/jbossas.conf and add the line

JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

c) If you use the init script setup to run multiple JBoss AS services and want to allow encoding of slashes and backslashes for a particular service, please edit /etc/sysconfig/${NAME} (where NAME is the name of your service) and add the line

JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
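To make the reasoning behind the 400 concrete, here is a small model of the container's decision, added for this post and not taken from JBoss or Tomcat: it contrasts decoding the path before splitting it into segments (where %2F silently becomes a segment boundary) with splitting first, and shows how the two JVM flags above change the outcome. The container_check function and its flag names are a simplified stand-in for the real UDecoder/CoyoteAdapter checks.

```python
# Added illustration for this post; a simplified model, not JBoss/Tomcat code.
from typing import List, Optional, Tuple
from urllib.parse import unquote


def decode_then_split(raw_path: str) -> List[str]:
    """Unsafe order: percent-decode the whole path, then split on '/'.
    An encoded slash (%2F) turns into a new segment boundary after decoding."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def split_then_decode(raw_path: str) -> List[str]:
    """Safe order: split on the literal '/' first, decode each segment after.
    %2F stays inside its segment and cannot change which resource is routed."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def container_check(raw_path: str,
                    allow_encoded_slash: bool = False,
                    allow_backslash: bool = False) -> Tuple[int, Optional[List[str]]]:
    """Models the JBoss default described in the post: %2F or %5C anywhere in
    the raw path -> HTTP 400 before any routing happens.
    allow_encoded_slash stands in for UDecoder.ALLOW_ENCODED_SLASH,
    allow_backslash stands in for CoyoteAdapter.ALLOW_BACKSLASH (simplified:
    a backslash left in a decoded segment is rejected unless allowed).
    Returns (status, segments); segments is None when the request is rejected."""
    lowered = raw_path.lower()
    if not allow_encoded_slash and ("%2f" in lowered or "%5c" in lowered):
        return 400, None
    segments = split_then_decode(raw_path)
    if not allow_backslash and any("\\" in seg for seg in segments):
        return 400, None
    return 200, segments


if __name__ == "__main__":
    # Constructed sample paths: a file name that legitimately contains a slash.
    for path in ("/files/report%2F2024.pdf", "/files/a%5Cb", "/files/plain.pdf"):
        print(path, decode_then_split(path), split_then_decode(path),
              container_check(path), container_check(path, True, True))
```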

For Apache, it's as simple as setting "AllowEncodedSlashes NoDecode" somewhere in your Apache conf or vhost conf (it doesn't work in an .htaccess, however).

Apache link: http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes
