spring mvc - java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name

Question

I have a Spring MVC application running on Tomcat8. Once in a day or two I get an exception in my log file

15-Jun-2016 10:43:39.832 INFO [http-nio-8080-exec-50] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
    at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:228)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

does anybody have an idea what this might be?

Answer 1

This error is caused by malformed HTTP request. In most cases this message is misleading because this error usually happens when you are trying to access unsecured page through https. Tomcat doesn't know that incoming request is encrypted and is trying to interpret this request as plain, unsecured http request.

This is how it could look in logs:

Standard, proper HTTP request (http://localhost:8080)

Received [GET /index.html HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl,en-US;q=0.8,en;q=0.6
Cookie: Idea-xxxxx; JSESSIONID=3dxxxxx

] 

HTTPS request (https://localhost:8080)

Received [1μH?;?!P@<?
                                                                                                                                #|vFBb-?i?/5
j?

                   hhttp/1.1uP
                               
] 

As you can see in second request, there are unknown chars instead of proper HTTP method name (e.g. GET)

So if your server has no SSL configuration and error occurs "once in a day or two", then probably someone is trying to reach your website through https (probably some kind of bot)

Eventually someone is trying to send nonsecured but malformed plain HTTP request (through his own application - bot or other custom client).