+1 Can you create a JIRA issue for this? https://issues.apache.org/jira/browse/SHIRO/
On Sun, Sep 4, 2016 at 11:13 PM, mark <[email protected]> wrote:
> I am using Shiro 1.3.1 to protect a web application running on tomcat 7.0.70.
> I have an issue with security caused by the pattern matching that happens in
> WebUtils.getPathWithinApplication()
>
> If I access my application using a url like:
>
> http://localhost:8080//context/path/Action.action
>
> (note the double // after the port):
>
> This causes shiro to not match any of my [urls]
>
> The cause of this appears to be in WebUtils.getPathWithinApplication()
>
> in WebUtils.getContextPath()
> request.getContextPath() returns //context
> which is left as //context
>
> In WebUtils.getRequestUri()
> request.getRequestURI() returns //context/path/Action.action
> this is then sanitized in the WebUtils.normalize() method to return
> /context/path/Action.action.
>
> WebUtils.getPathWithinApplication then compares the 2 values with:
>
> if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
>
> Which doesn't match.
>
> So the method returns /context/path/Action.action instead of
> /path/Action.action
>
> Because all the matching URLS are /path/** they don't match the
> /context/path
>
> So PathMatchingFilterChainResolver.getChain() doesn't return any chains.
>
> It seems to me that the contextPath should also be passed through the
> normalize() method to remove the leading //
>
> Regards
> Mark
>
> --
> View this message in context:
> http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424.html
> Sent from the Shiro Developer mailing list archive at Nabble.com.
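To make the mismatch Mark describes concrete, here is a small Python model of the comparison (an added example written for this thread, not Shiro's own code): `normalize` approximates what `WebUtils.normalize()` does to a path, `path_within_application` mirrors the `startsWithIgnoreCase` check, and the `normalize_context` flag switches between the reported behaviour and Mark's proposed fix of normalizing the context path too. The `chain_matches` helper and the sample URLs are constructed for the example.

```python
def normalize(path):
    """Approximation of WebUtils.normalize(): collapse duplicate slashes and
    resolve '.' / '..' segments. Returns None when '..' would climb above root."""
    if path is None:
        return None
    if not path.startswith("/"):
        path = "/" + path
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    while "/../" in path:
        idx = path.index("/../")
        if idx == 0:
            return None  # attempt to escape the root: reject the path
        prev = path.rfind("/", 0, idx)
        path = path[:prev] + path[idx + 3:]
    return path


def path_within_application(request_uri, context_path, normalize_context=False):
    """Mirror of the check in WebUtils.getPathWithinApplication().
    normalize_context=False reproduces the reported bug: only the request URI
    is normalized, so '//context' never prefixes '/context/...'.
    normalize_context=True applies the proposed fix."""
    uri = normalize(request_uri)
    ctx = normalize(context_path) if normalize_context else context_path
    if uri.lower().startswith(ctx.lower()):
        rest = uri[len(ctx):]
        return rest if rest else "/"
    return uri  # no common prefix: the whole URI comes back unchanged


def chain_matches(path, pattern_prefix="/path/"):
    """Stand-in for a '/path/**' entry in the [urls] section (constructed)."""
    return path.startswith(pattern_prefix)


if __name__ == "__main__":
    # Request arriving as http://localhost:8080//context/path/Action.action
    uri, ctx = "//context/path/Action.action", "//context"
    buggy = path_within_application(uri, ctx)
    fixed = path_within_application(uri, ctx, normalize_context=True)
    print("as reported:", buggy, "-> chain matches:", chain_matches(buggy))
    print("with fix:   ", fixed, "-> chain matches:", chain_matches(fixed))
```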
