I have created an issue here: https://issues.apache.org/jira/browse/SHIRO-584

I'm currently using this at the end of my shiro.ini to stop authorisation bypass. It just dumps any access via // to nowhere:

#this is for an issue in Shiro that lets // bypass the urls
//** = authc, roles[NoUsers]
#we should never hit this one because we should always match something else
/** = authc, roles[administrator]

Regards
Mark

On 07/09/16 03:17, Brian Demers [via Shiro Developer] wrote:
> +1
> Can you create a JIRA issue for this?
> https://issues.apache.org/jira/browse/SHIRO/
>
> On Sun, Sep 4, 2016 at 11:13 PM, mark <[hidden email]> wrote:
>
> > I am using Shiro 1.3.1 to protect a web application running on
> > Tomcat 7.0.70.
> > I have an issue with security caused by the pattern matching that
> > happens in WebUtils.getPathWithinApplication()
> >
> > If I access my application using a URL like:
> >
> > http://localhost:8080//context/path/Action.action
> >
> > (note the double // after the port):
> >
> > This causes Shiro not to match any of my [urls]
> >
> > The cause of this appears to be in WebUtils.getPathWithinApplication()
> >
> > in WebUtils.getContextPath()
> > request.getContextPath() returns //context
> > which is left as //context
> >
> > In WebUtils.getRequestUri()
> > request.getRequestURI() returns //context/path/Action.action
> > this is then sanitized in the WebUtils.normalize() method to return
> > /context/path/Action.action.
> >
> > WebUtils.getPathWithinApplication then compares the 2 values with:
> >
> > if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
> >
> > Which doesn't match.
> >
> > So the method returns /context/path/Action.action instead of
> > /path/Action.action
> >
> > Because all the matching URLs are /path/** they don't match the
> > /context/path
> >
> > So PathMatchingFilterChainResolver.getChain() doesn't return any
> > chains.
> >
> > It seems to me that the contextPath should also be passed through the
> > normalize() method to remove the leading //
> >
> > Regards
> > Mark
> >
> > --
> > View this message in context:
> > http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424.html
> > Sent from the Shiro Developer mailing list archive at Nabble.com.

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424p7579431.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
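The path computation described in the thread, modelled in Python as an added example that is not Shiro's code and not part of the original messages. The normalize() function, the "/**" matcher and the chain lists are simplified stand-ins for WebUtils.normalize(), Shiro's Ant-style matcher and the [urls] section, and the request URI and context path values are taken from the report. The model shows which path Shiro ends up matching against when the context path is compared as-is versus when it is normalized too (the fix proposed in the thread), and why a trailing catch-all /** chain, like the last entry in the shiro.ini above, stops an unmatched request from passing through with no filter chain at all.

```python
"""Model of WebUtils.getPathWithinApplication() behaviour for a request
whose URI starts with '//' (added example; not Shiro's implementation)."""
from typing import List, Optional, Tuple


def normalize(path: str) -> Optional[str]:
    """Simplified stand-in for WebUtils.normalize(): collapses repeated
    slashes, drops '/./' segments and resolves '/../' segments.
    Returns None if the path would climb above the application root."""
    normalized = path.replace("\\", "/")
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/")
    while True:
        idx = normalized.find("/../")
        if idx < 0:
            return normalized
        if idx == 0:
            return None  # '/../x' would escape the root
        parent = normalized.rfind("/", 0, idx)
        normalized = normalized[:parent] + normalized[idx + 3:]


def path_within_application(request_uri: str, context_path: str,
                            normalize_context: bool = False) -> str:
    """Mirrors the comparison quoted in the thread: the request URI is
    normalized, the context path is used as-is (current behaviour) or
    normalized too (normalize_context=True, the proposed fix)."""
    uri = normalize(request_uri)
    ctx = normalize(context_path) if normalize_context else context_path
    if uri.lower().startswith(ctx.lower()):
        remainder = uri[len(ctx):]
        return remainder if remainder.strip() else "/"
    return uri  # URI does not contain the context path: returned unchanged


def matches(pattern: str, path: str) -> bool:
    """Simplified '/prefix/**' matcher (Shiro uses a full Ant-style one)."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def resolve_chain(chains: List[Tuple[str, str]], path: str) -> Optional[str]:
    """First matching chain wins, as PathMatchingFilterChainResolver does.
    None means no chain applies and the request is not filtered at all."""
    for pattern, chain in chains:
        if matches(pattern, path):
            return chain
    return None


# Constructed [urls]-style chains: the application's real rule, and the
# same rule followed by a deny-by-default catch-all.
CHAINS = [("/path/**", "authc, roles[user]")]
CHAINS_WITH_CATCHALL = CHAINS + [("/**", "authc, roles[administrator]")]


def demo(request_uri: str = "//context/path/Action.action",
         context_path: str = "//context") -> dict:
    """For both behaviours, return (path matched against,
    chain without catch-all, chain with catch-all)."""
    results = {}
    for fixed in (False, True):
        app_path = path_within_application(request_uri, context_path, fixed)
        results[fixed] = (app_path,
                          resolve_chain(CHAINS, app_path),
                          resolve_chain(CHAINS_WITH_CATCHALL, app_path))
    return results


if __name__ == "__main__":
    for fixed, (app_path, plain, catchall) in demo().items():
        print(f"context normalized={fixed}: path={app_path!r} "
              f"chain={plain!r} with catch-all={catchall!r}")
```

With the context path left as //context the model returns /context/path/Action.action and no chain matches, which is the unfiltered case from the report; with the catch-all present that same request at least falls into the restrictive chain. Normalizing the context path yields /path/Action.action and the intended /path/** chain is selected.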
