Mark Bortolazzo created SHIRO-584:
-------------------------------------

             Summary: URL path matching issue with WebUtils.getPathWithinApplication
                 Key: SHIRO-584
                 URL: https://issues.apache.org/jira/browse/SHIRO-584
             Project: Shiro
          Issue Type: Bug
          Components: Authorization (access control) 
    Affects Versions: 1.3.1
         Environment: Shiro 1.3.1, Tomcat 7.0.70
            Reporter: Mark Bortolazzo


Summary:

In WebUtils.getPathWithinApplication:
  - request.getRequestURI() is normalized to remove //, ../, ./, etc.
  - request.getContextPath() is not normalized

When these values are compared to decide which URL authorization rule to use, all existing 
rules are bypassed.


Long Version:

If I access my application using a url like:

http://localhost:8080//context/path/Action.action

(note the double // after the port).

This causes Shiro to not match any of my URLs.

The cause of this appears to be in WebUtils.getPathWithinApplication().

In WebUtils.getContextPath():
  request.getContextPath() returns //context,
  which is left as //context.

In WebUtils.getRequestUri():
  request.getRequestURI() returns //context/path/Action.action;
  this is then sanitized in the WebUtils.normalize() method to return 
  /context/path/Action.action.

WebUtils.getPathWithinApplication then compares the two values with:

if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))

which doesn't match.

So the method returns /context/path/Action.action instead of /path/Action.action.

Because all the matching URLs are /path/**, they don't match /context/path.

So PathMatchingFilterChainResolver.getChain() doesn't return any chains.

It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //.

Regards
Mark 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
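The mismatch the report describes, reproduced as an added example that is not Shiro's code: a Tomcat-style normalize(), the same startsWithIgnoreCase comparison, a minimal Ant-style matcher (a stand-in for Shiro's AntPathMatcher, supporting only exact patterns and a trailing /**), and a constructed, first-match-wins chain table in shiro.ini order. The request URI and context path values are the ones quoted in the report; the chain definitions and the normalize_context switch (the proposed fix, applied to the context path) are assumptions made for illustration.

```python
"""Reimplementation (not Shiro's code) of the path-within-application logic
described in SHIRO-584, to show how an unnormalized context path makes the
filter-chain lookup miss every configured rule."""
from typing import List, Optional, Tuple


def normalize(path: Optional[str]) -> Optional[str]:
    """Tomcat-style normalization in the spirit of WebUtils.normalize():
    backslashes become '/', a leading '/' is ensured, and '//', '/./' and
    '/../' segments are resolved. Returns None when '..' would climb above
    the root (a traversal attempt)."""
    if path is None:
        return None
    p = path.replace("\\", "/")
    if p == "/.":
        return "/"
    if not p.startswith("/"):
        p = "/" + p
    while "//" in p:                       # collapse repeated slashes
        i = p.index("//")
        p = p[:i] + p[i + 1:]
    while "/./" in p:                      # drop current-directory segments
        i = p.index("/./")
        p = p[:i] + p[i + 2:]
    while "/../" in p:                     # resolve parent-directory segments
        i = p.index("/../")
        if i == 0:
            return None
        j = p.rfind("/", 0, i)
        p = p[:j] + p[i + 3:]
    return p


def get_path_within_application(request_uri: str, context_path: str,
                                normalize_context: bool) -> Optional[str]:
    """Mirrors the comparison quoted in the report: the request URI is always
    normalized; the context path only when normalize_context is True, which
    is the fix the report proposes (assumption: this is the whole change)."""
    ctx = normalize(context_path) if normalize_context else context_path
    if ctx is None or ctx == "/":
        ctx = ""
    uri = normalize(request_uri)
    if uri is not None and uri.lower().startswith(ctx.lower()):
        path = uri[len(ctx):]
        return path if path.strip() else "/"
    return uri                             # no prefix match: returned unchanged


def ant_match(pattern: str, path: str) -> bool:
    """Tiny subset of Ant-style matching: an exact pattern, or a trailing
    '/**' that matches the prefix itself and anything below it."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


# Constructed chain definitions (hypothetical shiro.ini [urls] section).
CHAIN_DEFINITIONS: List[Tuple[str, str]] = [
    ("/login", "anon"),
    ("/path/**", "authc, roles[admin]"),
]


def resolve_chain(request_uri: str, context_path: str,
                  normalize_context: bool) -> Optional[str]:
    """First matching pattern wins, as in PathMatchingFilterChainResolver.
    None means no chain matched, so no filter runs for the request."""
    app_path = get_path_within_application(request_uri, context_path, normalize_context)
    if app_path is None:
        return None
    for pattern, chain in CHAIN_DEFINITIONS:
        if ant_match(pattern, app_path):
            return chain
    return None


if __name__ == "__main__":
    # The request from the report: double slash after the port, context "/context".
    uri, ctx = "//context/path/Action.action", "//context"
    for fix in (False, True):
        print("normalize context:", fix,
              "| path:", get_path_within_application(uri, ctx, fix),
              "| chain:", resolve_chain(uri, ctx, fix))
```

With normalize_context False the path stays /context/path/Action.action and no chain is found, which is the bypass; with the context path normalized the same request resolves to /path/Action.action and hits the authc chain. The ant_match helper is deliberately minimal and is not a substitute for the real matcher when testing other pattern shapes.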