[ https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shilpi Das updated SHIRO-621:
-----------------------------
    Description:
The following filter chains are present in configureShiroWeb() function

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.
I have also tried using Shiro 1.4.0 with Guice 4.0.

With Shiro 1.4.0 and Guice 4.0:
The {{ShiroWebModule}} class is creating a randomly ordered path to config map in {{filterToPathToConfig}}, because it's using a HashMap instead of a LinkedHashMap.

The offending line is here:
[https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144] #L161

This should be a LinkedHashMap to maintain original user order.

  was:
The following filter chains are present in configureShiroWeb() function

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.
I have also tried using Shiro 1.4.0 with Guice 4.0.

With Shiro 1.4.0 and Guice 4.0:
{{The ShiroWebModule class is creating a randomly ordered path to config map in filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.}}

The offending line is here:
[https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144] #161

This should be a LinkedHashMap to maintain original user order.


> REST filter bypassing matched path
> ----------------------------------
>
>                 Key: SHIRO-621
>                 URL: https://issues.apache.org/jira/browse/SHIRO-621
>             Project: Shiro
>          Issue Type: Bug
>          Components: Integration: Guice
>    Affects Versions: 1.4.0-RC2, 1.4.0
>         Environment: Google App Engine
>            Reporter: Shilpi Das
>            Assignee: Jared Bunting
>            Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC),
> filterConfig(REST, "X"));
> addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST,
> "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third,
> the first filter is bypassed and the access is granted for a user with
> permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.
> With Shiro 1.4.0 and Guice 4.0:
> The {{ShiroWebModule}} class is creating a randomly ordered path to config
> map in {{filterToPathToConfig}}, because it's using a HashMap instead of a
> LinkedHashMap.
> The offending line is here:
>
> [https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
> #L161
> This should be a LinkedHashMap to maintain original user order.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
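
A simplified model of the ordering problem this report describes, added here as an example; it is not Shiro's code and not the reporter's. It assumes the first pattern reached while iterating the path-to-config map decides the required permission. The class `FilterChainOrderDemo`, the reduced `**` matcher and the `requiredPermission` and `register` helpers are hypothetical names.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical demo class; a simplified model, not Shiro's implementation.
public class FilterChainOrderDemo {
    // Simplified Ant-style matching: "**" spans zero or more path segments,
    // every other segment must match literally.
    static boolean matches(String pattern, String path) {
        return match(pattern.split("/"), 0, path.split("/"), 0);
    }

    private static boolean match(String[] pat, int i, String[] seg, int j) {
        if (i == pat.length) return j == seg.length;
        if (pat[i].equals("**")) {
            for (int k = j; k <= seg.length; k++) {
                if (match(pat, i + 1, seg, k)) return true;
            }
            return false;
        }
        return j < seg.length && pat[i].equals(seg[j]) && match(pat, i + 1, seg, j + 1);
    }

    // Assumption: the first pattern reached in iteration order decides the permission.
    static String requiredPermission(Map<String, String> pathToConfig, String path) {
        for (Map.Entry<String, String> e : pathToConfig.entrySet()) {
            if (matches(e.getKey(), path)) return e.getValue();
        }
        return null; // no chain matched
    }

    static void register(Map<String, String> pathToConfig) {
        // Same registration order as the two addFilterChain calls in the report.
        pathToConfig.put("/**/first/second/third/**", "X");
        pathToConfig.put("/**/first/**", "Y");
    }

    public static void main(String[] args) {
        String path = "/v1/first/second/third"; // request path from the report
        Map<String, String> ordered = new LinkedHashMap<>();
        Map<String, String> hashed = new HashMap<>();
        register(ordered);
        register(hashed);
        // LinkedHashMap iterates in registration order: the specific chain is reached first.
        System.out.println("LinkedHashMap -> " + requiredPermission(ordered, path));
        // HashMap iterates by hash bucket; registration order is not preserved.
        System.out.println("HashMap -> " + requiredPermission(hashed, path) + " via " + hashed.keySet());
    }
}
```

Both patterns match the request path, so whichever one the map yields first determines whether permission X or Y is enforced; a regression test for a fix can assert that the more specific chain wins for this path.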