This is why I said use a default denial at the end of the [urls] section: /** = denyAccessFilter
If no filter has matched by the time the last entry is reached, the request is denied there.

On Fri, Feb 26, 2016 at 2:17 PM, Mohit Srivastava <[email protected]> wrote:

> Alex, I have that behaviour.
> But think about a case: I have added a new call in the server, "/rest/blah",
> but I haven't added it in shiro.ini (by mistake). In that case, if I
> try to access "/rest/blah", shiro will allow it.
> But as a security concern, shiro shouldn't do that. The default nature
> should be "denial".
>
> On Fri, 26 Feb 2016 at 16:20 Alex Ditu <[email protected]> wrote:
>
>> I meant put it last in shiro.ini, in the [urls] section. But you have to
>> match all your other urls. If you have 3 pages, you could do something like
>> this:
>>
>>     [urls]
>>     /page1 = anon
>>     /page2 = authc
>>     /page3 = authc
>>
>>     #anything else
>>     /** = forbbidenUrlFilter
>>
>> But you need to specify all the good urls before the last filter, which
>> is hard if you have too many pages.
>>
>> Why do you need this? Isn't your server's default behavior to return 404 if
>> the page isn't found?
>>
>> On Fri, Feb 26, 2016 at 12:42 PM, Mohit Srivastava <[email protected]> wrote:
>>
>>> Alex,
>>>
>>> I already have a filter, but it isn't working. The logic in preHandle
>>> of PathMatchingFilter is to allow the url if it does not match. I override that
>>> logic.
>>> Also, can you please explain what you mean by "put it at last"?
>>>
>>>     import javax.servlet.ServletRequest;
>>>     import javax.servlet.ServletResponse;
>>>
>>>     import org.apache.shiro.web.filter.PathMatchingFilter;
>>>     import org.apache.shiro.web.util.WebUtils;
>>>     import org.slf4j.Logger;
>>>     import org.slf4j.LoggerFactory;
>>>
>>>     public class ForbiddenUrlFilter extends PathMatchingFilter
>>>     {
>>>         private static final Logger log =
>>>             LoggerFactory.getLogger(ForbiddenUrlFilter.class);
>>>
>>>         // Inverts the PathMatchingFilter default: only a request whose
>>>         // URI matches one of this filter's configured paths continues;
>>>         // anything else is answered with 404.
>>>         @Override
>>>         protected boolean preHandle(final ServletRequest request,
>>>                                     final ServletResponse response) throws Exception {
>>>             if (appliedPaths == null || appliedPaths.isEmpty()) {
>>>                 return true;
>>>             }
>>>
>>>             for (final String path : appliedPaths.keySet()) {
>>>                 if (pathsMatch(path, request)) {
>>>                     log.trace("Current requestURI matches pattern '{}'. "
>>>                             + "Determining filter chain execution...", path);
>>>                     return true;
>>>                 }
>>>             }
>>>             WebUtils.toHttp(response).sendError(404);
>>>             return false;
>>>         }
>>>     }
>>>
>>> On Fri, 26 Feb 2016 at 15:52 Alex Ditu <[email protected]> wrote:
>>>
>>>> Use a filter to redirect the request or tell the user that the path
>>>> doesn't exist, put it last, and make it match everything, like this:
>>>>
>>>>     [urls]
>>>>     ...
>>>>     /** = yourFilterForBadPath
>>>>
>>>> On Thu, Feb 25, 2016 at 11:26 PM, Mohit Srivastava <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Shiro's default behaviour for a path mismatch is nothing. I mean if a
>>>>> request url path doesn't match anything defined in the filter chain, shiro
>>>>> used to pass it instead of failing.
>>>>>
>>>>> Is there a way I can simply reject those paths which are not defined in
>>>>> the filterchain?
>>>>>
>>>>> Thanks & Regards,
>>>>> Mohit
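The default-deny filter that the final reply refers to, written out as an added example (it is not code from this thread or from Shiro itself). Unlike the quoted ForbiddenUrlFilter, it does not re-check its own path pattern, which is why a trailing "/**" entry actually denies; the package name, class name and the "denyAccess" filter name in the ini are assumptions.

```java
package com.example.shiro; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Catch-all filter for the last [urls] entry. Shiro resolves a request to the
 * first chain definition whose pattern matches, so any URL not claimed by an
 * earlier, more specific line lands here and is denied without looking at the
 * pattern again (a PathMatchingFilter mapped to "/**" would match and allow).
 *
 * Wiring in shiro.ini (constructed example):
 *
 *   [main]
 *   denyAccess = com.example.shiro.DenyAccessFilter
 *
 *   [urls]
 *   /login = authc
 *   /rest/orders/** = authc, roles[user]
 *   # must stay last: every unlisted path, including endpoints added
 *   # without an [urls] entry, ends up in this chain
 *   /** = denyAccess
 */
public class DenyAccessFilter extends AccessControlFilter {

    private static final Logger log = LoggerFactory.getLogger(DenyAccessFilter.class);

    /** Always deny: reaching this filter means the URL was not listed above it. */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        return false;
    }

    /** Answer 404 like a missing page, and log so unlisted endpoints can be spotted. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        log.warn("Denied request to unlisted path '{}'; add an [urls] entry if it is real", path);
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_NOT_FOUND);
        return false; // stop the chain; the response has been committed
    }
}
```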
