Sorry for being a bit late to the party. Thanks Barry for reporting
and already proposing a patch. Yes, it really seems it's a feature of
Shiro. I do find it a bit funny though (yes, I'm a Shiro committer
but haven't been on board from the beginning) that it's the default
behavior and that there's no configurable option to make it case
insensitive even if this is never an issue if your resource urls are
case sensitive. Regardless, Tapestry treating urls as case insensitive
makes this a bug in tapestry-security. Lowercasing all urls repeatedly
incurs a performance penalty, so I'll make this configurable (you may
have url normalizers etc. running in front of Tapestry app). I'll open
an issue against Shiro, but will have a fix for tapestry-security
available sooner than that. The turn-around time for modifying and
releasing tap-sec is quite a bit faster than for Shiro. And just a
note on annotations vs url matching - I always suggest using both if
you are serious about security.

Kalle


On Fri, Feb 4, 2011 at 4:32 AM, Barry Books <trs...@gmail.com> wrote:
> First I'd like to say the Tynamo-Security/Shiro package is great, but
> I've run into a simple problem I'm not sure how to solve. I don't
> think it's really a Tynamo problem but an interaction between how
> Shiro expects URLs to work and Tapestry case insensitive URLs. I was
> working on a simple site with an admin account and an admin directory
> so I added the following to the shiro.ini file:
>
> [urls]
> /admin/** = authc, roles[administrator]
>
> The problem is if you go to /Admin the authentication is bypassed
> because /admin != /Admin. I realize this is a feature but it does not
> seem very desirable. I also realize I could annotate all my admin
> pages and fix this but that's some amount of work and error prone. I
> looked thru the Shiro docs and I don't see any way to do a case
> insensitive match. I thought I might be able to fix this with a
> URLRewriter and map /Admin to /admin but that does not seem to work
> either.
>
> Am I missing something? Is there any simple way to resolve this?
>
> Thanks
> Barry
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
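
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Shiro or tapestry-security code: a case-sensitive rule lookup for the quoted `/admin/**` entry, run with and without lowercasing the request path first. The matcher is a simplified stand-in for ant-style matching, and the class name, method names and the `lowercaseBeforeMatch` switch are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration; the names here are hypothetical, not Shiro or tapestry-security API.
public class UrlCaseMatchDemo {

    // Same rule as the [urls] section quoted in the thread.
    static final Map<String, String> URL_RULES = new LinkedHashMap<>();
    static {
        URL_RULES.put("/admin/**", "authc, roles[administrator]");
    }

    // Simplified stand-in for ant-style matching: only a trailing "/**" is
    // supported, and the comparison is case sensitive.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Returns the filter chain that applies to the path, or null when no rule
    // matches and the request would proceed without the authc/roles filters.
    static String resolveChain(String path, boolean lowercaseBeforeMatch) {
        // Locale.ROOT keeps the result independent of the JVM default locale
        // (for example the Turkish dotless i).
        String candidate = lowercaseBeforeMatch ? path.toLowerCase(Locale.ROOT) : path;
        for (Map.Entry<String, String> rule : URL_RULES.entrySet()) {
            // Lowercase the pattern too, so a rule written as "/Admin/**" still matches.
            String pattern = lowercaseBeforeMatch
                    ? rule.getKey().toLowerCase(Locale.ROOT) : rule.getKey();
            if (matches(pattern, candidate)) {
                return rule.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] requests = {"/admin/users", "/Admin/users", "/ADMIN", "/about"};
        for (String path : requests) {
            System.out.printf("%-14s as-is: %-30s lowercased: %s%n", path,
                    resolveChain(path, false), resolveChain(path, true));
        }
    }
}
```

The per-request `toLowerCase` call is the repeated cost mentioned in the reply above, which is why the example makes it a switch rather than unconditional.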
