Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-184

ShiroFilterFactoryBean 'filterChainDefinitions' property does not retain URL path matching order

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.0.0
    • 1.1.0
    • Integration: Spring
    • None

    Description

      Workaround until the next point release: use the 'filterChainDefinitionMap' property instead - it does retain correct path matching order.

      The problem: the current 'setFilterChainDefinitions' implementation uses a java.util.Properties object to load the text block into key/value pairs. Unlike a LinkedHashMap, Properties do not retain definition order. For example, the following chain definitions would fail:

      / = anon
      /UIDL/ = anon
      /** authc

      In a simple test, the pattern matcher first evaluated a /UIDL/ request against /, which didn't match. It then tried to match the request against /** which did match. However, this is incorrect behavior, because there is a /UIDL/ chain defined which was never matched, resulting in a denied request, even though there is a validly defined (and ordered) pattern for it.

      Attachments

        1. shiro-jsecurity.patch
          4 kB
          Mathieu Carbou

        Issue Links

          depends upon

          Bug - A problem which impairs or prevents the functions of the product. SHIRO-197 Ini and Ini.Section should retain key-value definition order

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              Unassigned Unassigned
              lhazlewood Les Hazlewood
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: