SHIRO-184: ShiroFilterFactoryBean 'filterChainDefinitions' property does not retain URL path matching order

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0
    • Fix Version/s: 1.1.0
    • Component/s: Integration: Spring
    • Labels:
      None

      Description

      Workaround until the next point release: use the 'filterChainDefinitionMap' property instead - it does retain correct path matching order.

      The problem: the current 'setFilterChainDefinitions' implementation uses a java.util.Properties object to load the text block into key/value pairs. Unlike a LinkedHashMap, Properties do not retain definition order. For example, the following chain definitions would fail:

      / = anon
      /UIDL/ = anon
      /** = authc

      In a simple test, the pattern matcher first evaluated a /UIDL/ request against /, which didn't match. It then tried to match the request against /** which did match. However, this is incorrect behavior, because there is a /UIDL/ chain defined which was never matched, resulting in a denied request, even though there is a validly defined (and ordered) pattern for it.
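The ordering problem described above, as an added example that is not part of the original report or of Shiro's code: it loads the three definitions through java.util.Properties and through an order-preserving parse into a LinkedHashMap, then applies first-match-wins to a /UIDL/ request. The class name, the `matches` helper (a simplified stand-in for Shiro's Ant-style path matcher) and `parseOrdered` are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class ChainOrderDemo {
    // Chain definitions from the issue description, in their intended order.
    static final String DEFS = "/ = anon\n/UIDL/ = anon\n/** = authc\n";

    // Simplified stand-in for an Ant-style matcher (assumption): "X/**"
    // matches everything under X, any other pattern must match exactly.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            return path.startsWith(pattern.substring(0, pattern.length() - 2));
        }
        return pattern.equals(path);
    }

    // First matching pattern wins, so the map's iteration order decides the outcome.
    static String firstMatch(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matches(e.getKey(), path)) {
                return e.getKey() + " -> " + e.getValue();
            }
        }
        return "no chain";
    }

    // Order-preserving parse: one "pattern = filters" definition per line.
    static Map<String, String> parseOrdered(String text) {
        Map<String, String> chains = new LinkedHashMap<>();
        for (String line : text.split("\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) {
                chains.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return chains;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.load(new StringReader(DEFS));
        // Copy in whatever order the hash-based Properties iterates its keys.
        Map<String, String> hashed = new LinkedHashMap<>();
        props.forEach((k, v) -> hashed.put((String) k, (String) v));
        Map<String, String> ordered = parseOrdered(DEFS);
        System.out.println("Properties    " + hashed.keySet() + " : " + firstMatch(hashed, "/UIDL/"));
        System.out.println("LinkedHashMap " + ordered.keySet() + " : " + firstMatch(ordered, "/UIDL/"));
    }
}
```

The LinkedHashMap line always reports the definitions in the order they were written; the Properties line reports whatever order the hash table yields, which is why a request can reach /** before the more specific chain is tried.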

        Attachments

        1. shiro-jsecurity.patch
          4 kB
          Mathieu Carbou

              People

              • Assignee:
                Unassigned
                Reporter:
                lhazlewood Les Hazlewood