Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-497

setFilterChainDefinitionMap accepts Map interface objects, whose implementations are mostly unordered

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Configuration
    • Labels:
      None

      Description

      org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method, setFilterChainDefinitionMap which accepts Map interface objects. Most Map interface objects have no guaranteed order, but the filter chain definitions rely heavily on specific ordering for the application of rules.

      For example,

          Map<String, String> filterChainDefs = new HashMap<String, String>();
          filterChainDefs.put("/s/test", "authc");
          filterChainDefs.put("/s/**", "anon");
          shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);
      

      In this example, this structure is acceptable to the setter on shiroFilterFactoryBean, but will non-deterministically allow or deny access to /s/test between server restarts.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              sanimalp Jon Steege
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: