[SHIRO-497] setFilterChainDefinitionMap accepts Map interface objects, whose implementations are mostly unordered - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Add vote

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Configuration
Labels:
None

Description

org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method, setFilterChainDefinitionMap which accepts Map interface objects. Most Map interface objects have no guaranteed order, but the filter chain definitions rely heavily on specific ordering for the application of rules.

For example,

    Map<String, String> filterChainDefs = new HashMap<String, String>();
    filterChainDefs.put("/s/test", "authc");
    filterChainDefs.put("/s/**", "anon");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);

In this example, this structure is acceptable to the setter on shiroFilterFactoryBean, but will non-deterministically allow or deny access to /s/test between server restarts.