Shiro / SHIRO-584

URL Path matching issue with WebUtils.getPathWithinApplication


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.1
    • Fix Version/s: 1.3.2
    • Labels: None
    • Environment: Shiro 1.3.1, Tomcat 7.0.70

      Description

      Summary:

      In WebUtils.getPathWithinApplication:

      • request.getRequestURI() - is normalized to remove //, ../, ./ etc.
      • request.getContextPath() - is not normalized

      When these values are compared to determine which URL authorization to use, all existing rules are bypassed.

      Long Version:

      If I access my application using a URL like:

      http://localhost:8080//context/path/Action.action

      (note the double // after the port), this causes Shiro to not match any of my URLs.

      The cause of this appears to be in WebUtils.getPathWithinApplication().

      In WebUtils.getContextPath(), request.getContextPath() returns //context, which is left as //context.

      In WebUtils.getRequestUri(), request.getRequestURI() returns //context/path/Action.action; this is then sanitized in the WebUtils.normalize() method to return /context/path/Action.action.

      WebUtils.getPathWithinApplication then compares the two values with:

      if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))

      which doesn't match.

      So the method returns /context/path/Action.action instead of /path/Action.action.

      Because all the matching URLs are /path/**, they don't match /context/path.

      So PathMatchingFilterChainResolver.getChain() doesn't return any chains.

      It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //.

      Regards
      Mark
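The mismatch described in the report, as an added stand-alone Java model (this is not Shiro's WebUtils code and not the 1.3.2 fix). normalize() is a simplified stand-in for WebUtils.normalize() (it collapses //, ./ and ../ and drops trailing slashes), chainMatches() only understands /prefix/** patterns rather than Shiro's full Ant-style matcher, and the method names pathWithinAppBuggy, pathWithinAppFixed, stripContext and chainMatches are invented for this example. The request URI //context/path/Action.action, the context path //context and the rule /path/** are the values from the report.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Model of the SHIRO-584 path mismatch. Not Shiro's implementation: a
 * simplified reconstruction written for this page, with invented names.
 */
public class PathWithinAppDemo {

    /**
     * Simplified stand-in for WebUtils.normalize(): drops empty segments
     * (from "//"), "." segments, resolves ".." without climbing above root,
     * and always returns a path with a single leading "/" and no trailing "/".
     */
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                       // "//" and "./" contribute nothing
            }
            if (seg.equals("..")) {
                if (!out.isEmpty()) {
                    out.pollLast();             // step up one segment, never above "/"
                }
                continue;
            }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    /** Behaviour reported in the issue: only the request URI is normalized. */
    static String pathWithinAppBuggy(String requestUri, String contextPath) {
        String uri = normalize(requestUri);     // "//context/..." -> "/context/..."
        String ctx = contextPath;               // left as "//context"
        return stripContext(uri, ctx);
    }

    /** The report's proposed fix: normalize the context path as well. */
    static String pathWithinAppFixed(String requestUri, String contextPath) {
        String uri = normalize(requestUri);
        String ctx = normalize(contextPath);    // "//context" -> "/context"
        return stripContext(uri, ctx);
    }

    /** Mirrors the startsWithIgnoreCase comparison quoted in the report. */
    private static String stripContext(String uri, String ctx) {
        if (ctx.isEmpty() || ctx.equals("/")) {
            return uri;                         // root context: nothing to strip
        }
        if (uri.regionMatches(true, 0, ctx, 0, ctx.length())) {
            String rest = uri.substring(ctx.length());
            return rest.isEmpty() ? "/" : rest;
        }
        return uri;                             // no match: context-prefixed URI leaks through
    }

    /** Minimal stand-in for the Ant matcher: exact match or "/prefix/**". */
    static boolean chainMatches(String pattern, String path) {
        if (!pattern.endsWith("/**")) {
            return pattern.equals(path);
        }
        String prefix = pattern.substring(0, pattern.length() - 3);   // "/path/**" -> "/path"
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the report: double slash after the port.
        String requestUri = "//context/path/Action.action";
        String contextPath = "//context";
        String rule = "/path/**";

        String buggy = pathWithinAppBuggy(requestUri, contextPath);
        String fixed = pathWithinAppFixed(requestUri, contextPath);

        System.out.println("buggy: " + buggy + " matches " + rule + "? " + chainMatches(rule, buggy));
        System.out.println("fixed: " + fixed + " matches " + rule + "? " + chainMatches(rule, fixed));
    }
}
```

Running main shows the two outcomes side by side: the buggy variant keeps the unnormalized "//context" for the comparison, so the prefix test fails, the context-prefixed path is returned and the /path/** rule selects no filter chain; the fixed variant normalizes the context path as the report proposes, returns /path/Action.action and the rule matches. stripContext also returns the URI unchanged for a root ("") context so that normalizing "" to "/" cannot turn into a one-character strip.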

    People

    • Assignee: Unassigned
    • Reporter: Mark Bortolazzo (mb@mcgirrtech.com)
    • Votes: 0
    • Watchers: 1
