- request.getRequestURI() - is normalized to remove //, ../, ./ etc.
- request.getContextPath() - is not normalized
When these values are compared for which URL authorization to use, all existing rules are bypassed.
If I access my application using a URL like:
(note the double // after the port):
This causes Shiro to not match any of my URLs.
The cause of this appears to be in WebUtils.getPathWithinApplication().
request.getContextPath() returns //context
which is left as //context
request.getRequestURI() returns //context/path/Action.action
This is then sanitized in the WebUtils.normalize() method to return /context/path/Action.action.
WebUtils.getPathWithinApplication then compares the 2 values with:
if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
Which doesn't match.
So the method returns /context/path/Action.action instead of /path/Action.action.
Because all the matching URLs are /path/**, they don't match the /context/path.
So PathMatchingFilterChainResolver.getChain() doesn't return any chains.
It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //.
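
The mismatch described in this report, and the effect of normalizing the context path too, as an added example that is not part of the original report and is not Shiro's source. The class name, the stand-in normalize() and the two pathWithinApplication* helpers are hypothetical; the /path/** rule is approximated by a prefix check on /path/.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ContextPathNormalizeDemo {

    // Stand-in normalizer (assumption, not WebUtils.normalize()):
    // collapses repeated slashes and resolves "." and ".." segments.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    // Behaviour described in the report: only the request URI is normalized.
    static String pathWithinApplicationReported(String requestUri, String contextPath) {
        String uri = normalize(requestUri);
        return startsWithIgnoreCase(uri, contextPath) ? tail(uri, contextPath.length()) : uri;
    }

    // Change proposed in the report: normalize the context path as well.
    static String pathWithinApplicationProposed(String requestUri, String contextPath) {
        String uri = normalize(requestUri);
        // A root context ("") stays empty so nothing is stripped from the URI.
        String ctx = contextPath.isEmpty() ? "" : normalize(contextPath);
        return startsWithIgnoreCase(uri, ctx) ? tail(uri, ctx.length()) : uri;
    }

    static boolean startsWithIgnoreCase(String s, String prefix) {
        return s.regionMatches(true, 0, prefix, 0, prefix.length());
    }

    static String tail(String uri, int prefixLength) {
        String rest = uri.substring(prefixLength);
        return rest.isEmpty() ? "/" : rest;
    }

    public static void main(String[] args) {
        String requestUri = "//context/path/Action.action"; // values from the report
        String contextPath = "//context";
        String reported = pathWithinApplicationReported(requestUri, contextPath);
        String proposed = pathWithinApplicationProposed(requestUri, contextPath);
        System.out.println("reported: " + reported + " matches /path/**=" + reported.startsWith("/path/"));
        System.out.println("proposed: " + proposed + " matches /path/**=" + proposed.startsWith("/path/"));
    }
}
```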