SHIRO-584

URL Path matching issue with WebUtils.getPathWithinApplication


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.1
    • Fix Version/s: 1.3.2
    • Environment: Shiro 1.3.1, Tomcat 7.0.70

    Description

      Summary:

      In WebUtils.getPathWithinApplication

      • request.getRequestURI() - is normalized to remove //, ../, ./ etc.
      • request.getContextPath() - is not normalized

      When these values are compared to decide which URL authorization to use, all existing rules are bypassed.

      Long Version:

      If I access my application using a url like:

      http://localhost:8080//context/path/Action.action

      (note the double // after the port)

      This causes Shiro to not match any of my URLs.

      The cause of this appears to be in WebUtils.getPathWithinApplication()

      In WebUtils.getContextPath()
      request.getContextPath() returns //context
      which is left as //context.

      In WebUtils.getRequestUri()
      request.getRequestURI() returns //context/path/Action.action
      this is then sanitized in the WebUtils.normalize() method to return /context/path/Action.action.

      WebUtils.getPathWithinApplication then compares the two values with:

      if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))

      which doesn't match.

      So the method returns /context/path/Action.action instead of /path/Action.action.

      Because all the matching URLs are /path/**, they don't match /context/path.

      So PathMatchingFilterChainResolver.getChain() doesn't return any chains.

      It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //.

      Regards
      Mark
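The comparison the report walks through, reproduced as an added example (this is not Shiro's code; `normalize` and `pathWithinApplication` are simplified stand-ins for WebUtils.normalize and WebUtils.getPathWithinApplication, `chainMatches` is a crude stand-in for a `/path/**` chain definition, and the request URI and context path values are constructed from the ones the report quotes). It runs the same input once with the context path left as Tomcat returned it and once with the context path normalized, so the reader can see why the first case falls through to the un-stripped URI and matches no chain:

```java
public class ContextPathNormalizationDemo {

    /**
     * Simplified stand-in for WebUtils.normalize (assumption: modelled on the
     * Tomcat-derived normalizer, not Shiro's own code). Collapses runs of "/",
     * removes "/./" and resolves "/../"; returns null when ".." would climb
     * above the root.
     */
    static String normalize(String path) {
        if (path == null) {
            return null;
        }
        String n = path.replace('\\', '/');
        if (!n.startsWith("/")) {
            n = "/" + n;
        }
        n = n.replaceAll("/{2,}", "/");           // "//context" -> "/context"
        while (n.contains("/./")) {
            n = n.replace("/./", "/");
        }
        int idx;
        while ((idx = n.indexOf("/../")) >= 0) {
            if (idx == 0) {
                return null;                      // "/../x" escapes the root
            }
            int parent = n.lastIndexOf('/', idx - 1);
            n = n.substring(0, parent) + n.substring(idx + 3);
        }
        return n;
    }

    /**
     * Mirrors the comparison the report describes: the request URI is always
     * normalized, the context path only when normalizeContextPath is true.
     * Assumed simplification of WebUtils.getPathWithinApplication.
     */
    static String pathWithinApplication(String rawRequestUri, String rawContextPath,
                                        boolean normalizeContextPath) {
        String requestUri = normalize(rawRequestUri);
        String contextPath = rawContextPath == null ? "" : rawContextPath;
        if (normalizeContextPath) {
            contextPath = normalize(contextPath);
            if (contextPath == null || "/".equals(contextPath)) {
                contextPath = "";                 // root context is reported as "" by the container
            }
        }
        if (requestUri == null) {
            return null;
        }
        boolean startsWith = requestUri.regionMatches(true, 0, contextPath, 0, contextPath.length());
        if (startsWith) {
            String path = requestUri.substring(contextPath.length());
            return path.isEmpty() ? "/" : path;
        }
        return requestUri;                        // the fall-through the report observed
    }

    /** Crude stand-in for a "/path/**" filter chain definition (prefix match only). */
    static boolean chainMatches(String pattern, String path) {
        String prefix = pattern.substring(0, pattern.length() - "**".length()); // "/path/"
        return path != null && path.startsWith(prefix);
    }

    public static void main(String[] args) {
        // Constructed from the report: what Tomcat hands back for
        // http://localhost:8080//context/path/Action.action
        String requestUri = "//context/path/Action.action";
        String contextPath = "//context";
        String pattern = "/path/**";

        String buggy = pathWithinApplication(requestUri, contextPath, false);
        String fixed = pathWithinApplication(requestUri, contextPath, true);
        System.out.println("context path left as-is : " + buggy
                + "  matches " + pattern + "? " + chainMatches(pattern, buggy));
        System.out.println("context path normalized : " + fixed
                + "  matches " + pattern + "? " + chainMatches(pattern, fixed));
    }
}
```

With the context path left as `//context`, the normalized URI `/context/path/Action.action` does not start with it, so the whole URI is returned and the `/path/**` chain is not selected; normalizing the context path as well yields `/path/Action.action`, which the chain matches. A regression test for this class of bug should therefore drive a request whose path starts with `//` (and `/./`, `/../` variants) through the full filter chain resolver rather than only through the matcher.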

          People

            Assignee: Unassigned
            Reporter: Mark Bortolazzo (mb@mcgirrtech.com)