Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-621

REST filter bypassing matched path

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.4.0-RC2, 1.4.0
    • Fix Version/s: None
    • Component/s: Integration: Guice
    • Labels:
      None
    • Environment:
      Google App Engine
    • Flags:
      Important

      Description

      The following filter chains are present in configureShiroWeb() function

      addFilterChain("/*/first/second/third/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
      addFilterChain("/*/first/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

      When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.

      I am using Shiro 1.4.0-RC2 version and Guice 3.0.

      I have also tried using Shiro 1.4.0 with Guice 4.0.

      With Shiro 1.4.0 and Guice 4.0:

      The ShiroWebModule class is creating a randomly ordered path to config map in filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.

      The offending line is here:
      https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java #L161

      This should be a LinkedHashMap to maintain original user order.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                deraj123 Jared Bunting
                Reporter:
                Shilpi Das Shilpi Das
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: