Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 1.4.0-RC2, 1.4.0
- None
- None
- Google App Engine
- Important
Description
The following filter chains are present in the configureShiroWeb() function:
addFilterChain("/*/first/second/third/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/*/first/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
When a request is made for an API, e.g. example.appspot.com/v1/first/second/third, the first filter is bypassed and access is granted to a user with permission Y and not X.
I am using Shiro version 1.4.0-RC2 and Guice 3.0.
I have also tried using Shiro 1.4.0 with Guice 4.0.
With Shiro 1.4.0 and Guice 4.0:
The ShiroWebModule class is creating a randomly ordered path to config map in filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.
The offending line is here:
https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L161
This should be a LinkedHashMap to maintain original user order.
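
The ordering dependence described in this report, shown as an added example that is not part of the original report or Shiro's code: a first-match resolver run over the same two patterns stored in a LinkedHashMap and in a HashMap, plus a check that lists paths whose outcome depends on chain order. The matcher (where `*` matches any run of characters), the class and method names, and the request path are constructed assumptions, not Shiro's implementation.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class ChainOrderDemo {
    // Simplified matcher (assumption, not Shiro's): '*' matches any run of characters.
    static boolean matches(String pattern, String path) {
        String regex = Arrays.stream(pattern.split("\\*", -1))
                .map(Pattern::quote)
                .collect(Collectors.joining(".*"));
        return path.matches(regex);
    }

    // First match wins: the permission of the first pattern, in the map's
    // iteration order, that matches the path. Null means no chain applies.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matches(e.getKey(), path)) return e.getValue();
        }
        return null;
    }

    // Every distinct permission whose pattern matches the path. More than one
    // entry means the outcome for this path depends on chain order.
    static Set<String> competing(Map<String, String> chains, String path) {
        Set<String> perms = new TreeSet<>();
        chains.forEach((p, perm) -> { if (matches(p, path)) perms.add(perm); });
        return perms;
    }

    // Registers the two chains from the report, most specific first.
    static void register(Map<String, String> chains) {
        chains.put("/*/first/second/third/*", "X");
        chains.put("/*/first/*", "Y");
    }

    public static void main(String[] args) {
        String path = "/v1/first/second/third/item"; // constructed request path
        Map<String, String> linked = new LinkedHashMap<>();
        Map<String, String> hashed = new HashMap<>();
        register(linked);
        register(hashed);
        // LinkedHashMap iterates in registration order; HashMap iterates in
        // bucket order derived from the keys' hash codes.
        System.out.println("LinkedHashMap " + linked.keySet() + " requires " + resolve(linked, path));
        System.out.println("HashMap       " + hashed.keySet() + " requires " + resolve(hashed, path));
        System.out.println("Order-sensitive permissions for " + path + ": " + competing(linked, path));
    }
}
```

Running `competing` over representative request paths in a unit test flags every route where a broad pattern can pre-empt a stricter one if iteration order changes.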