Affects Version/s: 1.4.0-RC2, 1.4.0
Fix Version/s: None
Component/s: Integration: Guice
Environment: Google App Engine
The following filter chains are present in the configureShiroWeb() function:
addFilterChain("/*/first/second/third/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/*/first/*", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
When a request is made for an API (example.appspot.com/v1/first/second/third), the first filter is bypassed and access is granted for a user with permission Y and not with X.
I am using Shiro 1.4.0-RC2 version and Guice 3.0.
I have also tried using Shiro 1.4.0 with Guice 4.0.
With Shiro 1.4.0 and Guice 4.0:
The ShiroWebModule class is creating a randomly ordered path-to-config map in filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.
The offending line is here:
This should be a LinkedHashMap to maintain original user order.
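
An added illustration (not code from the Shiro project or from the reporter) of why iteration order decides which permission is enforced when the first matching chain wins, plus a startup check that flags a chain made unreachable by an earlier, broader one. The `matches` helper is a simplified stand-in in which `*` matches any run of characters, not Shiro's own path matcher; the class name, helper names and the request path are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class FilterChainOrderDemo {
    // Simplified stand-in matcher (assumption): '*' matches any run of characters.
    static boolean matches(String pattern, String path) {
        String[] parts = pattern.split("\\*", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i]));
        }
        return path.matches(re.toString());
    }

    // First match wins: the map's iteration order decides which permission applies.
    static String firstMatch(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet())
            if (matches(e.getKey(), path)) return e.getValue();
        return null;
    }

    // Heuristic guard: build a probe path from each later pattern ('*' -> "x") and
    // report it if an earlier pattern already catches that probe.
    static void reportShadowed(Map<String, String> chains) {
        String[] p = chains.keySet().toArray(new String[0]);
        for (int i = 0; i < p.length; i++)
            for (int j = i + 1; j < p.length; j++)
                if (matches(p[i], p[j].replace("*", "x")))
                    System.out.println("  shadowed: " + p[j] + " by " + p[i]);
    }

    public static void main(String[] args) {
        String path = "/v1/first/second/third/item"; // constructed request path
        // Order as written in configureShiroWeb(); LinkedHashMap keeps it.
        Map<String, String> declared = new LinkedHashMap<>();
        declared.put("/*/first/second/third/*", "X");
        declared.put("/*/first/*", "Y");
        // Same entries in the other order, which an unordered HashMap may produce.
        Map<String, String> reordered = new LinkedHashMap<>();
        reordered.put("/*/first/*", "Y");
        reordered.put("/*/first/second/third/*", "X");

        System.out.println("declared order: permission " + firstMatch(declared, path));
        reportShadowed(declared);
        System.out.println("reordered: permission " + firstMatch(reordered, path));
        reportShadowed(reordered);
    }
}
```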