shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Richardson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-497) setFilterChainDefinitionMap accepts Map interface objects, whose implementations are mostly unordered
Date Thu, 17 Mar 2016 14:21:33 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15199597#comment-15199597
] 

Mike Richardson commented on SHIRO-497:
---------------------------------------

Agreed, the setFilterChainDefinitionMap method signature should not accept a Map here, since
there is nothing in the Map contract that guarantees order.  

As a workaround, users should use a LinkedHashMap, which will iterate in the order in which
the entries were put into the map.

> setFilterChainDefinitionMap accepts Map interface objects, whose implementations are
mostly unordered
> -----------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-497
>                 URL: https://issues.apache.org/jira/browse/SHIRO-497
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Jon Steege
>            Priority: Minor
>
> org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method,  setFilterChainDefinitionMap
which accepts Map interface objects. Most Map interface objects have no guaranteed order,
 but the filter chain definitions rely heavily on specific ordering for the application of
rules. 
> For example, 
> {code}
>     Map<String, String> filterChainDefs = new HashMap<String, String>();
>     filterChainDefs.put("/s/test", "authc");
>     filterChainDefs.put("/s/**", "anon");
>     shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);
> {code}
> In this example, this structure is acceptable to the setter on shiroFilterFactoryBean,
but will non-deterministically allow or deny access to /s/test between server restarts. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message