shiro-dev mailing list archives

From Brian Demers <brian.dem...@gmail.com>
Subject Re: URL Path matching issue with WebUtils.getPathWithinApplication
Date Tue, 06 Sep 2016 17:16:41 GMT
+1
Can you create a JIRA issue for this?
https://issues.apache.org/jira/browse/SHIRO/

On Sun, Sep 4, 2016 at 11:13 PM, mark <mb@mcgirrtech.com> wrote:
> I am using Shiro 1.3.1 to protect a web application running on Tomcat 7.0.70.
> I have an issue with security caused by the pattern matching that happens in
> WebUtils.getPathWithinApplication()
>
> If I access my application using a url like:
>
> http://localhost:8080//context/path/Action.action
>
> (note the double // after the port):
>
> This causes Shiro to not match any of my [urls]
>
> The cause of this appears to be in WebUtils.getPathWithinApplication()
>
> in WebUtils.getContextPath()
>   request.getContextPath() returns //context
>   which is left as //context
>
> In WebUtils.getRequestUri()
>   request.getRequestURI() returns //context/path/Action.action
>   this is then sanitized in the WebUtils.normalize() method to return
> /context/path/Action.action.
>
> WebUtils.getPathWithinApplication then compares the 2 values with:
>
> if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
>
> Which doesn't match.
>
> So the method returns /context/path/Action.action instead of
> /path/Action.action
>
> Because all the matching URLs are /path/** they don't match the
> /context/path
>
> So PathMatchingFilterChainResolver.getChain() doesn't return any chains.
>
> It seems to me that the contextPath should also be passed through the
> normalize() method to remove the leading //
>
> Regards
> Mark
>
>
>
> --
> View this message in context: http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424.html
> Sent from the Shiro Developer mailing list archive at Nabble.com.

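The mismatch Mark walks through above can be reproduced without a servlet container. The following is an added example, not code from Shiro: normalize(), path_within_application(), ant_match() and get_chain() are simplified stand-ins for WebUtils.normalize(), WebUtils.getPathWithinApplication(), the Ant-style matcher and PathMatchingFilterChainResolver.getChain(), and the [urls] table is constructed in the spirit of his "/path/**" definitions. The context path "//context" and request URI "//context/path/Action.action" are the values he reports Tomcat returning for a request with a doubled slash after the port. The normalize_context flag switches between the behaviour he observed (context path used as-is, so nothing strips it and no chain is resolved) and the fix he proposes (normalize the context path too).

```python
"""Stand-alone reproduction of the double-slash mismatch in path-within-application
resolution. Simplified re-implementations for illustration only, not Shiro code."""
import re


def normalize(path):
    """Collapse repeated slashes, drop '.' segments and resolve '..' against the
    previous segment, as a servlet-style normalizer does for the request URI
    ('//context/...' becomes '/context/...'). Returns None if '..' would climb
    above the root, so a traversal attempt never yields a usable path."""
    if path is None:
        return None
    while "//" in path:
        path = path.replace("//", "/")
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) <= 1:  # only the leading '' (the root) is left
                return None
            out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def path_within_application(context_path, request_uri, normalize_context=False):
    """Approximation of getPathWithinApplication(): strip the context path from
    the normalized request URI. With normalize_context=False the context path is
    used exactly as the container reported it (the observed behaviour); with True
    it is normalized first (the proposed fix)."""
    request_uri = normalize(request_uri)
    if normalize_context:
        context_path = normalize(context_path)
    if request_uri.lower().startswith(context_path.lower()):
        path = request_uri[len(context_path):]
        return path if path.strip() else "/"
    # No common prefix: the whole request URI is returned unchanged.
    return request_uri


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans any number of segments, '*' stays
    within one segment. Enough for patterns such as '/path/**'."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


# Constructed [urls] section; in Mark's deployment every pattern starts with /path/.
CHAIN_DEFINITIONS = {
    "/path/**": "authc",
    "/login.jsp": "anon",
}


def get_chain(context_path, request_uri, normalize_context=False):
    """Approximation of PathMatchingFilterChainResolver.getChain(): the first
    pattern matching the path within the application wins. None means no
    filter chain was resolved for the request."""
    path = path_within_application(context_path, request_uri, normalize_context)
    for pattern, chain in CHAIN_DEFINITIONS.items():
        if ant_match(pattern, path):
            return chain
    return None


if __name__ == "__main__":
    # Constructed request mirroring the report: getContextPath() -> "//context",
    # getRequestURI() -> "//context/path/Action.action".
    ctx, uri = "//context", "//context/path/Action.action"
    print(path_within_application(ctx, uri))        # /context/path/Action.action
    print(get_chain(ctx, uri))                      # None
    print(path_within_application(ctx, uri, True))  # /path/Action.action
    print(get_chain(ctx, uri, True))                # authc
```

The security-relevant outcome is the None in the second line: a request that resolves to no chain is not handled by any of the path-based filters configured in [urls], so a doubled slash is enough to sidestep them. Normalizing the context path before the prefix comparison, as proposed, makes both sides agree and the /path/** chain is selected again.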