shiro-dev mailing list archives

From "Brian Demers (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (SHIRO-584) URL Path matching issue with WebUtils.getPathWithinApplication
Date Wed, 28 Sep 2016 13:16:20 GMT

     [ https://issues.apache.org/jira/browse/SHIRO-584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Demers resolved SHIRO-584.
--------------------------------
       Resolution: Fixed
    Fix Version/s: 1.3.2

> URL Path matching issue with WebUtils.getPathWithinApplication
> --------------------------------------------------------------
>
>                 Key: SHIRO-584
>                 URL: https://issues.apache.org/jira/browse/SHIRO-584
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authorization (access control) 
>    Affects Versions: 1.3.1
>         Environment: Shiro 1.3.1, Tomcat 7.0.70
>            Reporter: Mark Bortolazzo
>             Fix For: 1.3.2
>
>
> Summary:
> In WebUtils.getPathWithinApplication
>   - request.getRequestURI() - Is normalized to remove //, ../, ./ etc
>   - request.getContextPath() - is not normalized
> When these values are compared for which url authorization to use all existing rules are bypassed.
> Long Version:
> If I access my application using a url like:
> http://localhost:8080//context/path/Action.action
> (note the double // after the port):
> This causes shiro to not match any of my urls
> The cause of this appears to be in WebUtils.getPathWithinApplication()
> in WebUtils.getContextPath()
>   request.getContextPath() returns //context
>   which is left as //context
> In WebUtils.getRequestUri()
>   request.getRequestURI() returns //context/path/Action.action
>   this is then sanitized in the WebUtils.normalize() method to return /context/path/Action.action.
> WebUtils.getPathWithinApplication then compares the 2 values with:
> if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
> Which doesn't match.
> So the method returns /context/path/Action.action instead of /path/Action.action
> Because all the matching URLs are /path/** they don't match the /context/path
> So PathMatchingFilterChainResolver.getChain() doesn't return any chains.
> It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //
> Regards
> Mark 
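A standalone Python model of the comparison the report describes, added here as an illustration and not Shiro's own Java code; normalize(), path_within_application() and resolve_chain() are simplified stand-ins for the WebUtils and PathMatchingFilterChainResolver methods named above, and the request values are the ones from the report:

```python
# Constructed model of the SHIRO-584 comparison; not Shiro's own code.
# normalize(), path_within_application() and resolve_chain() are simplified
# stand-ins for WebUtils.normalize(), WebUtils.getPathWithinApplication()
# and PathMatchingFilterChainResolver.getChain().

def normalize(path: str) -> str:
    """Collapse repeated slashes and resolve '.' and '..' segments."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):          # empty segment == a duplicate slash
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def path_within_application(request_uri: str, context_path: str,
                            normalize_context: bool) -> str:
    """Application-relative path the filter chains are matched against.
    normalize_context=False: only the request URI is normalized (the
    behaviour reported against 1.3.1). True: the context path gets the same
    treatment, as the report proposes."""
    uri = normalize(request_uri)
    # The Servlet spec reports the root context as "", so leave that alone.
    ctx = normalize(context_path) if normalize_context and context_path else context_path
    # Same check as StringUtils.startsWithIgnoreCase(requestUri, contextPath)
    if uri.lower().startswith(ctx.lower()):
        path = uri[len(ctx):]
        return path if path else "/"
    return uri                         # no match: the full URI leaks through

def resolve_chain(request_uri: str, context_path: str, patterns: list,
                  normalize_context: bool):
    """First '/prefix/**' pattern matching the request, or None."""
    path = path_within_application(request_uri, context_path, normalize_context)
    for pattern in patterns:
        prefix = pattern[:-len("/**")] if pattern.endswith("/**") else pattern
        if path == prefix or path.startswith(prefix + "/"):
            return pattern
    return None                        # no chain: the request passes unfiltered

if __name__ == "__main__":
    uri, ctx, chains = "//context/path/Action.action", "//context", ["/path/**"]
    print("1.3.1 behaviour:", resolve_chain(uri, ctx, chains, False))  # None
    print("normalized ctx: ", resolve_chain(uri, ctx, chains, True))   # /path/**
```

With the context path left unnormalized the resolver finds no chain for the double-slash request, so a detection rule on the front end for repeated slashes or dot segments in the request line is a cheap interim check until the fixed version is deployed.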



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
