shiro-dev mailing list archives

From mark ...@mcgirrtech.com>
Subject Re: URL Path matching issue with WebUtils.getPathWithinApplication
Date Tue, 06 Sep 2016 22:59:16 GMT
I have created an issue here:

https://issues.apache.org/jira/browse/SHIRO-584

I'm currently using this at the end of my shiro.ini to stop 
authorisation bypass.  It just dumps any access via // to nowhere:


#this is for an issue in Shiro that lets // bypass the urls......
//** = authc, roles[NoUsers]

#we should never hit this one because we should always match something 
else......
/** = authc, roles[administrator]


Regards
Mark


On 07/09/16 03:17, Brian Demers [via Shiro Developer] wrote:
> +1
> Can you create a JIRA issue for this?
> https://issues.apache.org/jira/browse/SHIRO/
>
> On Sun, Sep 4, 2016 at 11:13 PM, mark <[hidden email]> wrote:
>
> > I am using Shiro 1.3.1 to protect a web application running on tomcat 7.0.70.
> > I have an issue with security caused by the pattern matching that happens in
> > WebUtils.getPathWithinApplication()
> >
> > If I access my application using a url like:
> >
> > http://localhost:8080//context/path/Action.action
> >
> > (note the double // after the port):
> >
> > This causes shiro to not match any of my [urls]
> >
> > The cause of this appears to be in WebUtils.getPathWithinApplication()
> >
> > in WebUtils.getContextPath()
> >   request.getContextPath() returns //context
> >   which is left as //context
> >
> > In WebUtils.getRequestUri()
> >   request.getRequestURI() returns //context/path/Action.action
> >   this is then sanitized in the WebUtils.normalize() method to return
> > /context/path/Action.action.
> >
> > WebUtils.getPathWithinApplication then compares the 2 values with:
> >
> > if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))
> >
> > Which doesn't match.
> >
> > So the method returns /context/path/Action.action instead of
> > /path/Action.action
> >
> > Because all the matching URLS are /path/** they don't match the
> > /context/path
> >
> > So PathMatchingFilterChainResolver.getChain() doesn't return any chains.
> >
> > It seems to me that the contextPath should also be passed through the
> > normalize() method to remove the leading //
> >
> > Regards
> > Mark
> >
> >
> >
> > --
> > View this message in context: 
> http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424.html
> > Sent from the Shiro Developer mailing list archive at Nabble.com.
--
View this message in context: http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424p7579431.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
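The failure described in the quoted report, as an added example that is not Shiro's own code: a small Python model of the normalize() / getPathWithinApplication() / getChain() steps, where normalize_context=True stands in for the fix proposed in the post and a trailing "/**" deny-all chain stands in for the catch-all workaround above. The pattern matcher only handles "/prefix/**" and exact patterns; the sample context path and URI are constructed from the post.

```python
def normalize(path):
    """Model of WebUtils.normalize(): collapse repeated slashes, resolve
    "." and ".." segments and guarantee exactly one leading slash."""
    if not path:
        return "/"
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue                      # "//" and "/./" collapse away
        if seg == "..":
            if parts:
                parts.pop()               # "/../" climbs one segment
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def path_within_application(context_path, request_uri, normalize_context):
    """Model of WebUtils.getPathWithinApplication(). Per the post, the request
    URI is normalized but the context path is not; normalize_context=True
    models the suggested fix of normalizing the context path as well."""
    uri = normalize(request_uri)
    ctx = normalize(context_path) if normalize_context else context_path
    if uri.lower().startswith(ctx.lower()):       # startsWithIgnoreCase
        rest = uri[len(ctx):]
        return rest if rest else "/"
    return uri        # mismatch: the whole request URI is returned

def resolve_chain(chains, app_path):
    """Model of PathMatchingFilterChainResolver.getChain(): first match wins.
    Returns None when no [urls] entry matches, i.e. the request is unfiltered."""
    for pattern, filters in chains:
        if pattern.endswith("/**"):
            base = pattern[:-3]
            if app_path == base or app_path.startswith(base + "/"):
                return filters
        elif pattern == app_path:
            return filters
    return None

# Constructed inputs, as in the report: http://host:8080//context/path/Action.action
CONTEXT, URI = "//context", "//context/path/Action.action"
URLS = [("/path/**", "authc, roles[administrator]")]
# Default-deny catch-all in the spirit of the workaround above
URLS_WITH_CATCH_ALL = URLS + [("/**", "authc, roles[NoUsers]")]

def demo(normalize_context, chains=URLS):
    """Returns (path within application, resolved filter chain or None)."""
    app_path = path_within_application(CONTEXT, URI, normalize_context)
    return app_path, resolve_chain(chains, app_path)
```

demo(False) reproduces the bypass: the path keeps its "/context" prefix, so no chain matches; demo(True) yields "/path/Action.action" and the administrator chain; demo(False, URLS_WITH_CATCH_ALL) shows the catch-all denying the unmatched request.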
