shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-621) REST filter bypassing matched path
Date Mon, 26 Feb 2018 11:09:00 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376677#comment-16376677
] 

ASF GitHub Bot commented on SHIRO-621:
--------------------------------------

GitHub user ittiaminsite opened a pull request:

    https://github.com/apache/shiro/pull/79

    Fix for SHIRO-621: REST filter bypassing matched path

    Use LinkedHashMap to maintain order of path to config map in filter chain in ShiroWebModule.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ittiaminsite/shiro master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/shiro/pull/79.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #79
    
----
commit 6f9d79d8e43353d1a1c01b1bd92dccf5e2c21bad
Author: Ittiam Insite <admin@...>
Date:   2018-02-26T10:46:54Z

    Fix for SHIRO-621: REST filter bypassing matched path

----


> REST filter bypassing matched path
> ----------------------------------
>
>                 Key: SHIRO-621
>                 URL: https://issues.apache.org/jira/browse/SHIRO-621
>             Project: Shiro
>          Issue Type: Bug
>          Components: Integration: Guice
>    Affects Versions: 1.4.0-RC2, 1.4.0
>         Environment: Google App Engine
>            Reporter: Shilpi Das
>            Assignee: Jared Bunting
>            Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST,
"X"));
>  addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third, the first
filter is bypassed and the access is granted for a user with permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.
> With Shiro 1.4.0 and Guice 4.0:
> The {{ShiroWebModule}} class is creating a randomly ordered path to config map in {{filterToPathToConfig}},
because it's using a HashMap instead of a LinkedHashMap.
> The offending line is here:
>  [https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144] #L161
> This should be a LinkedHashMap to maintain original user order.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message