ffang commented on code in PR #1633:
URL: https://github.com/apache/cxf/pull/1633#discussion_r1449213099


##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java:
##########
@@ -202,7 +202,7 @@ protected boolean checkRequestURI(HttpServletRequest 
request, List<String> uris,
         if (uris.isEmpty()) {
             return true;
         }
-        String servletPath = request.getPathInfo();
+        String servletPath = request.getServletPath() + request.getPathInfo();
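Review bot: the `+` line `String servletPath = request.getServletPath() + request.getPathInfo();` has no null guard, yet `getPathInfo()` is documented (see the Javadoc quoted in the comment below) to return `null` when the request carries no extra path information; string concatenation then yields a value ending in the literal text `null` (e.g. `/oauthnull`), so a request that hits the servlet path exactly can never match an entry in `uris` and `checkRequestURI` quietly fails for it. Read the value once and substitute the empty string, e.g. `String pathInfo = request.getPathInfo();` followed by `String servletPath = request.getServletPath() + (pathInfo == null ? "" : pathInfo);`, and consider renaming the local since it now holds servlet path plus path info rather than the servlet path alone.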

Review Comment:
   I don't think we need to worry about it.
   
   From the Javadoc of servlet-api 6:
   ```java
   /**
    * Returns any extra path information associated with the URL the client sent when it made this request. The extra path
    * information follows the servlet path but precedes the query string and will start with a "/" character.
    *
    * <p>
    * This method returns <code>null</code> if there was no extra path information.
    *
    * @return a <code>String</code> specifying extra path information that comes after the servlet path but before the
    * query string in the request URL; or <code>null</code> if the URL does not have any extra path information. The path
    * will be canonicalized as per section 3.5 of the specification. This method will not return any encoded characters
    * unless the container is configured specifically to allow them.
    * @throws IllegalArgumentException In standard configuration, this method will never throw. However, a container may be
    * configured to not reject some suspicious sequences identified by 3.5.2, furthermore the container may be configured
    * to allow such paths to only be accessed via safer methods like {@link #getRequestURI()} and to throw
    * IllegalArgumentException if this method is called for such suspicious paths.
    */
   public String getPathInfo();
   ```
   
   So a "/" character is guaranteed here.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.