[
https://issues.apache.org/jira/browse/KNOX-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028266#comment-17028266
]
Kevin Risden commented on KNOX-2221:
------------------------------------
The issue definitely relates to SHIRO-682.
Knox sets up the shiro.ini with this in the topology:
{code:xml}
<param>
    <name>urls./**</name>
    <value>authcBasic</value>
</param>
{code}
In shiro.ini this ends up being:
{code}
[urls]
/**=authcBasic
{code}
Based on my understanding of Shiro, this means it should apply to all request
endpoints.
https://github.com/apache/knox/blob/master/gateway-test/src/test/java/org/apache/knox/gateway/GatewayAppFuncTest.java#L156
The first request works since the context path ends up being "/index.html". Since it doesn't end in "/", the URI isn't modified, and "/index.html" ends up matching "/**".
The second request is "/" based on the context path. After the changes in SHIRO-682, this means that "/" is a trailing slash and is stripped. The request URL is now empty: "".
When "" is matched against "/**" it doesn't match, and basic auth is not applied to the request. This results in a null subject since Shiro isn't authorizing the unmatched paths.
I think this is a pretty big issue since hitting a direct endpoint "/" will end up not matching the "/**" default pattern, which seems to be the recommended default for Shiro.
> Upgrade shiro to 1.5.0
> ----------------------
>
> Key: KNOX-2221
> URL: https://issues.apache.org/jira/browse/KNOX-2221
> Project: Apache Knox
> Issue Type: Sub-task
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Fix For: 1.4.0
>
> Attachments: log.txt.gz
>
>
> Upgrade shiro 1.4.2 to 1.5.0
> Shiro 1.5.0 release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12344991
--
This message was sent by Atlassian Jira
(v8.3.4#803005)