I am using Shiro 1.3.1 to protect a web application running on Tomcat 7.0.70. I have an issue with security caused by the pattern matching that happens in WebUtils.getPathWithinApplication().

If I access my application using a URL like http://localhost:8080//context/path/Action.action (note the double // after the port), this causes Shiro to not match any of my [urls].

The cause of this appears to be in WebUtils.getPathWithinApplication():

In WebUtils.getContextPath(), request.getContextPath() returns //context, which is left as //context.

In WebUtils.getRequestUri(), request.getRequestURI() returns //context/path/Action.action; this is then sanitized in the WebUtils.normalize() method to return /context/path/Action.action.

WebUtils.getPathWithinApplication() then compares the two values with:

    if (StringUtils.startsWithIgnoreCase(requestUri, contextPath))

which doesn't match, so the method returns /context/path/Action.action instead of /path/Action.action. Because all the matching URLs are /path/**, they don't match /context/path, so PathMatchingFilterChainResolver.getChain() doesn't return any chains.

It seems to me that the contextPath should also be passed through the normalize() method to remove the leading //.

Regards
Mark

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/URL-Path-matching-issue-with-WebUtils-getPathWithinApplication-tp7579424.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
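The mismatch described in the post, reproduced as an added example (this is a Python re-implementation of the logic the post attributes to Shiro's WebUtils and PathMatchingFilterChainResolver, not Shiro's own code). The normalize() helper, the chain table and the "/**" pattern handling are simplifications assumed for this example; the point it shows is that normalizing only the request URI while leaving the context path untouched defeats the prefix comparison, so the filter chain lookup falls through to no chain at all. Passing normalize_context=True applies the fix the post suggests.

```python
# Added example: reconstruction of the double-slash path mismatch.
# Not Shiro code; the helpers below are simplified stand-ins.


def normalize(path):
    """Approximation of WebUtils.normalize(): convert backslashes,
    collapse repeated '/', and resolve '.' and '..' segments."""
    if path is None:
        return None
    p = path.replace("\\", "/")
    while "//" in p:
        p = p.replace("//", "/")
    out = []
    for seg in p.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            # never pop above the root segment (the leading '')
            if out and out[-1] != "":
                out.pop()
            continue
        out.append(seg)
    return "/".join(out) or "/"


def path_within_application(request_uri, context_path, normalize_context=False):
    """Strip the context path from the request URI, as the post describes
    WebUtils.getPathWithinApplication() doing: the URI is normalized, the
    context path is compared as-is (normalize_context=False reproduces the
    reported behaviour; True is the suggested fix)."""
    uri = normalize(request_uri)
    ctx = normalize(context_path) if normalize_context else context_path
    if uri.lower().startswith(ctx.lower()):
        rest = uri[len(ctx):]
        return rest if rest else "/"
    # No prefix match: the unstripped URI is returned, which is the bug.
    return uri


def resolve_chain(chains, path):
    """Tiny stand-in for PathMatchingFilterChainResolver.getChain(): return
    the first chain whose pattern matches. Only exact patterns and a
    trailing '/**' are supported (assumption for this example)."""
    for pattern, chain in chains:
        if pattern.endswith("/**"):
            prefix = pattern[:-3]
            if path == prefix or path.startswith(prefix + "/"):
                return chain
        elif pattern == path:
            return chain
    return None


# Constructed chain definitions in the shape of a Shiro [urls] section.
CHAINS = [("/path/**", "authc")]


def demo():
    """Run the request from the post through both variants and return
    (path_as_reported, chain_as_reported, path_fixed, chain_fixed)."""
    request_uri = "//context/path/Action.action"
    context_path = "//context"
    reported = path_within_application(request_uri, context_path)
    fixed = path_within_application(request_uri, context_path, normalize_context=True)
    return (reported, resolve_chain(CHAINS, reported),
            fixed, resolve_chain(CHAINS, fixed))


if __name__ == "__main__":
    reported, chain_reported, fixed, chain_fixed = demo()
    print("as reported:", reported, "->", chain_reported)   # no chain matched
    print("with fix:   ", fixed, "->", chain_fixed)          # authc
```

The security-relevant consequence is the None in the first line of output: a request that should have hit the authc chain is resolved to no chain, so whatever the container serves at that path is reached without Shiro's filters. The same two-sided normalization check is worth applying to any component that derives a "path within application" by string prefix.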
