[ https://issues.apache.org/jira/browse/SHIRO-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719328#comment-17719328 ]

Ronald Feicht edited comment on SHIRO-906 at 5/4/23 1:44 PM:
-------------------------------------------------------------

Sure, we use CDI adapted from https://github.com/ops4j/org.ops4j.pax.shiro to inject our own beans (cacheManagerInfinispan, fileHostingFilter ...):

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
securityManager.cacheManager = $cacheManagerInfinispan

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SsoCookie
cookie.path = /
cookie.secure = true
cookie.sameSite = NONE
cookie.httpOnly = true
securityManager.sessionManager.sessionIdCookie = $cookie

credentialsMatcher = org.apache.shiro.authc.credential.Sha512CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 500000
mongoRealm.credentialsMatcher = $credentialsMatcher

firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy
securityManager.realms = $mongoRealm

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /welcome.xhtml

logout = org.apache.shiro.web.filter.authc.LogoutFilter
logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = ssl[443], authc
/logout = logout

/javax.faces.resource/** = ssl[443], anon
/automation.xhtml = ssl[443], authc, perms["base:navigation:automation"]
/exhortation.xhtml = ssl[443], authc, perms["base:navigation:exhortation"]
/exhortationTree.xhtml = ssl[443], authc, perms["dms:navigation:exhortations"]
/management.xhtml = ssl[443], authc, perms["base:navigation:management"]
/office.xhtml = ssl[443], perms["dms:navigation:office"]
/workflow.xhtml = ssl[443], authc, perms["dms:navigation:workflow"]
/rest/wopi/files/cors = noSessionCreation, ssl[443], anon
/rest/gitVersion = noSessionCreation, ssl[443], anon
/rest/version = noSessionCreation, ssl[443], anon
/rest/** = noSessionCreation, ssl[443], authcBasic
/filehosting/** = ssl[443], fileHostingFilter
/** = ssl[443], authc


was (Author: scsynergy):
Sure, we use CDI adapted from https://github.com/ops4j/org.ops4j.pax.shiro to inject our own beans (cacheManagerInfinispan, fileHostingFilter ...):

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
securityManager.cacheManager = $cacheManagerInfinispan

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SsoCookie
cookie.path = /
cookie.secure = true
cookie.sameSite = NONE
cookie.httpOnly = true
securityManager.sessionManager.sessionIdCookie = $cookie

credentialsMatcher = org.apache.shiro.authc.credential.Sha512CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 500000
mongoRealm.credentialsMatcher = $credentialsMatcher

firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy
securityManager.realms = $jjwtRealm, $mongoRealm

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /welcome.xhtml

logout = org.apache.shiro.web.filter.authc.LogoutFilter
logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = ssl[443], authc
/logout = logout

/javax.faces.resource/** = ssl[443], anon
/automation.xhtml = ssl[443], authc, perms["base:navigation:automation"]
/exhortation.xhtml = ssl[443], authc, perms["base:navigation:exhortation"]
/exhortationTree.xhtml = ssl[443], authc, perms["dms:navigation:exhortations"]
/management.xhtml = ssl[443], authc, perms["base:navigation:management"]
/office.xhtml = ssl[443], perms["dms:navigation:office"]
/workflow.xhtml = ssl[443], authc, perms["dms:navigation:workflow"]
/rest/wopi/files/cors = noSessionCreation, ssl[443], anon
/rest/gitVersion = noSessionCreation, ssl[443], anon
/rest/version = noSessionCreation, ssl[443], anon
/rest/** = noSessionCreation, ssl[443], authcBasic
/filehosting/** = ssl[443], fileHostingFilter
/** = ssl[443], authc

> URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-906
>                 URL: https://issues.apache.org/jira/browse/SHIRO-906
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1
>            Reporter: Ronald Feicht
>            Priority: Major
>
> When a user uploads a PDF document to this URI:
> https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf
> which is the url-encoded form of
> "https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf";
> an HTTP 400 response is generated by Shiro with this as the body:
>
> <html>
> <head>
> <title>Error</title>
> </head>
> <body>Invalid request</body>
> </html>
>
> With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found
> org.apache.shiro.web.filter.InvalidRequestFilter line 67:
> return !StringUtils.hasText(uri)
> which means that a URI which is null or has zero length or consists only of whitespace should be considered a valid URI. I am pretty sure this is not what the author intended and that the "!" just needs to be removed to fix this bug.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)