[jira] [Created] (SHIRO-621) REST filter bypassing matched path

2017-04-12 Thread Shilpi Das (JIRA)
Shilpi Das created SHIRO-621:


 Summary: REST filter bypassing matched path
 Key: SHIRO-621
 URL: https://issues.apache.org/jira/browse/SHIRO-621
 Project: Shiro
  Issue Type: Bug
  Components: Integration: Guice
Affects Versions: 1.4.0-RC2
 Environment: Google App Engine
Reporter: Shilpi Das
Assignee: Jared Bunting


The following filter chains are present in the configureShiroWeb() function:

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API, example.appspot.com/v1/first/second/third,
the first filter is bypassed and the access is granted for a user with
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Updated] (SHIRO-621) REST filter bypassing matched path

2018-02-13 Thread Shilpi Das (JIRA)

 [ 
https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shilpi Das updated SHIRO-621:
-
Affects Version/s: 1.4.0
  Description: 
The following filter chains are present in the configureShiroWeb() function:

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API, example.appspot.com/v1/first/second/third,
the first filter is bypassed and the access is granted for a user with
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.

I have also tried using Shiro 1.4.0 with Guice 4.0.

  was:
The following filter chains are present in configureShiroWeb() function

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
"Y"));

When a request is made for an API- example.appspot.com/v1/first/second/third, 
the first filter is bypassed and the access is granted for a user with 
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0


> REST filter bypassing matched path
> --
>
> Key: SHIRO-621
> URL: https://issues.apache.org/jira/browse/SHIRO-621
> Project: Shiro
>  Issue Type: Bug
>  Components: Integration: Guice
>Affects Versions: 1.4.0-RC2, 1.4.0
> Environment: Google App Engine
>Reporter: Shilpi Das
>Assignee: Jared Bunting
>Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
> filterConfig(REST, "X"));
>  addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
> "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third, 
> the first filter is bypassed and the access is granted for a user with 
> permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (SHIRO-621) REST filter bypassing matched path

2018-02-14 Thread Shilpi Das (JIRA)

 [ 
https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shilpi Das updated SHIRO-621:
-
Description: 
The following filter chains are present in the configureShiroWeb() function:

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API, example.appspot.com/v1/first/second/third,
the first filter is bypassed and the access is granted for a user with
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.

I have also tried using Shiro 1.4.0 with Guice 4.0.

With Shiro 1.4.0 and Guice 4.0:

The ShiroWebModule class is creating a randomly ordered path to config map
in filterToPathToConfig, because it's using a HashMap instead of a
LinkedHashMap.

The offending line is here:
 
[https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
 #L161

This should be a LinkedHashMap to maintain original user order.

  was:
The following filter chains are present in configureShiroWeb() function

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
filterConfig(REST, "X"));
 addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
"Y"));

When a request is made for an API- example.appspot.com/v1/first/second/third, 
the first filter is bypassed and the access is granted for a user with 
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.

I have also tried using Shiro 1.4.0 with Guice 4.0.

With Shiro 1.4.0 and Guice 4.0:

{{The ShiroWebModule class is creating a randomly ordered path to config map in 
filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.}}

The offending line is here:
[https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
 #161

This should be a LinkedHashMap to maintain original user order.


> REST filter bypassing matched path
> --
>
> Key: SHIRO-621
> URL: https://issues.apache.org/jira/browse/SHIRO-621
> Project: Shiro
>  Issue Type: Bug
>  Components: Integration: Guice
>Affects Versions: 1.4.0-RC2, 1.4.0
> Environment: Google App Engine
>Reporter: Shilpi Das
>Assignee: Jared Bunting
>Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
> filterConfig(REST, "X"));
>  addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
> "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third, 
> the first filter is bypassed and the access is granted for a user with 
> permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.
> With Shiro 1.4.0 and Guice 4.0:
> The {{ShiroWebModule}} class is creating a randomly ordered path to config 
> map in {{filterToPathToConfig}}, because it's using a HashMap instead of a 
> LinkedHashMap.
> The offending line is here:
>  
> [https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
>  #L161
> This should be a LinkedHashMap to maintain original user order.





[jira] [Updated] (SHIRO-621) REST filter bypassing matched path

2018-02-14 Thread Shilpi Das (JIRA)

 [ 
https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shilpi Das updated SHIRO-621:
-
  Flags: Important
Description: 
The following filter chains are present in the configureShiroWeb() function:

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));

When a request is made for an API, example.appspot.com/v1/first/second/third,
the first filter is bypassed and the access is granted for a user with
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.

I have also tried using Shiro 1.4.0 with Guice 4.0.

With Shiro 1.4.0 and Guice 4.0:

The ShiroWebModule class is creating a randomly ordered path to config map in
filterToPathToConfig, because it's using a HashMap instead of a LinkedHashMap.

The offending line is here:
[https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
 #161

This should be a LinkedHashMap to maintain original user order.

  was:
The following filter chains are present in configureShiroWeb() function

addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
filterConfig(REST, "X"));
 addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
"Y"));

When a request is made for an API- example.appspot.com/v1/first/second/third, 
the first filter is bypassed and the access is granted for a user with 
permission Y and not with X.

I am using Shiro 1.4.0-RC2 version and Guice 3.0.

I have also tried using Shiro 1.4.0 with Guice 4.0.


> REST filter bypassing matched path
> --
>
> Key: SHIRO-621
> URL: https://issues.apache.org/jira/browse/SHIRO-621
> Project: Shiro
>  Issue Type: Bug
>  Components: Integration: Guice
>Affects Versions: 1.4.0-RC2, 1.4.0
> Environment: Google App Engine
>Reporter: Shilpi Das
>Assignee: Jared Bunting
>Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), 
> filterConfig(REST, "X"));
>  addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, 
> "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third, 
> the first filter is bypassed and the access is granted for a user with 
> permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.
> With Shiro 1.4.0 and Guice 4.0:
> {{The ShiroWebModule class is creating a randomly ordered path to config map 
> in filterToPathToConfig, because it's using a HashMap instead of a 
> LinkedHashMap.}}
> The offending line is here:
> [https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java|https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/ShiroWebModule.java#L144]
>  #161
> This should be a LinkedHashMap to maintain original user order.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
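
The ordering problem described in the report, as an added example that is not part of the original thread and is not Shiro's code: two overlapping patterns are resolved first-match over a LinkedHashMap, a reversed map, and a HashMap. The class name, the simplified Ant-style matcher and the pattern-to-permission map are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class FilterChainOrderDemo {
    // Simplified Ant-style matcher (not Shiro's AntPathMatcher):
    // "**" spans zero or more path segments, "*" exactly one.
    static boolean match(String[] p, int i, String[] s, int j) {
        if (i == p.length) return j == s.length;
        if (p[i].equals("**"))
            return match(p, i + 1, s, j) || (j < s.length && match(p, i, s, j + 1));
        return j < s.length && (p[i].equals("*") || p[i].equals(s[j]))
                && match(p, i + 1, s, j + 1);
    }

    // First-match resolution: the first pattern in the map's iteration
    // order that matches the path decides which permission is enforced.
    static String requiredPermission(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet())
            if (match(e.getKey().split("/"), 0, path.split("/"), 0))
                return e.getValue();
        return null; // no chain matched
    }

    public static void main(String[] args) {
        // The two chains from the report, in the order they were declared.
        String[][] declared = {
            {"/**/first/second/third/**", "X"},
            {"/**/first/**", "Y"},
        };
        Map<String, String> linked = new LinkedHashMap<>();   // keeps declaration order
        Map<String, String> reversed = new LinkedHashMap<>(); // broader pattern first
        Map<String, String> hashed = new HashMap<>();         // order depends on hash codes
        for (String[] c : declared) {
            linked.put(c[0], c[1]);
            hashed.put(c[0], c[1]);
        }
        for (int k = declared.length - 1; k >= 0; k--)
            reversed.put(declared[k][0], declared[k][1]);

        String path = "/v1/first/second/third";
        System.out.println("declared order : " + requiredPermission(linked, path));
        System.out.println("reversed order : " + requiredPermission(reversed, path));
        System.out.println("HashMap order  : " + requiredPermission(hashed, path)
                + " (iteration order " + hashed.keySet() + ")");
    }
}
```

Both patterns match the request path, so the enforced permission is decided purely by iteration order. HashMap leaves that order unspecified, which is why overlapping chains need an insertion-ordered map.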