Alex, I have that behaviour. But think about a case: I have added a new call in the server, "/rest/blah", but I haven't added it in shiro.ini (by mistake). In that case, if I try to access "/rest/blah", shiro will allow it. But as a security concern, shiro shouldn't do that. The default nature should be "denial".

On Fri, 26 Feb 2016 at 16:20 Alex Ditu <[email protected]> wrote:

> I meant put it last in shiro.ini, in [urls] section. But you have to match
> all your other urls. If you have 3 pages, you could do something like this:
>
> [urls]
> /page1 = anon
> /page2 = authc
> /page3 = authc
>
> #anything else
> /** = forbbidenUrlFilter
>
> But you need to specify all the good urls before the last filter, which is
> hard if you have too many pages.
>
> Why do you need this, isn't your server default behavior to return 404 if
> the page isn't found?
>
> On Fri, Feb 26, 2016 at 12:42 PM, Mohit Srivastava <
> [email protected]> wrote:
>
>> Alex,
>>
>> I already have a filter, but it isn't working. The logic in preHandle
>> of PathMatchingFilter is to allow the url if it does not match. I override
>> that logic.
>> Also can you please explain what do you mean by "put it at last"?
>>
>> public class ForbiddenUrlFilter extends PathMatchingFilter
>> {
>>
>>     private static final Logger log = LoggerFactory.getLogger(ForbiddenUrlFilter.class);
>>
>>     @Override
>>     protected boolean preHandle(final ServletRequest request, final ServletResponse response) throws Exception {
>>         if (appliedPaths == null || appliedPaths.isEmpty()) {
>>             return true;
>>         }
>>
>>         for (final String path : appliedPaths.keySet()) {
>>             if (pathsMatch(path, request)) {
>>                 log.trace("Current requestURI matches pattern \'{}\'. Determining filter chain execution...", path);
>>                 return true;
>>             }
>>         }
>>         WebUtils.toHttp(response).sendError(404);
>>         return false;
>>     }
>> }
>>
>> On Fri, 26 Feb 2016 at 15:52 Alex Ditu <[email protected]> wrote:
>>
>>> Use a filter to redirect the request or tell the user that path doesn't
>>> exist, and put it last and make it match everything, like this:
>>>
>>> [urls]
>>> ...
>>> /** = yourFilterForBadPath
>>>
>>> On Thu, Feb 25, 2016 at 11:26 PM, Mohit Srivastava <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Shiro's default behaviour for path mismatch is nothing. I mean if a
>>>> request url path doesn't match anything defined in Filter chain, shiro
>>>> used to pass it instead of failing.
>>>>
>>>> Is there a way I can simply reject those paths which are not defined in
>>>> filterchain?
>>>>
>>>> Thanks & Regards,
>>>> Mohit
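
The fall-through discussed in this thread, and the effect of a trailing /** rule, as an added example that is not part of the thread or of Shiro: a small Python check that reads a [urls] section, resolves paths first-match-wins, and reports paths no rule covers. The Ant-style matcher is a simplified stand-in for Shiro's own, and the function names are assumptions; the sample rules are constructed from the ones quoted above.

```python
import re

# Constructed sample: the [urls] rules from the thread, without and with the catch-all.
URLS_OPEN = "[urls]\n/page1 = anon\n/page2 = authc\n/page3 = authc\n"
URLS_CLOSED = URLS_OPEN + "#anything else\n/** = forbbidenUrlFilter\n"

def parse_urls(ini_text):
    """Return the ordered (pattern, chain) pairs of the [urls] section."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
        elif in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_to_regex(pattern):
    """Simplified Ant-style matching: ** spans segments, * and ? stay in one."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens) + r"\Z")

def resolve(rules, path):
    """First matching pattern wins; None means no Shiro filter chain applies."""
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return chain
    return None

def audit(ini_text, endpoints):
    """Report a missing or open catch-all and every endpoint no rule covers."""
    rules = parse_urls(ini_text)
    findings = []
    if not rules or rules[-1][0] != "/**":
        findings.append("no trailing /** rule: unmatched paths bypass Shiro")
    elif rules[-1][1] == "anon":
        findings.append("trailing /** rule is anon: unmatched paths stay open")
    for path in endpoints:
        if resolve(rules, path) is None:
            findings.append(f"{path} matches no rule")
    return findings

if __name__ == "__main__":
    print(audit(URLS_OPEN, ["/page1", "/rest/blah"]))
    print(audit(URLS_CLOSED, ["/page1", "/rest/blah"]))
```

Run against the deployed shiro.ini with the server's registered routes as the endpoint list, a non-empty result can fail the build before a forgotten path ships.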
