Hey,

I'm seeing some strangeness with Shiro involving double slashes related to 
session tracking and redirection. I'm using Apache Tomcat 9.0.43 and Shiro 
1.8.0. This problem does not appear to occur with Chrome, since it silently 
changes multiple slashes after the host name into a single slash before sending 
the request. The problem does happen with Firefox, IE, and Edge, though.

- When I go to the URL https://webserver/app, it redirects to 
https://webserver/app/, which pulls up https://webserver/app/index.jsp, which 
then redirects to https://webserver/app/DefaultServlet, which works fine
- When I go to the URL https://webserver/app/, it pulls up 
https://webserver/app/index.jsp, which then redirects to 
https://webserver/app/DefaultServlet, which works fine
- When I go to the URL https://webserver/app/DefaultServlet, this works fine
- When I go to the URL https://webserver/app//DefaultServlet, this works fine
- When I go to the URL https://webserver//app, it redirects to 
https://webserver/app/, which pulls up https://webserver/app/index.jsp, which 
then redirects to https://webserver/app/DefaultServlet, which works fine

However, problems happen when I have two slashes immediately after the host 
name, followed by a path with more slashes:
- When I go to the URL https://webserver//app/, it appears to kill the Shiro 
login session and redirects to my login page. After I log in, it tries to send 
me to the URL I originally requested, but instead sends me to https://app/
- When I go to the URL https://webserver//app/DefaultServlet, it appears to 
kill the Shiro login session and redirects to my login page. After I log in, it 
tries to send me to the URL I originally requested, but instead redirects me to 
https://app/DefaultServlet

Shiro seems to be running into some sort of confusion when it hits that 
double-slash. When the problem occurs, the session gets destroyed for some 
reason, and the code within Shiro that redirects to the original URL seems to 
lose the hostname portion of the URL. Has anyone encountered this sort of 
problem? I'm just trying to determine whether this is a bug with Shiro or some 
sort of configuration/code issue.

Thanks,

-Bill
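
The redirect to https://app/DefaultServlet reported above matches how browsers resolve a redirect target that begins with `//`: it is read as scheme-relative, so the first path segment becomes the host. The following is an added example, not part of the original message and not Shiro's code; it assumes the saved request path is returned unchanged in the Location header, and `LOGIN_PAGE`, `resolveLocation`, `staysOnOrigin` and `normalizeSavedPath` are hypothetical names.

```javascript
// Added example, not code from Shiro or from the post.
// ASSUMPTION: after login the server sends the saved request path back
// unchanged in the Location header; the post does not show that header.

// Constructed: the post does not give the login page URL.
const LOGIN_PAGE = "https://webserver/app/login.jsp";

// Resolve a Location value against the current page as a browser does.
function resolveLocation(location, currentUrl) {
  return new URL(location, currentUrl).href;
}

// True when the redirect target stays on the origin that issued it.
function staysOnOrigin(location, currentUrl) {
  return new URL(location, currentUrl).origin === new URL(currentUrl).origin;
}

// Hypothetical helper: collapse a leading run of slashes to one, so the
// saved path cannot be read as a scheme-relative "//host/path" reference.
// Backslashes are included because browsers treat "\" as "/" in http(s) URLs.
function normalizeSavedPath(savedPath) {
  return savedPath.replace(/^[\/\\]{2,}/, "/");
}

// Request paths taken from the cases listed in the post.
const PATHS = ["/app/DefaultServlet", "/app//DefaultServlet", "//app/", "//app/DefaultServlet"];

function demo() {
  return PATHS.map((path) => ({
    path,
    raw: resolveLocation(path, LOGIN_PAGE),
    rawSameOrigin: staysOnOrigin(path, LOGIN_PAGE),
    fixed: resolveLocation(normalizeSavedPath(path), LOGIN_PAGE),
  }));
}

console.table(demo());
```

A server-side check equivalent to `staysOnOrigin` before issuing the redirect catches the same condition without rewriting the path.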
