You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Jon Steege (JIRA)" <ji...@apache.org> on 2014/04/22 19:34:19 UTC

[jira] [Updated] (SHIRO-497) setFilterChainDefinitionMap accepts Map interface objects, whose implementations are mostly unordered

     [ https://issues.apache.org/jira/browse/SHIRO-497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Steege updated SHIRO-497:
-----------------------------

    Description: 
org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method,  setFilterChainDefinitionMap which accepts Map interface objects. Most Map interface objects have no guaranteed order,  but the filter chain definitions rely heavily on specific ordering for the application of rules. 

For example, 

{code}
    Map<String, String> filterChainDefs = new HashMap<String, String>();
    filterChainDefs.put("/s/test", "authc");
    filterChainDefs.put("/s/**", "anon");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);
{code}

In this example, this structure is acceptable to the setter on shiroFilterFactoryBean, but will non-deterministically allow or deny access to /s/test between server restarts. 

  was:
org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method,  setFilterChainDefinitionMap which accepts Map interface objects. Most Map interface objects have no guaranteed order,  but the filter chain definitions rely heavily on specific ordering for the application of rules. 

For example, 

{code}
    Map<String, String> filterChainDefs = new LinkedHashMap<String, String>();
    filterChainDefs.put("/s/test", "authc");
    filterChainDefs.put("/s/**", "anon");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);
{code}

In this example, this structure is acceptable to the setter on shiroFilterFactoryBean, but will non-deterministically allow or deny access to /s/test between server restarts. 


> setFilterChainDefinitionMap accepts Map interface objects, whose implementations are mostly unordered
> -----------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-497
>                 URL: https://issues.apache.org/jira/browse/SHIRO-497
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Jon Steege
>            Priority: Minor
>
> org.apache.shiro.spring.web.ShiroFilterFactoryBean has a method,  setFilterChainDefinitionMap which accepts Map interface objects. Most Map interface objects have no guaranteed order,  but the filter chain definitions rely heavily on specific ordering for the application of rules. 
> For example, 
> {code}
>     Map<String, String> filterChainDefs = new HashMap<String, String>();
>     filterChainDefs.put("/s/test", "authc");
>     filterChainDefs.put("/s/**", "anon");
>     shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefs);
> {code}
> In this example, this structure is acceptable to the setter on shiroFilterFactoryBean, but will non-deterministically allow or deny access to /s/test between server restarts. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)