You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Shilpi Das (JIRA)" <ji...@apache.org> on 2018/02/14 06:37:00 UTC
[jira] [Updated] (SHIRO-621) REST filter bypassing matched path
[ https://issues.apache.org/jira/browse/SHIRO-621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shilpi Das updated SHIRO-621:
-----------------------------
Affects Version/s: 1.4.0
Description:
The following filter chains are present in configureShiroWeb() function
addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.
I am using Shiro 1.4.0-RC2 version and Guice 3.0.
I have also tried using Shiro 1.4.0 with Guice 4.0.
was:
The following filter chains are present in configureShiroWeb() function
addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.
I am using Shiro 1.4.0-RC2 version and Guice 3.0
> REST filter bypassing matched path
> ----------------------------------
>
> Key: SHIRO-621
> URL: https://issues.apache.org/jira/browse/SHIRO-621
> Project: Shiro
> Issue Type: Bug
> Components: Integration: Guice
> Affects Versions: 1.4.0-RC2, 1.4.0
> Environment: Google App Engine
> Reporter: Shilpi Das
> Assignee: Jared Bunting
> Priority: Major
>
> The following filter chains are present in configureShiroWeb() function
> addFilterChain("/**/first/second/third/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "X"));
> addFilterChain("/**/first/**", filterConfig(AUTHC_BASIC), filterConfig(REST, "Y"));
> When a request is made for an API- example.appspot.com/v1/first/second/third, the first filter is bypassed and the access is granted for a user with permission Y and not with X.
> I am using Shiro 1.4.0-RC2 version and Guice 3.0.
> I have also tried using Shiro 1.4.0 with Guice 4.0.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)