I have a servlet application running in tomcat with shiro authentication. My servlet URL looks like this

 http://builds/Query/User?which_option=ui_data&which_out=json

The "which_option" in the above URL can take various values. I want to authenticate only those URLs having "which_option=ui_data" in shiro. I tried the following using regex in URL filtering in my shiro.ini.

[urls]
/Query/User*ui_data* = authcBuilds

But that does not work. The Shiro URL configuration page mentions that the URL expression must be a URL_Ant_Path_Expression. The Ant path expression seems to apply to matching only file names, and not part of a URL string.

Is there any other way to do this (URL regex matching)? Or else I have to shift my code to another servlet like

http://builds/Query/UI_Data

and use the following authentication in shiro.ini

[urls]
/Query/UI_Data* = authcBuilds
r_k

1 Answer

Shiro's implementation of AntMatcher org.apache.shiro.util.AntMatcher does match your URL as required.

import org.apache.shiro.util.AntPathMatcher;
import org.junit.Test;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

public class AntMatcherTest {

    @Test
    public void match() {
        final AntPathMatcher matcher = new AntPathMatcher();

        assertTrue(matcher.match("/Query/User*ui_data*", "/Query/User?which_option=ui_data"));
    }

    @Test
    public void noMatch() {
        final AntPathMatcher matcher = new AntPathMatcher();

        assertFalse(matcher.match("/Query/User*ui_data*", "/Query/User?which_option="));
    }
}

Shiro's implementation of javax.servlet.http.HttpServletRequest splits the URL into parts: Everything but the query string goes into the URL which is used in the match. Therefore it won't match query parameters.

Write your own FormAuthenticationFilter and you will have access to the ServletRequest to inspect the query parameters.

dom farr
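
A sketch of the custom filter the answer suggests, added here as an example and not code from the answer or from Shiro itself. The class name `QueryParamAuthcFilter` and its package are hypothetical, and it assumes the servlet reads `which_option` through the standard servlet parameter API with an exact, case-sensitive comparison.

```java
package com.example.security; // hypothetical package name

import java.util.Arrays;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/**
 * Added example: requires authentication only when the request carries
 * which_option=ui_data. The [urls] pattern matches the path only, and the
 * query parameter is checked here instead:
 *
 *   [main]
 *   authcBuilds = com.example.security.QueryParamAuthcFilter
 *   [urls]
 *   /Query/User = authcBuilds
 */
public class QueryParamAuthcFilter extends FormAuthenticationFilter {

    private static final String PARAM = "which_option";
    private static final String PROTECTED_VALUE = "ui_data";

    /** True if any occurrence of the parameter selects the protected option. */
    static boolean selectsProtectedOption(String[] values) {
        // Check every occurrence, so ?which_option=x&which_option=ui_data
        // cannot slip past a check that reads only the first value.
        return values != null
                && Arrays.stream(values).anyMatch(PROTECTED_VALUE::equals);
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        if (!selectsProtectedOption(request.getParameterValues(PARAM))) {
            return true; // other options stay unauthenticated, as in the question
        }
        // Protected option: defer to Shiro's normal authenticated-subject check.
        return super.isAccessAllowed(request, response, mappedValue);
    }
}
```

The servlet has to interpret `which_option` exactly as the filter does (same case handling, same choice among repeated values); otherwise the two can disagree about whether a request is protected.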