oss-sec mailing list archives

[CVE-2020-17510] Apache Shiro Authentication Bypass Vulnerability


From: Brian Demers <bdemers () apache org>
Date: Wed, 4 Nov 2020 16:30:27 -0500

In Apache Shiro before 1.7.0, when Shiro is used with Spring, a specially
crafted HTTP request may cause an authentication bypass.

If you are NOT using Shiro's Spring Boot Starter
(`shiro-spring-boot-web-starter`), you must add the
ShiroRequestMappingConfig auto configuration[1] to your application or
configure the equivalent manually[2].
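As an added example (not code from the advisory or from the Shiro project), the two ways a plain Spring MVC application without the Boot starter can apply the step above. Option 1 imports the class named in [1]. Option 2 is a hand-written equivalent of what that class does in the 1.7.0 source linked in [2]: it points Spring MVC's RequestMappingHandlerMapping at Shiro's ShiroUrlPathHelper, so the controller a request is routed to and the filter chain that guards it are both chosen from the same normalized path. The application package name is hypothetical; the Shiro package names are taken from the 1.7.0 source tree and should be checked against [2] for your version.

```java
// Added example, not part of the advisory or of Apache Shiro itself.
// Registers Shiro's request-mapping configuration in a Spring MVC
// application that does NOT use shiro-spring-boot-web-starter.
package com.example.security;   // hypothetical application package

import org.apache.shiro.spring.web.ShiroUrlPathHelper;                      // assumed location, see [2]
import org.apache.shiro.spring.web.config.ShiroRequestMappingConfig;         // class named in the advisory
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

/**
 * Option 1 (preferred): import the configuration class that shiro-spring
 * 1.7.0 and later ship. Nothing else needs to be written.
 */
@Configuration
@Import(ShiroRequestMappingConfig.class)
public class ShiroPathMatchingConfig {
}

/**
 * Option 2: the manual equivalent, for applications that cannot import the
 * class (for example, because they assemble the Spring context by hand).
 * Spring MVC's request mapping is told to resolve paths with Shiro's own
 * UrlPathHelper, so routing and Shiro's filter chain agree on the path.
 * Use one option or the other, not both.
 */
@Configuration
class ManualShiroPathMatchingConfig {

    @Autowired
    public void alignRequestMapping(RequestMappingHandlerMapping mapping) {
        // Assumption: ShiroUrlPathHelper has a public no-arg constructor, as it
        // does in the 1.7.0 source; the shipped config receives it as a bean.
        mapping.setUrlPathHelper(new ShiroUrlPathHelper());
    }
}
```

Whichever option is used, confirm at startup (for instance in a context test) that the RequestMappingHandlerMapping bean's UrlPathHelper is the Shiro one; if a later configuration class replaces it with a default UrlPathHelper, the mitigation is silently undone.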

[0] https://www.apache.org/security/
[1] https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig
[2] https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30
