Apache Shiro prior to 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
apache shiro