In Apache Shiro before 1.3.2, when using a non-root servlet context path, specifically crafted requests can be used to bypass some security servlet filters, resulting in unauthorized access.

References: http://seclists.org/oss-sec/2016/q3/488
Created shiro tracking bugs for this issue: Affects: fedora-24 [bug 1375885]
shiro-1.3.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.