Apache Shiro before 1.3.2, when using a non-root servlet context path, specifically crafted requests can be used to by pass some security servlet filters, resulting in unauthorized access.
Created shiro tracking bugs for this issue:
Affects: fedora-24 [bug 1375885]
shiro-1.3.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.