Author: bdemers
Date: Mon Aug 17 16:58:12 2020
New Revision: 1880940
URL: http://svn.apache.org/viewvc?rev=1880940&view=rev
Log:
update shiro site based on master
Modified:
shiro/site/publish/web.html
Modified: shiro/site/publish/web.html
URL:
http://svn.apache.org/viewvc/shiro/site/publish/web.html?rev=1880940&r1=1880939&r2=1880940&view=diff
==============================================================================
--- shiro/site/publish/web.html (original)
+++ shiro/site/publish/web.html Mon Aug 17 16:58:12 2020
@@ -307,6 +307,7 @@
<li><a href="#Web-GeneralEnabling%2FDisabling">General
Enabling/Disabling</a></li>
<li><a href="#Web-RequestspecificEnabling%2FDisabling">Request-specific
Enabling/Disabling</a></li>
<li><a href="#Web-PathspecificEnabling%2FDisabling">Path-specific
Enabling/Disabling</a></li>
+ <li><a href="#Web-globalFilters">Global Filters</a></li>
</ul>
</li>
<li>
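Review bot: the new TOC target "#Web-globalFilters" starts its second word in lower case, while the sibling entries in this list use "#Web-GeneralEnabling...", "#Web-RequestspecificEnabling..." and "#Web-PathspecificEnabling...". The link resolves only because the anchor added with the new section uses the same spelling, so either keep the two in sync or rename both to "Web-GlobalFilters" to follow the existing pattern.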
@@ -651,6 +652,10 @@ authc.loginUrl = /login.jsp
<td><a
href="static/current/apidocs/org/apache/shiro/web/filter/authc/BearerHttpAuthenticationFilter.html">org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter</a>
</td>
</tr>
<tr>
+ <td>invalidRequest </td>
+ <td><a
href="static/current/apidocs/org/apache/shiro/web/filter/InvalidRequestFilter.html">org.apache.shiro.web.filter.InvalidRequestFilter</a>
</td>
+ </tr>
+ <tr>
<td>logout </td>
<td><a
href="static/current/apidocs/org/apache/shiro/web/filter/authc/LogoutFilter.html">org.apache.shiro.web.filter.authc.LogoutFilter</a>
</td>
</tr>
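Review bot: the new "invalidRequest" row gives only the filter name and class, so a reader scanning this table cannot tell that this is the filter the Global Filters section says is applied to all routes by default. Consider linking the name cell to "#Web-globalFilters", or adding a short remark in the row, so the default behaviour is discoverable from the filter list.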
@@ -716,6 +721,34 @@ ssl.enabled = false
<h3>Path-specific Enabling/Disabling</h3>
<p>Shiro’s <a
href="static/current/apidocs/org/apache/shiro/web/filter/PathMatchingFilter.html">PathMatchingFilter</a>
(a subclass of <code>OncePerRequestFilter</code> has the ability to react to
configuration based on a <em>specific path</em> being filtered. This means you
can enable or disable a filter based on the path and the path-specific
configuration in addition to the incoming request and response.</p>
<p>If you need to be able to react to the matching path and the path-specific
configuration to determine if a filter is enabled or disabled, instead of
overriding <code>OncePerRequestFilter</code>
<code>isEnabled(request,response)</code> method, you would override the
<code>PathMatchingFilter</code>
<code>isEnabled(request,response,path,pathConfig)</code> method instead.</p>
+<a name="Web-globalFilters"></a>
+<h3><a href="#global-filters" name="global-filters">Global Filters</a></h3>
+<p>Starting with Shiro 1.6 the ability to define global filters has been
added. Adding “global filters” will add additional filters to ALL
routes, this includes previously configured filter chains as well as
unconfigured paths.</p>
+<p>By default, the global filters contains the <code>invalidRequest</code>
filter. This filter blocks known malicious attacks, see below for configuration
details.</p>
+<p>Global filters can be customized or disabled, for example</p>
+<pre><code class="ini">[main]
+...
+# disable Global Filters
+filterChainResolver.globalFilters = null
+</code></pre>
+<p>Define the list of global filters:</p>
+<pre><code class="ini">[main]
+...
+filterChainResolver.globalFilters = invalidRequest, port
+</code></pre>
+<p>The <code>invalidRequest</code> filter blocks requests with non-ascii
characters, semicolons, and backslashes, each of these can be disabled
independently to allow for backward compatibility.</p>
+<pre><code class="ini">[main]
+...
+invalidRequest.blockBackslash = true
+invalidRequest.blockSemicolon = true
+invalidRequest.blockNonAscii = true
+...
+</code></pre>
+<div class="alert alert-info">
+ <span class="glyphicon glyphicon-info-sign"></span> <strong>Note</strong>
+ <hr class="message-inner-separator">
+ <p>If you currently allowing URL rewriting to allow for a
<code>jsessionid</code> in the URL, you must set <code>blockSemicolon</code> to
<code>false</code>.<BR/><BR/>URL rewriting for <code>jsessionid</code> is
defined in section "7.1.3" of the Java Servlet Specification, but it is
generally NOT recommended.</p>
+</div>
<a name="Web-sessionManagement"></a>
<a name="Web-SessionManagement"></a>
<h2><a href="#session-management" name="session-management">Session
Management</a></h2>
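Review bot: the first example in the new section is "filterChainResolver.globalFilters = null", and the text never says that this removes the invalidRequest check from every route, including previously configured chains. Since the section presents invalidRequest as the default protection, I would put the "Define the list of global filters" example first, say there that the list replaces the default (so leaving out invalidRequest drops it), and add one sentence on what disabling means. Three smaller points: "blocks known malicious attacks, see below for configuration details" is vague and could name the three checks right there (non-ASCII characters, semicolons, backslashes); the block setting blockBackslash, blockSemicolon and blockNonAscii to true does not say whether those are the defaults or have to be set explicitly; and in the note, "If you currently allowing URL rewriting" should read "If you are currently allowing", with the "<BR/><BR/>" better written as a second paragraph.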