This is an automated email from the ASF dual-hosted git repository.
lprimak pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/shiro-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new a2a660f97 update
a2a660f97 is described below
commit a2a660f97c9c554c5fa4a8373c158f0d7714068b
Author: lprimak <[email protected]>
AuthorDate: Tue Jan 13 16:21:38 2026 -0600
update
---
.well-known/security.txt | 2 +-
feed.xml | 2 +-
security-model.html | 2 +-
web.html | 25 +++++++++++++++++++++++++
4 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/.well-known/security.txt b/.well-known/security.txt
index fe241863e..0c2d7cf41 100644
--- a/.well-known/security.txt
+++ b/.well-known/security.txt
@@ -1,5 +1,5 @@
Contact: mailto:[email protected]
-Expires: 2027-01-13T22:06:37Z
+Expires: 2027-01-13T22:20:45Z
Preferred-Languages: en
Canonical: https://shiro.apache.org/.well-known/security.txt
Policy: https://shiro.apache.org/security-reports.html
\ No newline at end of file
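Review bot: The Expires line is the only change here, moving from 22:06:37Z to 22:20:45Z in step with the <updated> field in feed.xml, so it looks like a build timestamp that will churn on every site push. Consider deriving it from a date that is bumped deliberately. The value also sits a full year ahead of the commit date, while RFC 9116 recommends an Expires less than a year in the future.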
diff --git a/feed.xml b/feed.xml
index 65daa021f..dfd5f30d9 100644
--- a/feed.xml
+++ b/feed.xml
@@ -4,7 +4,7 @@
<subtitle>Simple. Java. Security.</subtitle>
<link href="https://shiro.apache.org/"/>
<link rel="self" href="https://shiro.apache.org/feed.xml" />
- <updated>2026-01-13T22:06:37Z</updated>
+ <updated>2026-01-13T22:20:45Z</updated>
<author>
<name>Les Hazlewood</name>
diff --git a/security-model.html b/security-model.html
index 6c751c2e0..07ad67339 100644
--- a/security-model.html
+++ b/security-model.html
@@ -501,7 +501,7 @@ Operators should implement these controls at the
application or infrastructure l
<div class="ulist">
<ul>
<li>
-<p>Shiro’s cryptographic utilities are wrappers around standard Java
cryptography (JCA/JCE).</p>
+<p>Shiro’s cryptographic utilities are wrappers around standard Java
cryptography (JCA/JCE) and <code>BouncyCastle</code> libraries.</p>
</li>
<li>
<p><strong>Algorithm Selection</strong>: Operators must choose appropriate
algorithms. Avoid deprecated algorithms (MD5, SHA-1 for security purposes).</p>
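Review bot: The reworded bullet adds BouncyCastle to the security model without saying which Shiro utilities rely on it, so operators cannot tell which features bring the extra dependency into their trust boundary. Name the affected utilities, or link to where they are listed, and say that the library must be kept patched alongside the JDK provider. The <code> markup around BouncyCastle also reads as an identifier rather than a library name; plain text would be clearer.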
diff --git a/web.html b/web.html
index 0d4f9c8ae..3cae5dacb 100644
--- a/web.html
+++ b/web.html
@@ -249,6 +249,7 @@
<li><a href="#request_specific_enablingdisabling">Request-specific
Enabling/Disabling</a></li>
<li><a href="#path_specific_enablingdisabling">Path-specific
Enabling/Disabling</a></li>
<li><a href="#global_filters">Global Filters</a></li>
+<li><a href="#cors_support">CORS Support</a></li>
<li><a href="#http_strict_transport_security_hsts">HTTP Strict Transport
Security (HSTS)</a></li>
</ul>
</li>
@@ -991,6 +992,30 @@ invalidRequest.blockNonAscii = true
</div>
</div>
<div class="sect2">
+<h3 id="cors_support">CORS Support</h3>
+<div class="paragraph">
+<p>When using HTTP-based authentication (like Basic Auth or Bearer Token) in a
browser-based application, Cross-Origin Resource Sharing (CORS) pre-flight
<code>OPTIONS</code> requests are often sent by the browser. By default, these
requests might be rejected if they do not contain authentication headers.</p>
+</div>
+<div class="paragraph">
+<p>To allow pre-flight <code>OPTIONS</code> requests to pass through the
authentication filter without requiring credentials, you can configure the
<code>allowPreFlightRequests</code> property on any filter extending
<code>HttpAuthenticationFilter</code>.</p>
+</div>
+<div class="paragraph">
+<p>This is commonly used with <code>authcBasic</code> (Basic Auth) or
<code>authcBearer</code> (Bearer Token / JWT).</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlightjs highlight"><code class="language-ini hljs"
data-lang="ini">[main]
+...
+# Example 1: Configuring Basic Auth for CORS
+authcBasic.allowPreFlightRequests = true
+
+# Example 2: Configuring Bearer Auth (if used) for CORS
+authcBearer.allowPreFlightRequests = true
+...</code></pre>
+</div>
+</div>
+</div>
+<div class="sect2">
<h3 id="http_strict_transport_security_hsts">HTTP Strict Transport Security
(HSTS)</h3>
<div class="paragraph">
<p>The <a
href="static/current/apidocs/shiro-web/org/apache/shiro/web/filter/authz/SslFilter.html">SslFilter</a>
(and all of its subclasses) supports enabling/disabling HTTP Strict Transport
Security (HSTS).</p>
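Review bot: The added CORS Support paragraphs say pre-flight OPTIONS requests "pass through the authentication filter without requiring credentials" but never define what counts as pre-flight. State whether allowPreFlightRequests exempts every OPTIONS request or only those carrying Origin and Access-Control-Request-Method, because in the first case any handler that does real work on OPTIONS becomes reachable unauthenticated. The section should also give the property's default value, replace "might be rejected" with the actual default behaviour, and say whether the Access-Control-Allow-* response headers still have to be produced by the application or a separate CORS filter.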