[PR] Add Security Model documentation (#243) [shiro-site]

[via GitHub]

GaneshPatil7517 opened a new pull request, #259:
URL: https://github.com/apache/shiro-site/pull/259

   ## Summary
   
   This PR adds a Security Model documentation page for Apache Shiro, 
addressing the ASF recommendation that projects document their security 
assumptions and guarantees.
   
   Closes #243
   
   ## Changes
   
   - Added `src/site/content/security-model.adoc` containing comprehensive 
security model documentation
   
   ## Documentation Content
   
   The security model document covers:
   
   - **Trust Boundaries** - Application-level trust assumptions and input trust 
expectations
   - **Authentication Guarantees** - What Shiro provides vs. operator 
responsibilities (credential storage, brute-force protection, username 
enumeration considerations)
   - **Authorization Guarantees** - Permission resolution, role checking, 
wildcard permissions
   - **Session Management** - Container-independent sessions, security 
considerations for session storage
   - **Cryptography** - Hashing and encryption capabilities, algorithm 
selection guidance
   - **Web Security** - Filter chains, path matching, path traversal 
considerations
   - **Logging** - What gets logged and log security recommendations
   - **Deployment Recommendations** - Minimum security baseline and 
defense-in-depth guidance
   - **Vulnerability Reporting** - Links to security reporting process
   
   ## References
   
   - ASF Security Model Guidelines: 
https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model
   - Similar examples: [Apache 
Commons](https://commons.apache.org/security.html#Security_Model), [Apache 
Airflow](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html)
   
   ## Verification Checklist
   
   -  Follows existing Shiro site documentation style (AsciiDoc format)
   - Uses standard JBake metadata headers
   -  Links to existing Shiro documentation pages (architecture, 
authentication, authorization, etc.)
   -  Includes security reporting contact information
   -  Covers key security considerations from ASF guidelines (trust boundaries, 
operator responsibilities, input handling)
   -  No sensitive information disclosed
   -  Professional, clear technical writing
   
   ## Testing
   
   To preview locally:
   ```bash
   mvn clean generate-resources -Pgenerate-site


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@shiro.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org