Yup, this is expected if you are using the `shiro-servlet-plugin`, This module contains a web.xml fragment that is loaded automatically from your classpath. If you need more control you can use the `shiro-web` module directly and configure your web.xml (or equivalent) configuration.
The `shiro-servlet-plugin` jar file just contains this file: https://github.com/apache/shiro/blob/master/support/servlet-plugin/src/main/resources/META-INF/web-fragment.xml Does that help? On Tue, Sep 15, 2020 at 12:03 AM mbaron <[email protected]> wrote: > I have nothing in web.xml, but shiro still bootstraps itself and protects > resources defined in shiro.ini. Is this expected behavior? > > If I add elements to web.xml along the lines of what is described here > https://shiro.apache.org/web.html, I see no difference in how my web > application is secured. > > This holds true on tomcat 9.0.30 and Google Cloud Platform App Engine. > > > > -- > Sent from: http://shiro-user.582556.n2.nabble.com/ >
