Posted to commits@shiro.apache.org by bd...@apache.org on 2020/08/17 16:57:53 UTC

[shiro-site] branch master updated: add note about global filters in web.html

This is an automated email from the ASF dual-hosted git repository.

bdemers pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 93a7c7d  add note about global filters in web.html
93a7c7d is described below

commit 93a7c7d7f31651a34800d4f6fd3a1b63a38a772d
Author: Brian Demers <bd...@apache.org>
AuthorDate: Mon Aug 17 12:57:43 2020 -0400

    add note about global filters in web.html
---
 web.md.vtl | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/web.md.vtl b/web.md.vtl
index 6ae849a..a98a94a 100644
--- a/web.md.vtl
+++ b/web.md.vtl
@@ -33,6 +33,7 @@ Apache Shiro Web Support
     *   [General Enabling/Disabling](#Web-GeneralEnabling%2FDisabling)
     *   [Request-specific Enabling/Disabling](#Web-RequestspecificEnabling%2FDisabling)
     *   [Path-specific Enabling/Disabling](#Web-PathspecificEnabling%2FDisabling)
+    *   [Global Filters](#Web-globalFilters)
 
 *   [Session Management](#Web-SessionManagement)
 
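Review bot: the new TOC entry links to `#Web-globalFilters`, which breaks the casing convention of its siblings (`#Web-GeneralEnabling%2FDisabling`, `#Web-RequestspecificEnabling%2FDisabling`, `#Web-PathspecificEnabling%2FDisabling` all capitalize the first word after `Web-`). The link does resolve, because the section added further down defines `<a name="Web-globalFilters"></a>`, but the existing Session Management heading carries both `Web-sessionManagement` and `Web-SessionManagement` anchors precisely so either spelling works; suggest either naming the new anchor `Web-GlobalFilters` and linking to that, or adding a second `<a name="Web-GlobalFilters"></a>` next to the lowercase one as the Session Management heading does.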
@@ -395,6 +396,7 @@ The default Filter instances available automatically are defined by the [Default
 | authc | [org.apache.shiro.web.filter.authc.FormAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/FormAuthenticationFilter.html) |
 | authcBasic | [org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html) |
 | authcBearer | [org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/BearerHttpAuthenticationFilter.html) |
+| invalidRequest | [org.apache.shiro.web.filter.InvalidRequestFilter](static/current/apidocs/org/apache/shiro/web/filter/InvalidRequestFilter.html) |
 | logout | [org.apache.shiro.web.filter.authc.LogoutFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/LogoutFilter.html) |
 | noSessionCreation | [org.apache.shiro.web.filter.session.NoSessionCreationFilter](static/current/apidocs/org/apache/shiro/web/filter/session/NoSessionCreationFilter.html) |
 | perms | [org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter](static/current/apidocs/org/apache/shiro/web/filter/authz/PermissionsAuthorizationFilter.html) |
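Review bot: the new `invalidRequest` row is indistinguishable from the other entries, which are filters a reader opts into by naming them in a chain, yet according to the Global Filters text added below this filter is already applied to every route by default via `filterChainResolver.globalFilters`. Someone scanning only this table will not learn that it is already active, or that the section explaining how to disable or tune it exists; suggest a short parenthetical in the row, for example `invalidRequest (enabled on all paths by default, see Global Filters)`, or a sentence under the table pointing to that section.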
@@ -456,6 +458,43 @@ Shiro's [PathMatchingFilter](static/current/apidocs/org/apache/shiro/web/filter/
 
 If you need to be able to react to the matching path and the path-specific configuration to determine if a filter is enabled or disabled, instead of overriding `OncePerRequestFilter` `isEnabled(request,response)` method, you would override the `PathMatchingFilter` `isEnabled(request,response,path,pathConfig)` method instead.
 
+<a name="Web-globalFilters"></a>
+#[[###Global Filters]]#
+
+Starting with Shiro 1.6 the ability to define global filters has been added.  Adding "global filters" will add additional filters to ALL routes, this includes previously configured filter chains as well as unconfigured paths.
+
+By default, the global filters contains the `invalidRequest` filter.  This filter blocks known malicious attacks, see below for configuration details.
+
+Global filters can be customized or disabled, for example
+
+``` ini
+[main]
+...
+# disable Global Filters
+filterChainResolver.globalFilters = null
+```
+
+Define the list of global filters:
+
+``` ini
+[main]
+...
+filterChainResolver.globalFilters = invalidRequest, port
+```
+
+The `invalidRequest` filter blocks requests with non-ascii characters, semicolons, and backslashes, each of these can be disabled independently to allow for backward compatibility.
+
+```ini
+[main]
+...
+invalidRequest.blockBackslash = true
+invalidRequest.blockSemicolon = true
+invalidRequest.blockNonAscii = true
+...
+```
+
+#info('Note', 'If you currently allowing URL rewriting to allow for a <code>jsessionid</code> in the URL, you must set <code>blockSemicolon</code> to <code>false</code>.<BR/><BR/>URL rewriting for <code>jsessionid</code> is defined in section "7.1.3" of the Java Servlet Specification, but it is generally NOT recommended.')
+
 <a name="Web-sessionManagement"></a>
 <a name="Web-SessionManagement"></a>
 Session Management
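Review bot: the `invalidRequest.blockBackslash = true` / `blockSemicolon = true` / `blockNonAscii = true` snippet sets all three flags to the value the surrounding text already treats as the default, so it never demonstrates the "disabled independently" case the preceding sentence promises and that the note right after it requires (`blockSemicolon` must be `false` to keep `jsessionid` URL rewriting working). Suggest replacing at least one line with `invalidRequest.blockSemicolon = false` and stating that all three default to `true`, so the example matches the note. Two smaller points in the same hunk: "This filter blocks known malicious attacks" is vague for a security filter; say directly that it rejects requests whose path contains semicolons, backslashes or non-ASCII characters, as the later paragraph does, and keep the two descriptions consistent. And the `filterChainResolver.globalFilters = invalidRequest, port` example names `port` without any configuration for it; because global filters run on every route including unconfigured paths, a reader copying this line gets the `port` filter applied everywhere with whatever its defaults are, so either add the configuration the reader needs or choose a second filter whose default behaviour is harmless on all paths. Finally, the note text "If you currently allowing URL rewriting" should read "If you currently allow URL rewriting".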