add note about global filters in web.html
diff --git a/web.md.vtl b/web.md.vtl
index 6ae849a..a98a94a 100644
--- a/web.md.vtl
+++ b/web.md.vtl
@@ -33,6 +33,7 @@
     *   [General Enabling/Disabling](#Web-GeneralEnabling%2FDisabling)
     *   [Request-specific Enabling/Disabling](#Web-RequestspecificEnabling%2FDisabling)
     *   [Path-specific Enabling/Disabling](#Web-PathspecificEnabling%2FDisabling)
+    *   [Global Filters](#Web-globalFilters)
 
 *   [Session Management](#Web-SessionManagement)
 
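Review bot: the new table-of-contents entry links to `#Web-globalFilters` with a lowercase `g`, while the sibling entries in this list use capitalized fragments (`#Web-GeneralEnabling%2FDisabling`, `#Web-PathspecificEnabling%2FDisabling`). The link resolves because the anchor added later in this patch uses the same spelling, but `Web-GlobalFilters` would match the surrounding convention. Alternatively, define both spellings, as the page already does for `Web-sessionManagement` and `Web-SessionManagement`.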
@@ -395,6 +396,7 @@
 | authc | [org.apache.shiro.web.filter.authc.FormAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/FormAuthenticationFilter.html) |
 | authcBasic | [org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html) |
 | authcBearer | [org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/BearerHttpAuthenticationFilter.html) |
+| invalidRequest | [org.apache.shiro.web.filter.InvalidRequestFilter](static/current/apidocs/org/apache/shiro/web/filter/InvalidRequestFilter.html) |
 | logout | [org.apache.shiro.web.filter.authc.LogoutFilter](static/current/apidocs/org/apache/shiro/web/filter/authc/LogoutFilter.html) |
 | noSessionCreation | [org.apache.shiro.web.filter.session.NoSessionCreationFilter](static/current/apidocs/org/apache/shiro/web/filter/session/NoSessionCreationFilter.html) |
 | perms | [org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter](static/current/apidocs/org/apache/shiro/web/filter/authz/PermissionsAuthorizationFilter.html) |
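Review bot: the new `invalidRequest` row gives no hint that this filter behaves differently from its neighbours. According to the Global Filters section added in this patch, it is applied to all routes by default. Consider a short remark or a link to `#Web-globalFilters` next to the table so a reader scanning the default filter list learns that this one is already active without appearing in any `[urls]` chain.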
@@ -456,6 +458,43 @@
 
 If you need to be able to react to the matching path and the path-specific configuration to determine if a filter is enabled or disabled, instead of overriding `OncePerRequestFilter` `isEnabled(request,response)` method, you would override the `PathMatchingFilter` `isEnabled(request,response,path,pathConfig)` method instead.
 
+<a name="Web-globalFilters"></a>
+#[[###Global Filters]]#
+
+Starting with Shiro 1.6 the ability to define global filters has been added.  Adding "global filters" will add additional filters to ALL routes, this includes previously configured filter chains as well as unconfigured paths.
+
+By default, the global filters contains the `invalidRequest` filter.  This filter blocks known malicious attacks, see below for configuration details.
+
+Global filters can be customized or disabled, for example
+
+``` ini
+[main]
+...
+# disable Global Filters
+filterChainResolver.globalFilters = null
+```
+
+Define the list of global filters:
+
+``` ini
+[main]
+...
+filterChainResolver.globalFilters = invalidRequest, port
+```
+
+The `invalidRequest` filter blocks requests with non-ascii characters, semicolons, and backslashes, each of these can be disabled independently to allow for backward compatibility.
+
+```ini
+[main]
+...
+invalidRequest.blockBackslash = true
+invalidRequest.blockSemicolon = true
+invalidRequest.blockNonAscii = true
+...
+```
+
+#info('Note', 'If you currently allowing URL rewriting to allow for a <code>jsessionid</code> in the URL, you must set <code>blockSemicolon</code> to <code>false</code>.<BR/><BR/>URL rewriting for <code>jsessionid</code> is defined in section "7.1.3" of the Java Servlet Specification, but it is generally NOT recommended.')
+
 <a name="Web-sessionManagement"></a>
 <a name="Web-SessionManagement"></a>
 Session Management
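Review bot: the last ini example, introduced by "each of these can be disabled independently", sets `blockBackslash`, `blockSemicolon` and `blockNonAscii` all to `true`, so it never shows a disabled setting. Either show one `false` value (the `blockSemicolon` case from the note is the obvious candidate) or state explicitly that `true` is the default and the block only lists the available properties. Further points in the same section: "blocks known malicious attacks" does not say what is blocked until three paragraphs later, so move the list of non-ASCII characters, semicolons and backslashes up or reword the sentence. The `filterChainResolver.globalFilters = null` example should say that it also removes the default `invalidRequest` filter. In the list example, `port` is not explained, and it is worth stating that `invalidRequest` has to be repeated in the list if it is to stay active. The `#info` text reads "If you currently allowing" and should read "If you are currently allowing". The first two fences are written with a space before `ini` and the third without; pick one form.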