This is an automated email from the ASF dual-hosted git repository.

lprimak pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/shiro-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 4306f3fb9 update
4306f3fb9 is described below

commit 4306f3fb9eb4a65cda2481677588f7ca6771189b
Author: lprimak <[email protected]>
AuthorDate: Tue Jan 13 16:07:11 2026 -0600

    update
---
 .well-known/security.txt | 2 +-
 feed.xml                 | 2 +-
 jakarta-ee.html          | 2 +-
 security-model.html      | 8 +++++---
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.well-known/security.txt b/.well-known/security.txt
index d863873f4..fe241863e 100644
--- a/.well-known/security.txt
+++ b/.well-known/security.txt
@@ -1,5 +1,5 @@
 Contact: mailto:[email protected]
-Expires: 2027-01-13T21:57:26Z
+Expires: 2027-01-13T22:06:37Z
 Preferred-Languages: en
 Canonical: https://shiro.apache.org/.well-known/security.txt
 Policy: https://shiro.apache.org/security-reports.html
\ No newline at end of file
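Review bot: The only change in this hunk is the Expires value, moved by about nine minutes to 2027-01-13T22:06:37Z, which reads as a timestamp regenerated on every site build rather than a deliberate edit. That puts a diff in security.txt on each publish and sets the expiry a full year after the commit date (2026-01-13), while RFC 9116 recommends an Expires value less than a year in the future. Consider setting the date deliberately, or generating it somewhat under a year out, so that real changes to Contact or Policy stand out in review.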
diff --git a/feed.xml b/feed.xml
index 4da869cc4..65daa021f 100644
--- a/feed.xml
+++ b/feed.xml
@@ -4,7 +4,7 @@
   <subtitle>Simple. Java. Security.</subtitle>
   <link href="https://shiro.apache.org/"/>
   <link rel="self" href="https://shiro.apache.org/feed.xml"; />
-  <updated>2026-01-13T21:57:26Z</updated>
+  <updated>2026-01-13T22:06:37Z</updated>
 
   <author>
     <name>Les Hazlewood</name>
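Review bot: The context line `<link rel="self" href="https://shiro.apache.org/feed.xml"; />` shows a `;` between the href value and `/>`. If that character is in feed.xml itself and not introduced by the mail rendering, the element is not well-formed XML and strict feed parsers will reject the feed, so it is worth checking the template. The `<updated>` change is the same build-timestamp churn as in security.txt.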
diff --git a/jakarta-ee.html b/jakarta-ee.html
index 651a9cd12..12aeb8336 100644
--- a/jakarta-ee.html
+++ b/jakarta-ee.html
@@ -568,7 +568,7 @@ Any Shiro principal object can be injected if annotated by 
<code>@Principal</cod
 </div>
 </div>
 <div class="sect3">
-<h4 id="automatic_delay_when_login_failed">Automatic delay when login 
failed</h4>
+<h4 id="rate_limiting">Rate limiting: Automatic delay when login failed</h4>
 <div class="paragraph">
 <p>When user fails to log in, Shiro will automatically delay the failure 
response for a number of seconds. This can be one of the strategies to prevent 
brute force attacks.</p>
 </div>
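Review bot: The heading id changes from `automatic_delay_when_login_failed` to `rate_limiting`, so any existing deep link to jakarta-ee.html#automatic_delay_when_login_failed stops resolving to this section. Consider keeping the old id as an additional anchor next to the new one. Separately, the new title calls this "Rate limiting" while the paragraph describes a delay applied to the failure response "for a number of seconds"; since security-model.html now points here as Shiro's built-in brute-force control, the paragraph should state the actual delay, whether it is configurable, and that it slows individual failed attempts rather than capping the number of attempts.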
diff --git a/security-model.html b/security-model.html
index aba5b60d7..6c751c2e0 100644
--- a/security-model.html
+++ b/security-model.html
@@ -366,10 +366,12 @@
 <div class="ulist">
 <ul>
 <li>
-<p><strong>Credential Storage</strong>: Operators must ensure credentials are 
stored securely (hashed with appropriate algorithms like bcrypt, Argon2, or 
PBKDF2).</p>
+<p><strong>Credential Storage</strong>: Operators must ensure credentials are 
stored securely (hashed with appropriate algorithms like bcrypt or Argon2).</p>
 </li>
 <li>
-<p><strong>Brute-Force Protection</strong>: Shiro does not include built-in 
rate limiting or account lockout. Operators should implement these controls at 
the application or infrastructure level.</p>
+<p><strong>Brute-Force Protection</strong>: Shiro only includes built-in basic 
rate limiting for
+<a href="jakarta-ee.html#rate_limiting">Jakarta EE only</a>, but does not 
include account lockout.
+Operators should implement these controls at the application or infrastructure 
level.</p>
 </li>
 <li>
 <p><strong>Multi-Factor Authentication</strong>: MFA is not built into core 
Shiro; operators requiring MFA must implement custom <code>Realm</code> or 
<code>AuthenticationStrategy</code> extensions.</p>
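Review bot: The new Brute-Force Protection sentence is hard to parse: "Shiro only includes built-in basic rate limiting for Jakarta EE only" doubles "only" and uses "Jakarta EE only" as the link text, and the following "Operators should implement these controls" no longer has a clear referent (account lockout alone, or also rate limiting outside Jakarta EE?). Suggest something like "Shiro includes a basic built-in login-failure delay in its Jakarta EE integration only, and no account lockout. Operators should implement rate limiting and lockout at the application or infrastructure level." The Credential Storage line in the same hunk drops PBKDF2 from the examples; see the note on the next hunk.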
@@ -621,7 +623,7 @@
 <p>Configure TLS for all credential transmission.</p>
 </li>
 <li>
-<p>Use strong password hashing (bcrypt, Argon2, or PBKDF2 with appropriate 
work factors).</p>
+<p>Use strong password hashing (bcrypt or Argon2 with appropriate work 
factors).</p>
 </li>
 <li>
 <p>Implement session fixation prevention.</p>
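Review bot: PBKDF2 is removed from the recommended password hashing algorithms here and in the Credential Storage item above, but neither the page text nor the commit message ("update") says why. Operators who already store PBKDF2 hashes cannot tell from this whether PBKDF2 is now considered unacceptable or simply no longer listed. Add a sentence stating the reason and whether existing PBKDF2 deployments should migrate, and use a commit message that records the security-guidance change.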