This is an automated email from the ASF dual-hosted git repository.
lprimak pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro-site.git
The following commit(s) were added to refs/heads/main by this push:
new 2242ac15c add Cors Support documentation (#261)
2242ac15c is described below
commit 2242ac15c5624b7fa233e380eba88857c36bf768
Author: Fatih <[email protected]>
AuthorDate: Wed Jan 14 01:33:47 2026 +0300
add Cors Support documentation (#261)
Co-authored-by: celikfatiih <[email protected]>
---
src/site/content/web.adoc | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/site/content/web.adoc b/src/site/content/web.adoc
index 83677ecd3..ec4965b9c 100644
--- a/src/site/content/web.adoc
+++ b/src/site/content/web.adoc
@@ -468,6 +468,25 @@ If you're currently allowing URL rewriting to allow for a
<code>jsessionid</code
URL rewriting for `jsessionid` is defined in section "7.1.3" of the Java
Servlet Specification, but it is generally NOT recommended.
====
+=== CORS Support
+
+When using HTTP-based authentication (like Basic Auth or Bearer Token) in a
browser-based application, Cross-Origin Resource Sharing (CORS) pre-flight
`OPTIONS` requests are often sent by the browser. By default, these requests
might be rejected if they do not contain authentication headers.
+
+To allow pre-flight `OPTIONS` requests to pass through the authentication
filter without requiring credentials, you can configure the
`allowPreFlightRequests` property on any filter extending
`HttpAuthenticationFilter`.
+
+This is commonly used with `authcBasic` (Basic Auth) or `authcBearer` (Bearer
Token / JWT).
+
+[source,ini]
+----
+[main]
+...
+# Example 1: Configuring Basic Auth for CORS
+authcBasic.allowPreFlightRequests = true
+
+# Example 2: Configuring Bearer Auth (if used) for CORS
+authcBearer.allowPreFlightRequests = true
+...
+----
=== HTTP Strict Transport Security (HSTS)
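Review bot: The paragraph that introduces `allowPreFlightRequests` ("To allow pre-flight `OPTIONS` requests to pass through the authentication filter without requiring credentials") does not say what the property's default is or which requests it exempts. Please state both. A reader turning this on needs to know whether every unauthenticated `OPTIONS` request now bypasses the authentication filter, or only requests that carry the pre-flight headers (`Origin` together with `Access-Control-Request-Method`), because in the first case any `OPTIONS` handling behind the filter becomes reachable without credentials. In the opening paragraph, "might be rejected" would be better as a definite statement of what the filter does by default. It would also help to add a sentence on where the CORS response headers come from, since the text only covers letting the request past authentication. Style: there is no blank line between the closing `----` and `=== HTTP Strict Transport Security (HSTS)`, nor between the preceding `====` and `=== CORS Support`; a blank line before each section title would keep this consistent with the blank `+` lines used between the paragraphs of the new section.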