apache · lprimak · Jan 21, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/src/site/content/spring-boot.adoc b/src/site/content/spring-boot.adoc
@@ -160,6 +160,10 @@ protected CacheManager cacheManager() {
 |shiro.successUrl |`/` |Default landing page after a user logs in (if alternative cannot be found in the current session)
 
 |shiro.unauthorizedUrl |null |Page to redirect user to if they are unauthorized (403 page)
+
+|shiro.caseInsensitive |`false` (2.x), `true` (3.x) |Enable case-insensitive path matching. Can be set to true in 2.x. Defaults to true in 3.x.
+
+|shiro.allowAccessByDefault |`true` (2.x), `false` (3.x) |Allow access when no filter chain matches. Defaults to true in 2.x and false in 3.x.
 |===
 
 == Standalone Applications

diff --git a/src/site/content/web.adoc b/src/site/content/web.adoc
@@ -469,6 +469,32 @@ If you're currently allowing URL rewriting to allow for a <code>jsessionid</code
 URL rewriting for `jsessionid` is defined in section "7.1.3" of the Java Servlet Specification, but it is generally NOT recommended.
 ====
 
+=== Configuring default behavior of the access control mechanism
+[NOTE]
+====
+This feature is only available in Shiro 2.1 or later, and in Shiro 3.0.0 or later, this option will become the default (no additional configuration will be required)
+====
+
+The filter chain resolver supports additional configuration options, including:
+
+- case-insensitive path matching
+- whether to allow access when no filter matches the request path
+
+[source,ini]
+----
+[main]
+# Enable case-insensitive path matching.
+# Can be set to true for Shiro 2.x.
+# Defaults to true in Shiro 3.x.
+filterChainResolver.caseInsensitive = true
+
+# Allow access when no filter chain matches the request path.
+# Can be set to true to allow access when no filter chain matches.
+# Can be set to false for Shiro 2.x.
+# Defaults to false in Shiro 3.x.
+filterChainResolver.allowAccessByDefault = false
+----
+
 === CORS Support
 
 When using HTTP-based authentication (like Basic Auth or Bearer Token) in a browser-based application, Cross-Origin Resource Sharing (CORS) pre-flight `OPTIONS` requests are often sent by the browser. By default, these requests might be rejected if they do not contain authentication headers.
@@ -478,7 +504,7 @@ To allow pre-flight `OPTIONS` requests to pass through the authentication filter
 This is commonly used with `authcBasic` (Basic Auth) or `authcBearer` (Bearer Token / JWT).
 [NOTE]
 ====
-this feature is only available in Shiro 2.0.7 or later, and in Shiro 3.0.0 or later, this option will become the default (no additional configuration will be required)
+this feature is only available in Shiro 2.1 or later, and in Shiro 3.0.0 or later, this option will become the default (no additional configuration will be required)
 ====
 
 [source,ini]