[Doc] Clarify that disabling principal parameter also disables JSR-250 annotations

[Allen-wick]

Search before asking

• I had searched in the issues, including closed issues and found no similar issues.

Documentation Related

Currently, the documentation for the shiro-jaxrs module does not clearly state the cascading effects of the org.apache.shiro.web.disable-principal configuration parameter.

Specifically, if an operator sets this parameter to disable the principal, it inherently disables the processing of JSR-250 annotations (such as @RolesAllowed, @DenyAll), because these annotations require a valid principal to evaluate against.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

[lprimak]

There is no cascading effect after all. JSR-250 annotations are handled by the Jakarta Rest / Jakarta Security unless principal propagation is disabled.
Only if the above is disabled, Shiro itself handles JSR-250 annotations