Doc update for ForwardedHeaderFilter

Closes gh-23954

src/docs/asciidoc/web/webmvc.adoc

@@ -1280,14 +1280,17 @@ that proxies can use to provide information about the original request. There ar
 non-standard headers, too, including `X-Forwarded-Host`, `X-Forwarded-Port`,
 `X-Forwarded-Proto`, `X-Forwarded-Ssl`, and `X-Forwarded-Prefix`.
 
-`ForwardedHeaderFilter` is a Servlet filter that modifies the host, port, and scheme of
-the request, based on `Forwarded` headers, and then removes those headers.
+`ForwardedHeaderFilter` is a Servlet filter that modifies the request in order to
+a) change the host, port, and scheme based on `Forwarded` headers, and b) to remove those
+headers to eliminate further impact. The filter relies on wrapping the request, and
+therefore it must be ordered ahead of other filters, such as `RequestContextFilter`, that
+should work with the modified and not the original request.
 
 There are security considerations for forwarded headers since an application cannot know
 if the headers were added by a proxy, as intended, or by a malicious client. This is why
-a proxy at the boundary of trust should be configured to remove untrusted `Forwarded` headers that come
-from the outside. You can also configure the `ForwardedHeaderFilter` with
-`removeOnly=true`, in which case it removes but does not use the headers.
+a proxy at the boundary of trust should be configured to remove untrusted `Forwarded`
+headers that come from the outside. You can also configure the `ForwardedHeaderFilter`
+with `removeOnly=true`, in which case it removes but does not use the headers.