All Versions
Latest Version
Avg Release Cycle
79 days
Latest Release

Changelog History
Page 3

  • v1.3.1 Changes

    August 19, 2016

    ๐Ÿ› Bug

    [SHIRO-577] - Regression - Unable to set custom SessionValidationScheduler
    [SHIRO-581] - Improve log message when remember me cipher has changed
  • v1.3.1-release

    August 19, 2016
  • v1.3.0 Changes

    ๐Ÿ› Bug

    [SHIRO-373] - Complete CAS remember-me support
    [SHIRO-397] - SingleArgumentMethodEventListenerTest fails
    [SHIRO-421] - Unable to set long timeouts on HttpServletSession
    [SHIRO-435] - SecurityManager is not a singleton in ShiroWebModule
    [SHIRO-473] - DefaultAnnotationResolver.getAnnotation throws NullPointerException
    [SHIRO-480] - setTarget method in DomainPermission does not set targets
    [SHIRO-483] - passwordsMatch() returns false with right plain password-encrypted password in JVM with default locale tr_TR
    [SHIRO-502] - OSGi import of in shiro-guice has incorrect version range
    [SHIRO-513] - Misleading error message when using custom WebEnvironment
    [SHIRO-515] - ExecutorServiceSessionValidationScheduler leaks resources due to improper synchronization
    [SHIRO-547] - Use MessageDigest#isEqual() instead of Arrays#equals() for comparing digests
    [SHIRO-568] - hash iterations is calculated wrongly in SimpleHash
    [SHIRO-570] - SimpleCookie should check the path of the cookie

    ๐Ÿ†• New Feature

    [SHIRO-200] - Add ability to configure basic authentication for specific HTTP methods
    [SHIRO-395] - Add an Event Bus for event publishing and low-coupling for custom components/plugins.
    [SHIRO-412] - Hazelcast-based caching and session clustering
    [SHIRO-436] - Add EnvironmentLoader finalizeEnvironment method

    ๐Ÿ‘Œ Improvement

    [SHIRO-278] - Rename JndiLdapRealm to DefaultLdapRealm
    [SHIRO-300] - WildcardPermission: change visibility of field 'parts' to protected
    [SHIRO-361] - HttpServletResponse.encodeURL: only append JSESSIONID when necessary
    [SHIRO-428] - AuthorizingRealm "no cache" logging should be at DEBUG level, not INFO, OR is should log only once
    [SHIRO-437] - WildcardPermission: conformed toString
    [SHIRO-514] - ExecutorServiceSessionValidationScheduler should create threads with a configurable name
    [SHIRO-564] - WildcardPermission case-insensitive makes parts collections twice
    [SHIRO-566] - CollectionUtils should use Collections wrappers of arrays if possible


    [SHIRO-208] - Correct JDK 1.5 / 1.6 incompatibilities
    [SHIRO-320] - Add an example for using Guice integration.
    [SHIRO-571] - Mark shiro-cas deprecated (replaced with buji-pac4j)
  • v1.2.6 Changes

    ๐Ÿ› Bug

    [SHIRO-545] - JavaEnvironment version getter
    [SHIRO-567] - shiro-root-1.2.5.pom uses invalid encoding, fails to parse with Gradle 2.14
  • v1.2.5 Changes

    ๐Ÿ› Bug

    [SHIRO-443] - SessionValidationScheduler created multiple times, enabling it is not thread safe
    [SHIRO-462] - Authentication exceptions are swallowed
    [SHIRO-467] - Authentication exception gets swallowed
    [SHIRO-550] - Randomize default remember me cipher

    ๐Ÿ‘Œ Improvement

    [SHIRO-504] - Java 8 support
    [SHIRO-516] - Explicitly specify the version of aspectjtools to avoid build warning
    [SHIRO-562] - WildcardPermission calls String.trim() twice in setParts()
  • v1.2.4 Changes

    ๐Ÿ› Bug

    [SHIRO-517] - Caused by: java.lang.NoClassDefFoundError: Lcom/google/inject/internal/util/$ImmutableList;
    [SHIRO-518] - Shiro-CAS: Security Problem in cas-client-core versions older than 3.3.2
    [SHIRO-556] - appears to link to the javadoc under static/current/apidocs not static/latest

    ๐Ÿ‘Œ Improvement

    [SHIRO-332] - Change access level of method 'isPermitted' in org.apache.shiro.realm.AuthorizingRealm (line 461) from private to protected
    [SHIRO-496] - Update shiro.guice dependency
    [SHIRO-498] - ThreadLocal should not be created when not necessary
  • v1.2.2 Changes

    ๐Ÿ› Bug:

    [SHIRO-316] - Annotations in samples-aspectj Project Does not Work
    [SHIRO-351] - Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter)
    [SHIRO-379] - SimpleAccountRealm concurrency access to roles and users
    [SHIRO-380] - runAs feature (still) doesn't work
    [SHIRO-387] - EnvironmentLoader destroys wrong environment
    [SHIRO-388] - Stackoverflow org.apache.shiro.session.SessionListener.onStop()
    [SHIRO-389] - Fix OSGI Exports for shiro-ehcache
    [SHIRO-390] - OSGi Import for JSP (javax.servlet.jsp) should be declared optional
    [SHIRO-394] - PropertiesRealm reloading not working when loading from file
    [SHIRO-399] - Memory leak for invalid sessions
    [SHIRO-403] - Trunk will not build under JDK 1.7 due to webstart plugin
    [SHIRO-413] - init() method is not called on class that implements org.apache.shiro.util.Initializable
    [SHIRO-415] - isLoginAttempt method in BasicHttpAuthenticationFilter class fails if used in any locale other than English
    [SHIRO-418] - Javadoc typo in JdbcRealm.SaltStyle
    [SHIRO-423] - INI ReflectionBuilder should not wrap reference values
    [SHIRO-429] - perms filter parsing is too sensitive to a trailing space
    [SHIRO-431] - please use git ignore
    [SHIRO-447] - Broken Javadoc links
  • v1.2.1 Changes

    ๐Ÿ› Bug:

    [SHIRO-341] - ReflectionBuilder has invalid log message format
    [SHIRO-342] - Running the example as described at fails
    [SHIRO-344] - runAs feature doesn't work
    [SHIRO-350] - Creating a subject should not create a session
    [SHIRO-353] - DefaultSecurityManager has invalid SLF4J log instruction
    [SHIRO-354] - Authentication cache
    [SHIRO-358] - Source Tarball doesn't Build
    [SHIRO-363] - PasswordMatcher should support character arrays
    [SHIRO-368] - DomainPermission(string, string) constructor sets targets to the same value as actions
    [SHIRO-375] - Basic authentication issue when using COLON character
    [SHIRO-376] - shiro-cas feature should not depend on shiro-cas
    [SHIRO-377] - PropertiesRealm unable to reload Properties
  • v1.2.0 Changes

    Backwards Incompatible Changes

    • ๐Ÿšš The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed: bindPrincipalsToSession(principals, context)

    This logic has been moved into a SubjectDAO concept to allow end-users to control exactly how the Session may be used for subject state persistence. This allows a single point of control rather than needing to configure Shiro in multiple places.

    If you overrode this method in Shiro 1.0 or 1.1, please look at the new org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic. Documentation for this is covered here:

    • ๐ŸŒ The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation (enabled by default for all web applications) no longer subclasses org.apache.shiro.session.mgt.AbstractSessionManager. AbstractSessionManager existed originally to consolidate a 'globalSessionTimeout' configuration property for subclasses. However, the ServletContainerSessionManager has been changed to always reflect the session configuration from web.xml (per its namesake). Because web.xml is the definitive source for session timeout configuration, the 'extends' clause was removed to avoid configuration confusion: if someone attempted to configure 'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never be honored. It was better to remove the extends clause to ensure that any such configuration would fail fast when Shiro starts up to reflect the invalid config.

    Potential Breaking Changes

    • ๐ŸŒ The org.apache.shiro.web.filter.mgt.FilterChainManager class's addFilter(String name, Filter filter) semantics have changed. It now no longer attempts to initialize a filter by default before adding the filter to the chain. If you ever called this method, you can call the addFilter(name, filter, true) method to achieve the <= 1.1 behavior.

    • 0๏ธโƒฃ The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating 128 random bytes each time the nextBytes() method was called. This is too large for most purposes, so the default has been changed to 16 bytes (which equals 128 bits - what was originally intended). If for some reason you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the 'defaultNextByteSize' property to match your desired size (in bytes, NOT bits).

    • Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes:

    1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC. CBC is more commonly used for block ciphers today (e.g. SSL). If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config to ensure you can still decrypt previously encrypted data. For example, in code:

     or, in shiro.ini:
     blockCipherService.modeName = CFB
     blockCipherService.streamingModeName = CFB

    2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used. If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the previous padding scheme default to ensure you can still decrypt previously encrypted data. For example, in code:

     or, in shiro.ini:
     blockCipherService.streamingPaddingSchemeName = NoPadding
     Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is
     the correct Enum value.
  • v1.1.0 Changes

    Backwards Incompatible Changes

    • ๐ŸŒ The org.apache.shiro.web.util.RedirectView class's appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme) method has been changed to accept a StringBuilder argument instead of a StringBuffer per SHIRO-191. RedirectView is considered an internal implementation support class and Shiro end-users should not be affected by this.