apache · bmarwell · Nov 2, 2022 · Aug 16, 2022 · Oct 31, 2022
diff --git a/pom.xml b/pom.xml
@@ -415,6 +415,7 @@
                             <onlyModified>true</onlyModified>
                             <breakBuildOnBinaryIncompatibleModifications>true</breakBuildOnBinaryIncompatibleModifications>
                             <breakBuildBasedOnSemanticVersioning>true</breakBuildBasedOnSemanticVersioning>
+                            <postAnalysisScript>${root.dir}/src/japicmp/postAnalysisScript.groovy</postAnalysisScript>
                         </parameter>
                     </configuration>
                 </plugin>

diff --git a/samples/servlet-plugin/pom.xml b/samples/servlet-plugin/pom.xml
@@ -106,13 +106,8 @@
             <scope>runtime</scope>
         </dependency>
         <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-slf4j-impl</artifactId>
-            <scope>runtime</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.logging.log4j</groupId>
-            <artifactId>log4j-core</artifactId>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
             <scope>runtime</scope>
         </dependency>
         <dependency>

diff --git a/src/japicmp/postAnalysisScript.groovy b/src/japicmp/postAnalysisScript.groovy
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import static japicmp.model.JApiCompatibilityChange.*
+import static japicmp.model.JApiChangeStatus.*
+
+def it = jApiClasses.iterator()
+while (it.hasNext()) {
+    def jApiClass = it.next()
+    // filter out interfaces changes that are default methods
+    if (jApiClass.getChangeStatus() != UNCHANGED) {
+        def methodIt = jApiClass.getMethods().iterator()
+        while (methodIt.hasNext()) {
+            def method = methodIt.next()
+            def methodChanges = method.getCompatibilityChanges()
+            methodChanges.remove(METHOD_NEW_DEFAULT)
+        }
+    }
+}
+return jApiClasses
diff --git a/support/guice/src/main/java/org/apache/shiro/guice/web/GuiceShiroFilter.java b/support/guice/src/main/java/org/apache/shiro/guice/web/GuiceShiroFilter.java
@@ -18,6 +18,7 @@
  */
 package org.apache.shiro.guice.web;
 
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
@@ -31,8 +32,9 @@
  */
 public class GuiceShiroFilter extends AbstractShiroFilter {
     @Inject
-    GuiceShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver filterChainResolver) {
+    GuiceShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver filterChainResolver, ShiroFilterConfiguration filterConfiguration) {
         this.setSecurityManager(webSecurityManager);
         this.setFilterChainResolver(filterChainResolver);
+        this.setShiroFilterConfiguration(filterConfiguration);
     }
 }
diff --git a/support/guice/src/main/java/org/apache/shiro/guice/web/WebGuiceEnvironment.java b/support/guice/src/main/java/org/apache/shiro/guice/web/WebGuiceEnvironment.java
@@ -21,6 +21,7 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
 import org.apache.shiro.web.env.WebEnvironment;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
@@ -35,11 +36,14 @@ class WebGuiceEnvironment implements WebEnvironment {
     private ServletContext servletContext;
     private WebSecurityManager securityManager;
 
+    private ShiroFilterConfiguration filterConfiguration;
+
     @Inject
-    WebGuiceEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager) {
+    WebGuiceEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager, ShiroFilterConfiguration filterConfiguration) {
         this.filterChainResolver = filterChainResolver;
         this.servletContext = servletContext;
         this.securityManager = securityManager;
+        this.filterConfiguration = filterConfiguration;
 
         servletContext.setAttribute(EnvironmentLoaderListener.ENVIRONMENT_ATTRIBUTE_KEY, this);
     }
@@ -59,4 +63,8 @@ public WebSecurityManager getWebSecurityManager() {
     public SecurityManager getSecurityManager() {
         return securityManager;
     }
+
+    public ShiroFilterConfiguration getShiroFilterConfiguration() {
+        return filterConfiguration;
+    }
 }
diff --git a/support/guice/src/test/java/org/apache/shiro/guice/web/GuiceShiroFilterTest.java b/support/guice/src/test/java/org/apache/shiro/guice/web/GuiceShiroFilterTest.java
@@ -19,33 +19,42 @@
 package org.apache.shiro.guice.web;
 
 import com.google.inject.spi.InjectionPoint;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.junit.Test;
 
-import static org.easymock.EasyMock.createMock;
+import static org.mockito.Mockito.mock;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.fail;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+import static org.mockito.Mockito.when;
 
 public class GuiceShiroFilterTest {
 
     @Test
     public void ensureInjectable() {
         try {
-            InjectionPoint ip = InjectionPoint.forConstructorOf(GuiceShiroFilter.class);
+            InjectionPoint.forConstructorOf(GuiceShiroFilter.class);
         } catch (Exception e) {
             fail("Could not create constructor injection point.");
         }
     }
 
     @Test
     public void testConstructor() {
-        WebSecurityManager securityManager = createMock(WebSecurityManager.class);
-        FilterChainResolver filterChainResolver = createMock(FilterChainResolver.class);
+        WebSecurityManager securityManager = mock(WebSecurityManager.class);
+        FilterChainResolver filterChainResolver = mock(FilterChainResolver.class);
+        ShiroFilterConfiguration filterConfiguration = mock(ShiroFilterConfiguration.class);
+        when(filterConfiguration.isStaticSecurityManagerEnabled()).thenReturn(true);
+        when(filterConfiguration.isFilterOncePerRequest()).thenReturn(false);
 
-        GuiceShiroFilter underTest = new GuiceShiroFilter(securityManager, filterChainResolver);
+        GuiceShiroFilter underTest = new GuiceShiroFilter(securityManager, filterChainResolver, filterConfiguration);
 
         assertSame(securityManager, underTest.getSecurityManager());
         assertSame(filterChainResolver, underTest.getFilterChainResolver());
+        assertTrue(underTest.isStaticSecurityManagerEnabled());
+        assertFalse(underTest.isFilterOncePerRequest());
     }
 }
diff --git a/support/guice/src/test/java/org/apache/shiro/guice/web/ShiroWebModuleTest.java b/support/guice/src/test/java/org/apache/shiro/guice/web/ShiroWebModuleTest.java
@@ -30,6 +30,7 @@
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.realm.Realm;
 import org.apache.shiro.session.mgt.SessionManager;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoader;
 import org.apache.shiro.web.env.WebEnvironment;
 import org.apache.shiro.web.filter.InvalidRequestFilter;
@@ -487,8 +488,8 @@ public static class MyDefaultWebSessionManager extends DefaultWebSessionManager
 
     public static class MyWebEnvironment extends WebGuiceEnvironment {
         @Inject
-        MyWebEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager) {
-            super(filterChainResolver, servletContext, securityManager);
+        MyWebEnvironment(FilterChainResolver filterChainResolver, @Named(ShiroWebModule.NAME) ServletContext servletContext, WebSecurityManager securityManager, ShiroFilterConfiguration filterConfiguration) {
+            super(filterChainResolver, servletContext, securityManager, filterConfiguration);
         }
     }
 

diff --git a/support/guice/src/test/java/org/apache/shiro/guice/web/WebGuiceEnvironmentTest.java b/support/guice/src/test/java/org/apache/shiro/guice/web/WebGuiceEnvironmentTest.java
@@ -19,6 +19,7 @@
 package org.apache.shiro.guice.web;
 
 import com.google.inject.spi.InjectionPoint;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.env.EnvironmentLoaderListener;
 import org.apache.shiro.web.filter.mgt.FilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
@@ -47,13 +48,14 @@ public void testConstructor() {
         WebSecurityManager securityManager = createMock(WebSecurityManager.class);
         FilterChainResolver filterChainResolver = createMock(FilterChainResolver.class);
         ServletContext servletContext = createMock(ServletContext.class);
+        ShiroFilterConfiguration filterConfiguration = createMock(ShiroFilterConfiguration.class);
 
         Capture<WebGuiceEnvironment> capture = Capture.newInstance();
         servletContext.setAttribute(eq(EnvironmentLoaderListener.ENVIRONMENT_ATTRIBUTE_KEY), and(anyObject(WebGuiceEnvironment.class), capture(capture)));
 
         replay(servletContext, securityManager, filterChainResolver);
 
-        WebGuiceEnvironment underTest = new WebGuiceEnvironment(filterChainResolver, servletContext, securityManager);
+        WebGuiceEnvironment underTest = new WebGuiceEnvironment(filterChainResolver, servletContext, securityManager, filterConfiguration);
 
         assertSame(securityManager, underTest.getSecurityManager());
         assertSame(filterChainResolver, underTest.getFilterChainResolver());

diff --git a/support/spring/src/main/java/org/apache/shiro/spring/web/ShiroFilterFactoryBean.java b/support/spring/src/main/java/org/apache/shiro/spring/web/ShiroFilterFactoryBean.java
@@ -24,6 +24,7 @@
 import org.apache.shiro.lang.util.Nameable;
 import org.apache.shiro.lang.util.StringUtils;
 import org.apache.shiro.web.config.IniFilterChainResolverFactory;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.AccessControlFilter;
 import org.apache.shiro.web.filter.InvalidRequestFilter;
 import org.apache.shiro.web.filter.authc.AuthenticationFilter;
@@ -35,6 +36,7 @@
 import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
 import org.apache.shiro.web.mgt.WebSecurityManager;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
+import org.apache.shiro.web.servlet.OncePerRequestFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
@@ -135,15 +137,18 @@ public class ShiroFilterFactoryBean implements FactoryBean, BeanPostProcessor {
 
     private AbstractShiroFilter instance;
 
+    private ShiroFilterConfiguration filterConfiguration;
+
     public ShiroFilterFactoryBean() {
         this.filters = new LinkedHashMap<String, Filter>();
         this.globalFilters = new ArrayList<>();
         this.globalFilters.add(DefaultFilter.invalidRequest.name());
         this.filterChainDefinitionMap = new LinkedHashMap<String, String>(); //order matters!
+        this.filterConfiguration = new ShiroFilterConfiguration();
     }
 
     /**
-     * Sets the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.  This is a
+     * Gets the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.  This is a
      * required property - failure to set it will throw an initialization exception.
      *
      * @return the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.
@@ -162,6 +167,24 @@ public void setSecurityManager(SecurityManager securityManager) {
         this.securityManager = securityManager;
     }
 
+    /**
+     * Gets the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     *
+     * @return the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     */
+    public ShiroFilterConfiguration getShiroFilterConfiguration() {
+        return filterConfiguration;
+    }
+
+    /**
+     * Sets the application {@code ShiroFilterConfiguration} instance to be used by the constructed Shiro Filter.
+     *
+     * @param filterConfiguration the application {@code SecurityManager} instance to be used by the constructed Shiro Filter.
+     */
+    public void setShiroFilterConfiguration(ShiroFilterConfiguration filterConfiguration) {
+        this.filterConfiguration = filterConfiguration;
+    }
+
     /**
      * Returns the application's login URL to be assigned to all acquired Filters that subclass
      * {@link AccessControlFilter} or {@code null} if no value should be assigned globally. The default value
@@ -468,7 +491,7 @@ protected AbstractShiroFilter createInstance() throws Exception {
         //FilterChainResolver.  It doesn't matter that the instance is an anonymous inner class
         //here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts
         //injection of the SecurityManager and FilterChainResolver:
-        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver, getShiroFilterConfiguration());
     }
 
     private void applyLoginUrlIfNecessary(Filter filter) {
@@ -511,6 +534,10 @@ private void applyGlobalPropertiesIfNecessary(Filter filter) {
         applyLoginUrlIfNecessary(filter);
         applySuccessUrlIfNecessary(filter);
         applyUnauthorizedUrlIfNecessary(filter);
+
+        if (filter instanceof OncePerRequestFilter) {
+            ((OncePerRequestFilter) filter).setFilterOncePerRequest(filterConfiguration.isFilterOncePerRequest());
+        }
     }
 
     /**
@@ -549,12 +576,13 @@ public Object postProcessAfterInitialization(Object bean, String beanName) throw
      */
     private static final class SpringShiroFilter extends AbstractShiroFilter {
 
-        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver, ShiroFilterConfiguration filterConfiguration) {
             super();
             if (webSecurityManager == null) {
                 throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
             }
             setSecurityManager(webSecurityManager);
+            setShiroFilterConfiguration(filterConfiguration);
 
             if (resolver != null) {
                 setFilterChainResolver(resolver);

diff --git a/...src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebFilterConfiguration.java b/...src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebFilterConfiguration.java
@@ -20,6 +20,7 @@
 
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.config.ShiroFilterConfiguration;
 import org.apache.shiro.web.filter.mgt.DefaultFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -40,6 +41,9 @@ public class AbstractShiroWebFilterConfiguration {
     @Autowired
     protected ShiroFilterChainDefinition shiroFilterChainDefinition;
 
+    @Autowired(required = false)
+    protected ShiroFilterConfiguration shiroFilterConfiguration;
+
     @Autowired(required = false)
     protected Map<String, Filter> filterMap;
 
@@ -56,6 +60,12 @@ protected List<String> globalFilters() {
         return Collections.singletonList(DefaultFilter.invalidRequest.name());
     }
 
+    protected ShiroFilterConfiguration shiroFilterConfiguration() {
+        return shiroFilterConfiguration != null
+                ? shiroFilterConfiguration
+                : new ShiroFilterConfiguration();
+    }
+
     protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
         ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
 
@@ -64,6 +74,7 @@ protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
         filterFactoryBean.setUnauthorizedUrl(unauthorizedUrl);
 
         filterFactoryBean.setSecurityManager(securityManager);
+        filterFactoryBean.setShiroFilterConfiguration(shiroFilterConfiguration());
         filterFactoryBean.setGlobalFilters(globalFilters());
         filterFactoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());