Skip to content

Apache Shiro 3.0.0 (Vote)

Pre-release
Pre-release

Choose a tag to compare

View all tags
@lprimak lprimak released this 20 Jun 20:27
· 0 commits to main since this release
shiro-root-3.0.0
a0c53ad

Minimum runtime Requirements

  • JDK 17
  • Jakarta EE 9/10/11+ (no javax.* namespace)
  • Spring 6/7+ and SpringBoot 3/4+
  • Guice 7/8+

Breaking Changes:

  • Made default implementation of PrincipalCollection immutable (ImmutablePrincipalCollection)

Security improvements:

  • Case-insensitive path matching is now enabled by default (hardened by default)
  • Added NoAccessFilter and add it to the default filter chain (breaking change, hardened-by-default)
  • [#2799] enh: warn if realm authentication fails by @lprimak in #2798
  • Web RememberMe and Guice Enhancements by @lprimak in #2800
  • Enable CORS preflight requests by default

Other Changes:

  • Modernized Java code to JDK 17 baseline
  • Added fluent API in MergableAuthenticationInfo class
  • Improved thread-safety of Shiro-native sessions (SimpleSession, SimpleSessionFactory, CachingSessionDAO)
  • Multi-Release JAR in order to support different JDK version levels, and JDK 25 Scoped values
  • Using Java Scoped for Subject and SecurityManager instead of ThreadLocals on JDK 25+
  • Separated out ShiroFilterFactoryBeanPostProcessor to fix post processing warnings in Spring
  • Using AssertJ for testing

Removals of deprecated artifacts

  • Removed Shiro BOM - no longer necessary
  • Removed EhCache module in favor of JCache
  • Removed Hazelcast module in favor of JCache
  • Removed deprecated SimplePrincipalCollection class
  • Removed deprecated RandomSessionIdGenerator class
  • Removed deprecated HttpSessionContext class
  • Removed deprecated JavaEnvironment class
  • Removed deprecated XmlSerializer.java class
  • Removed JakartaTransformer class and it's jakartify() method
  • Removed Spring/Boot ShiroUrlPathHelper class
  • Removed Spring/Boot's remoting support
  • Removed Spring/Boot deprecated ShiroRequestMappingConfig class
  • Removed samples and tests associated with deprecated modules

Minimum build requirements

  • JDK 21 (JDK 25 required to release)
  • Jakarta EE 11 (build-time default)
  • Spring 7/SpringBoot 4 (build-time default)
  • Guice 8 (build-time default)

What's Changed

Full Changelog: shiro-root-2.2.1...shiro-root-3.0.0

Contributors

lprimak
Assets 2
Loading