# Licensed to the Apache Software Foundation (ASF) under one | |
# or more contributor license agreements. See the NOTICE file | |
# distributed with this work for additional information | |
# regarding copyright ownership. The ASF licenses this file | |
# to you under the Apache License, Version 2.0 (the | |
# "License"); you may not use this file except in compliance | |
# with the License. You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, | |
# software distributed under the License is distributed on an | |
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
# KIND, either express or implied. See the License for the | |
# specific language governing permissions and limitations | |
# under the License. | |
This is not an official release notes document. It exists for Shiro developers | |
to jot down their notes while working in the source code. These notes will be | |
combined with Jira's auto-generated release notes during a release for the | |
total set. | |
########################################################### | |
# 1.7.1 | |
########################################################### | |
Bug | |
[SHIRO-797] - Shiro 1.7.0 is lower than using springboot version 2.0.7 dependency error | |
########################################################### | |
# 1.7.0 | |
########################################################### | |
Bug | |
[SHIRO-767] - org.apache.shiro.util.ClassUtil cannot load the array of Primitive DataType when use undertown as web container | |
[SHIRO-792] - ShiroWebFilterConfiguration seems to conflict with other FilterRegistrationBean | |
New Feature | |
[SHIRO-789] - Also add cookie SameSite option to Spring | |
Improvement | |
[SHIRO-740] - SslFilter with HTTP Strict Transport Security (HSTS) | |
[SHIRO-794] - Add system property to enable backslash path normalization | |
[SHIRO-795] - Disable session path rewriting by default | |
Task | |
[SHIRO-793] - deleteMe cookie should use the defined "sameSite" | |
########################################################### | |
# 1.6.0 | |
########################################################### | |
Bug | |
[SHIRO-610] - Incorrect filterchainResolver in 1.4.0-RC2 | |
[SHIRO-762] - SecurityUtils.securityManager should be volatile | |
[SHIRO-766] - ArrayIndexOutOfBoundsException in Base64#decode | |
New Feature | |
[SHIRO-788] - Add support for Global Filters | |
Wish | |
[SHIRO-780] - NOTICE files of shiro components don't match NOTICE in source code repository | |
########################################################### | |
# 1.5.3 | |
########################################################### | |
Bug | |
[SHIRO-530] - INI parser does not properly handled backslashes at end of values | |
[SHIRO-751] - SimplePrincipalMap and SimplePrincipalCollection throw different exceptions for the same problem | |
[SHIRO-753] - Regression in URI parsing in Shiro 1.5.2 | |
Dependency upgrade | |
[SHIRO-754] - Upgrade to Apache Commons Codec 1.14 | |
[SHIRO-755] - Upgrade to Hazelcast 3.12.6 | |
[SHIRO-756] - Upgrade to Spring 5.2.5.RELEASE and Spring boot 2.2.6.RELEASE | |
[SHIRO-757] - Upgrade to Htmlunit 2.39.0 | |
[SHIRO-758] - Upgrade to Jetty 9.4.27.v20200227 | |
[SHIRO-759] - Upgrade to Karaf 4.2.8 | |
########################################################### | |
# 1.5.2 | |
########################################################### | |
Bug | |
[SHIRO-747] - FirstSuccessfulStrategy doesn't properly short circuit | |
[SHIRO-749] - shiro-all jar is missing cache package | |
Improvement | |
[SHIRO-748] - Update Commons Configuration to 2.7 | |
########################################################### | |
# 1.5.1 | |
########################################################### | |
Bug | |
[SHIRO-736] - DefaultCipherInstance is an alias which is not available in every JVM or JCA Provider | |
[SHIRO-739] - Bean reflection property failed with Enum values | |
[SHIRO-741] - Matching of / (root) is broken | |
[SHIRO-742] - fix throw exception when request uri is / | |
Dependency upgrade | |
[SHIRO-738] - Upgrade to Spring 5.2.3.RELEASE and Spring boot 2.2.4.RELEASE | |
########################################################### | |
# 1.5.0 | |
########################################################### | |
Notes: this release require a JRE 8 minimum. | |
Bug | |
[SHIRO-458] - Possible leaked timing information from DefaultPasswordService | |
[SHIRO-469] - Wrong description of JdbcRealm#setPermissionsQuery | |
[SHIRO-552] - JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes | |
[SHIRO-661] - Add check for the principal of subject whether is null | |
[SHIRO-682] - fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect | |
[SHIRO-684] - INI parser keeps escape characters in keys and values | |
[SHIRO-685] - Potential NullPointerException if PermissionResolver return null/empty string | |
[SHIRO-687] - Additional Servlet Filters are not available to ShiroFilterFactorBean (unless using XML based beans) | |
New Feature | |
[SHIRO-694] - Adds BearerToken support | |
[SHIRO-722] - Add SameSite option to cookies | |
Improvement | |
[SHIRO-668] - Catch unexpected errors which can lead to oom | |
[SHIRO-669] - Included a boolean flag in FirstSuccessfulStrategy to break after first successful authentication | |
[SHIRO-670] - ByteSource Serializable | |
[SHIRO-681] - Upgrade to compiler Java 8 | |
[SHIRO-693] - Update plugins | |
[SHIRO-700] - Minor spring updates | |
[SHIRO-706] - Switch to Guice4 by default in the build | |
[SHIRO-709] - Fix Shiro Spring feature | |
[SHIRO-710] - Update Commons Lang3 + remove older Commons Lang | |
[SHIRO-711] - Deprecate JavaEnvironment | |
[SHIRO-712] - Add BasicIniEnvironment | |
[SHIRO-715] - Remove old JSTL jars | |
[SHIRO-720] - Update Commons BeanUtils | |
[SHIRO-724] - Update Jetty, Spring, Spring Boot, Htmlunit dependencies | |
[SHIRO-726] - Add dynamic import package | |
[SHIRO-728] - Update Spring Boot to 2.1.10 | |
[SHIRO-729] - Update Quartz | |
[SHIRO-730] - Updates the default Cipher mode to GCM in AesCipherService | |
[SHIRO-731] - Use OWasp Java Encoder to escape user supplied content to the logs | |
Test | |
[SHIRO-697] - Reduce shiro test logging level to INFO | |
Task | |
[SHIRO-690] - Validate JDK11 compatibility | |
[SHIRO-692] - Upgrade and enforce min buid maven version to 3.5.0 | |
[SHIRO-698] - Improve build with maven profile | |
[SHIRO-734] - Remove Spring-client sample | |
[SHIRO-735] - Shiro does not support servlet-3.1 void method(@Suspended AsyncResponse) | |
Dependency upgrade | |
[SHIRO-688] - Upgrade to commons-cli 1.4 | |
[SHIRO-689] - Upgrade to commons-codec 1.12 | |
[SHIRO-691] - Upgrade to maven-jar-plugin 3.1.1 | |
[SHIRO-695] - Update Hazelcast | |
[SHIRO-696] - Update Jetty | |
[SHIRO-699] - Fix maven warning for exec-maven-plugin and upgrade to 1.6.0 | |
[SHIRO-701] - Update logback | |
[SHIRO-702] - Upgrade to jacoco-maven-plugin 0.8.4 | |
[SHIRO-703] - Update HSQL | |
[SHIRO-704] - Update Spring, Spring Boot, Hibernate | |
[SHIRO-705] - Update Easymock + Powermock | |
[SHIRO-707] - Misc dependency updates | |
[SHIRO-716] - Upgrade to commons-codec 1.13 | |
[SHIRO-717] - Upgrade to maven-pmd-plugin 3.12.0 | |
[SHIRO-718] - Upgrade to xmlsec 2.1.4 | |
[SHIRO-719] - Upgrade to Karaf 4.2.6 | |
Request | |
[SHIRO-723] - Provide Minor Shiro Release that includes CVE-2019-10086 Fix | |
########################################################### | |
# 1.4.2 | |
########################################################### | |
Bug | |
[SHIRO-721] - RememberMe Padding Oracle Vulnerability | |
Improvement | |
[SHIRO-730] - Updates the default Cipher mode to GCM in AesCipherService | |
########################################################### | |
# 1.4.1 | |
########################################################### | |
Bug | |
[SHIRO-457] - Login without static VM security manager cause exception in debug | |
[SHIRO-563] - shiro-aspectj karaf feature can't be installed | |
[SHIRO-624] - OSGI: commons configuration import should be optional | |
[SHIRO-626] - Bundle symbolic name conflict | |
[SHIRO-637] - Refresh cached session in HTTP request after user logs out | |
[SHIRO-650] - Shiro JAX-RS is not an OSGi bundle | |
[SHIRO-653] - Spring-boot registers shiro filter only on REQUEST dispatcher | |
[SHIRO-655] - shiro-core has an undesirable runtime OSGi dependency to spring-beans | |
[SHIRO-658] - Problems building shiro on openjdk-8 on current debian stable (9.6 "stretch") | |
[SHIRO-660] - Bug in FirstSuccessfulStrategy | |
[SHIRO-680] - Duplicate Bundle-SymbolicName for Different Shiro Modules | |
New Feature | |
[SHIRO-638] - Update osgi bundle manifest to support Spring 4.x | |
Improvement | |
[SHIRO-560] - Shiro-web feature can't be installed in karaf 4.0.4 | |
[SHIRO-652] - Upgrade Shiro Feature to Karaf 4.x | |
[SHIRO-664] - Upgrade to Apache pom parent 21 | |
[SHIRO-665] - Upgrade to maven-bundle-plugin 4.1.0 | |
[SHIRO-667] - Upgrade to Spring 4.3.22-RELEASE | |
[SHIRO-672] - Upgrade to jacoco-maven-plugin 0.8.3 | |
[SHIRO-673] - Upgrade to maven-compiler-plugin 3.8.0 | |
[SHIRO-674] - Upgrade to maven-dependency-plugin to 3.1.1 | |
[SHIRO-675] - Upgrade to maven-surefire-plugins 3.0.0-M3 | |
[SHIRO-676] - Upgrade to maven-jar-plugin 3.1.0 | |
[SHIRO-677] - Upgrade to versions-maven-plugin 2.7 | |
[SHIRO-683] - Upgrade to spring-boot 1.5.19.RELEASE | |
Task | |
[SHIRO-662] - Constant Name Change in AuthenticationRealm | |
[SHIRO-663] - Clean up pom parent relative path | |
Dependency upgrade | |
[SHIRO-659] - Upgrade to OWASP dependency-check-maven plugin 4.0.0 | |
########################################################### | |
# 1.4.0 | |
########################################################### | |
Bug | |
[SHIRO-559] - shiro-guice violates the JEE specification | |
[SHIRO-579] - Permission filter is validating last matched path | |
[SHIRO-603] - Endless recursion in ShiroSecurityContext.getUserPrincipal() | |
[SHIRO-605] - ShiroWebModule creates out of order filter chain. | |
[SHIRO-607] - AuthorizationAttributeSourceAdvisor ignores type-annotations | |
[SHIRO-608] - Use a ServiceLoader to discover WebEnvironments | |
[SHIRO-611] - Spring web module does not load correct SessionStorageEvaluator | |
Improvement | |
[SHIRO-596] - shiro-tools-hasher needs private salt option | |
[SHIRO-618] - Spring Boot Web Starter- Autoconfiguration for Realm and ShiroFilterChainDefinition | |
########################################################### | |
# 1.4.0-RC2 | |
########################################################### | |
Bug | |
[SHIRO-493] - shiro-guice not working with the guice 4.x | |
[SHIRO-576] - Commons-beanutils dependency is not security compliant | |
[SHIRO-586] - Can't Search For Groups In Active Directory Without A System User | |
[SHIRO-587] - Can't Access Groups If userPrincipalName Doesn't Exist | |
[SHIRO-591] - Basic Auth Filter permissive mode does NOT work | |
[SHIRO-592] - ModularRealmAuthenticator causes log spam when one realm throws exception | |
[SHIRO-593] - Allow for IniWebEnvironment subclasses to specify defaults objects to ReflectionBuilder | |
[SHIRO-594] - Update Hazelcast version to latest supported version (3.7.2) | |
[SHIRO-595] - Allow for POST only logout requests | |
[SHIRO-612] - Need to upgrade BeanUtils to avoid vulnerability | |
New Feature | |
[SHIRO-501] - Add ability to set system properties in shiro.ini | |
[SHIRO-589] - Add Servlet 3.x fragment | |
[SHIRO-590] - Add Spring Boot support / starters | |
Improvement | |
[SHIRO-296] - Typo fixes | |
[SHIRO-301] - Call permissionResolver directly in AuthorizingRealm | |
[SHIRO-392] - Shiro Extension for JAX-RS | |
[SHIRO-599] - Fix file encoding warnings during maven build and reporting | |
########################################################### | |
# 1.3.2 | |
########################################################### | |
Bug | |
[SHIRO-584] - URL Path matching issue with WebUtils.getPathWithinApplication | |
########################################################### | |
# 1.3.1 | |
########################################################### | |
Bug | |
[SHIRO-577] - Regression - Unable to set custom SessionValidationScheduler | |
[SHIRO-581] - Improve log message when remember me cipher has changed | |
########################################################### | |
# 1.3.0 | |
########################################################### | |
Bug | |
[SHIRO-373] - Complete CAS remember-me support | |
[SHIRO-397] - SingleArgumentMethodEventListenerTest fails | |
[SHIRO-421] - Unable to set long timeouts on HttpServletSession | |
[SHIRO-435] - SecurityManager is not a singleton in ShiroWebModule | |
[SHIRO-473] - DefaultAnnotationResolver.getAnnotation throws NullPointerException | |
[SHIRO-480] - setTarget method in DomainPermission does not set targets | |
[SHIRO-483] - passwordsMatch() returns false with right plain password-encrypted password in JVM with default locale tr_TR | |
[SHIRO-502] - OSGi import of com.google.inject in shiro-guice has incorrect version range | |
[SHIRO-513] - Misleading error message when using custom WebEnvironment | |
[SHIRO-515] - ExecutorServiceSessionValidationScheduler leaks resources due to improper synchronization | |
[SHIRO-547] - Use MessageDigest#isEqual() instead of Arrays#equals() for comparing digests | |
[SHIRO-568] - hash iterations is calculated wrongly in SimpleHash | |
[SHIRO-570] - SimpleCookie should check the path of the cookie | |
New Feature | |
[SHIRO-200] - Add ability to configure basic authentication for specific HTTP methods | |
[SHIRO-395] - Add an Event Bus for event publishing and low-coupling for custom components/plugins. | |
[SHIRO-412] - Hazelcast-based caching and session clustering | |
[SHIRO-436] - Add EnvironmentLoader finalizeEnvironment method | |
Improvement | |
[SHIRO-278] - Rename JndiLdapRealm to DefaultLdapRealm | |
[SHIRO-300] - WildcardPermission: change visibility of field 'parts' to protected | |
[SHIRO-361] - HttpServletResponse.encodeURL: only append JSESSIONID when necessary | |
[SHIRO-428] - AuthorizingRealm "no cache" logging should be at DEBUG level, not INFO, OR is should log only once | |
[SHIRO-437] - WildcardPermission: conformed toString | |
[SHIRO-514] - ExecutorServiceSessionValidationScheduler should create threads with a configurable name | |
[SHIRO-564] - WildcardPermission case-insensitive makes parts collections twice | |
[SHIRO-566] - CollectionUtils should use Collections wrappers of arrays if possible | |
Task | |
[SHIRO-208] - Correct JDK 1.5 / 1.6 incompatibilities | |
[SHIRO-320] - Add an example for using Guice integration. | |
[SHIRO-571] - Mark shiro-cas deprecated (replaced with buji-pac4j) | |
########################################################### | |
# 1.2.6 | |
########################################################### | |
Bug | |
[SHIRO-545] - JavaEnvironment version getter | |
[SHIRO-567] - shiro-root-1.2.5.pom uses invalid encoding, fails to parse with Gradle 2.14 | |
########################################################### | |
# 1.2.5 | |
########################################################### | |
Bug | |
[SHIRO-443] - SessionValidationScheduler created multiple times, enabling it is not thread safe | |
[SHIRO-462] - Authentication exceptions are swallowed | |
[SHIRO-467] - Authentication exception gets swallowed | |
[SHIRO-550] - Randomize default remember me cipher | |
Improvement | |
[SHIRO-504] - Java 8 support | |
[SHIRO-516] - Explicitly specify the version of aspectjtools to avoid build warning | |
[SHIRO-562] - WildcardPermission calls String.trim() twice in setParts() | |
########################################################### | |
# 1.2.4 | |
########################################################### | |
Bug | |
[SHIRO-517] - Caused by: java.lang.NoClassDefFoundError: Lcom/google/inject/internal/util/$ImmutableList; | |
[SHIRO-518] - Shiro-CAS: Security Problem in cas-client-core versions older than 3.3.2 | |
[SHIRO-556] - https://shiro.apache.org/realm.html appears to link to the javadoc under static/current/apidocs not static/latest | |
Improvement | |
[SHIRO-332] - Change access level of method 'isPermitted' in org.apache.shiro.realm.AuthorizingRealm (line 461) from private to protected | |
[SHIRO-496] - Update shiro.guice dependency | |
[SHIRO-498] - ThreadLocal should not be created when not necessary | |
########################################################### | |
# 1.2.2 | |
########################################################### | |
Bug: | |
[SHIRO-316] - Annotations in samples-aspectj Project Does not Work | |
[SHIRO-351] - Shiro Native Session implementation cannot extract JSESSIONID From URL if JSESSIONID is URL parameter (not HTTP parameter) | |
[SHIRO-379] - SimpleAccoutRealm concurrency access to roles and users | |
[SHIRO-380] - runAs feature (still) doesn't work | |
[SHIRO-387] - EnvironmentLoader destroys wrong environment | |
[SHIRO-388] - Stackoverflow org.apache.shiro.session.SessionListener.onStop() | |
[SHIRO-389] - Fix OSGI Exports for shiro-ehcache | |
[SHIRO-390] - OSGi Import for JSP (javax.servlet.jsp) should be declared optional | |
[SHIRO-394] - PropertiesRealm reloading not working when loading from file | |
[SHIRO-399] - Memory leak for invalid sessions | |
[SHIRO-403] - Trunk will not build under JDK 1.7 due to webstart plugin | |
[SHIRO-413] - init() method is not called on class that implements org.apache.shiro.util.Initializable | |
[SHIRO-415] - isLoginAttempt method in BasicHttpAuthenticationFilter class fails if used in any locale other than English | |
[SHIRO-418] - Javadoc typo in JdbcRealm.SaltStyle | |
[SHIRO-423] - INI ReflectionBuilder should not wrap reference values | |
[SHIRO-429] - perms filter parsing is too sensitive to a trailing space | |
[SHIRO-431] - please use git ignore | |
[SHIRO-447] - Broken Javadoc links | |
########################################################### | |
# 1.2.1 | |
########################################################### | |
Bug: | |
[SHIRO-341] - ReflectionBuilder has invalid log message format | |
[SHIRO-342] - Running the example as described at http://shiro.apache.org/10-minute-tutorial.html fails | |
[SHIRO-344] - runAs feature doesn't work | |
[SHIRO-350] - Creating a subject should not create a session | |
[SHIRO-353] - DefaultSecurityManager has invalid SLF4J log instruction | |
[SHIRO-354] - Authentication cache | |
[SHIRO-358] - Source Tarball doesn't Build | |
[SHIRO-363] - PasswordMatcher should support character arrays | |
[SHIRO-368] - DomainPermission(string, string) constructor sets targets to the same value as actions | |
[SHIRO-375] - Basic authentication issue when using COLON character | |
[SHIRO-376] - shiro-cas feature should not depend on shiro-cas | |
[SHIRO-377] - PropertiesRealm unable to reload Properties | |
########################################################### | |
# 1.2.0 | |
########################################################### | |
Backwards Incompatible Changes | |
-------------------------------- | |
- The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed: | |
bindPrincipalsToSession(principals, context) | |
This logic has been moved into a SubjectDAO concept to allow end-users to control | |
exactly how the Session may be used for subject state persistence. This allows a | |
single point of control rather than needing to configure Shiro in multiple places. | |
If you overrode this method in Shiro 1.0 or 1.1, please look at the new | |
org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic. | |
Documentation for this is covered here: | |
http://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState | |
- The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation | |
(enabled by default for all web applications) no longer subclasses | |
org.apache.shiro.session.mgt.AbstractSessionManager. AbstractSessionManager existed | |
originally to consolidate a 'globalSessionTimeout' configuration property for | |
subclasses. However, the ServletContainerSessionManager has been changed to always | |
reflect the session configuration from web.xml (per its namesake). Because web.xml | |
is the definitive source for session timeout configuration, the 'extends' clause | |
was removed to avoid configuration confusion: if someone attempted to configure | |
'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never | |
be honored. It was better to remove the extends clause to ensure that any | |
such configuration would fail fast when Shiro starts up to reflect the invalid config. | |
Potential Breaking Changes | |
-------------------------------- | |
- The org.apache.shiro.web.filter.mgt.FilterChainManager class's | |
addFilter(String name, Filter filter) semantics have changed. It now no longer | |
attempts to initialize a filter by default before adding the filter to the chain. | |
If you ever called this method, you can call the | |
addFilter(name, filter, true) method to achieve the <= 1.1 behavior. | |
- The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating | |
128 random _bytes_ each time the nextBytes() method was called. This is too large for most purposes, so the | |
default has been changed to 16 _bytes_ (which equals 128 bits - what was originally intended). If for some reason | |
you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the | |
'defaultNextByteSize' property to match your desired size (in bytes, NOT bits). | |
- Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes: | |
1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC. | |
CBC is more commonly used for block ciphers today (e.g. SSL). | |
If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config | |
to ensure you can still decrypt previously encrypted data. For example, in code: | |
blockCipherService.setMode(OperationMode.CFB); | |
blockCipherService.setStreamingMode(OperationMode.CFB); | |
or, in shiro.ini: | |
blockCipherService.modeName = CFB | |
blockCipherService.streamingModeName = CFB | |
2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used. | |
If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the | |
previous padding scheme default to ensure you can still decrypt previously encrypted data. For example, in code: | |
blockCipherService.setStreamingPaddingScheme(PaddingScheme.NONE); | |
or, in shiro.ini: | |
blockCipherService.streamingPaddingSchemeName = NoPadding | |
Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is | |
the correct Enum value. | |
########################################################### | |
# 1.1.0 | |
########################################################### | |
Backwards Incompatible Changes | |
-------------------------------- | |
- The org.apache.shiro.web.util.RedirectView class's | |
appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme) | |
method has been changed to accept a StringBuilder argument instead of a | |
StringBuffer per SHIRO-191. RedirectView is considered an internal | |
implementation support class and Shiro end-users should not be affected by this. |