| # Licensed to the Apache Software Foundation (ASF) under one | |
| # or more contributor license agreements. See the NOTICE file | |
| # distributed with this work for additional information | |
| # regarding copyright ownership. The ASF licenses this file | |
| # to you under the Apache License, Version 2.0 (the | |
| # "License"); you may not use this file except in compliance | |
| # with the License. You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, | |
| # software distributed under the License is distributed on an | |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
| # KIND, either express or implied. See the License for the | |
| # specific language governing permissions and limitations | |
| # under the License. | |
| This is not an official release notes document. It exists for Shiro developers | |
| to jot down their notes while working in the source code. These notes will be | |
| combined with Jira's auto-generated release notes during a release for the | |
| total set. | |
| ########################################################### | |
| # 1.2.0 | |
| ########################################################### | |
| Backwards Incompatible Changes | |
| -------------------------------- | |
| - The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed: | |
| bindPrincipalsToSession(principals, context) | |
| This logic has been moved into a SubjectDAO concept to allow end-users to control | |
| exactly how the Session may be used for subject state persistence. This allows a | |
| single point of control rather than needing to configure Shiro in multiple places. | |
| If you overrode this method in Shiro 1.0 or 1.1, please look at the new | |
| org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic. | |
| Documentation for this is covered here: | |
| http://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState | |
| - The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation | |
| (enabled by default for all web applications) no longer subclasses | |
| org.apache.shiro.session.mgt.AbstractSessionManager. AbstractSessionManager existed | |
| originally to consolidate a 'globalSessionTimeout' configuration property for | |
| subclasses. However, the ServletContainerSessionManager has been changed to always | |
| reflect the session configuration from web.xml (per its namesake). Because web.xml | |
| is the definitive source for session timeout configuration, the 'extends' clause | |
| was removed to avoid configuration confusion: if someone attempted to configure | |
| 'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never | |
| be honored. It was better to remove the extends clause to ensure that any | |
| such configuration would fail fast when Shiro starts up to reflect the invalid config. | |
| Potential Breaking Changes | |
| -------------------------------- | |
| - The org.apache.shiro.web.filter.mgt.FilterChainManager class's | |
| addFilter(String name, Filter filter) semantics have changed. It now no longer | |
| attempts to initialize a filter by default before adding the filter to the chain. | |
| If you ever called this method, you can call the | |
| addFilter(name, filter, true) method to achieve the <= 1.1 behavior. | |
| - The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating | |
| 128 random _bytes_ each time the nextBytes() method was called. This is too large for most purposes, so the | |
| default has been changed to 16 _bytes_ (which equals 128 bits - what was originally intended). If for some reason | |
| you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the | |
| 'defaultNextByteSize' property to match your desired size (in bytes, NOT bits). | |
| - Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes: | |
| 1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC. | |
| CBC is more commonly used for block ciphers today (e.g. SSL). | |
| If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config | |
| to ensure you can still decrypt previously encrypted data. For example, in code: | |
| blockCipherService.setMode(OperationMode.CFB); | |
| blockCipherService.setStreamingMode(OperationMode.CFB); | |
| or, in shiro.ini: | |
| blockCipherService.modeName = CFB | |
| blockCipherService.streamingModeName = CFB | |
| 2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used. | |
| If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the | |
| previous padding scheme default to ensure you can still decrypt previously encrypted data. For example, in code: | |
| blockCipherService.setStreamingPaddingScheme(PaddingScheme.NONE); | |
| or, in shiro.ini: | |
| blockCipherService.streamingPaddingSchemeName = NoPadding | |
| Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is | |
| the correct Enum value. | |
| ########################################################### | |
| # 1.1.0 | |
| ########################################################### | |
| Backwards Incompatible Changes | |
| -------------------------------- | |
| - The org.apache.shiro.web.util.RedirectView class's | |
| appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme) | |
| method has been changed to accept a StringBuilder argument instead of a | |
| StringBuffer per SHIRO-191. RedirectView is considered an internal | |
| implementation support class and Shiro end-users should not be affected by this. |