# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
This is not an official release notes document. It exists for Shiro developers
to jot down their notes while working in the source code. These notes will be
combined with Jira's auto-generated release notes during a release for the
total set.

###########################################################
# 1.2.0
###########################################################
Backwards Incompatible Changes
--------------------------------

- The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed:

    bindPrincipalsToSession(principals, context)

  This logic has been moved into a SubjectDAO concept to allow end-users to control
  exactly how the Session may be used for subject state persistence. This allows a
  single point of control rather than needing to configure Shiro in multiple places.
  If you overrode this method in Shiro 1.0 or 1.1, please look at the new
  org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic.
  Documentation for this is covered here:
  http://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState

- The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation
  (enabled by default for all web applications) no longer subclasses
  org.apache.shiro.session.mgt.AbstractSessionManager. AbstractSessionManager existed
  originally to consolidate a 'globalSessionTimeout' configuration property for
  subclasses. However, the ServletContainerSessionManager has been changed to always
  reflect the session configuration from web.xml (per its namesake). Because web.xml
  is the definitive source for session timeout configuration, the 'extends' clause
  was removed to avoid configuration confusion: if someone attempted to configure
  'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never
  be honored. Removing the extends clause is the better option because any such
  configuration now fails fast when Shiro starts up, so the invalid config is
  visible immediately instead of being silently ignored.
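The SubjectDAO hook described above, as an added example (not Shiro's own code): the decision that used to live in an overridden DefaultSecurityManager.bindPrincipalsToSession(...) is now a SessionStorageEvaluator plugged into DefaultSubjectDAO. This evaluator keeps session-backed Subject state for ordinary browser users but declines to create a session for requests that authenticate on every request with a token; the marker used to recognise such requests (an "Authorization" request header) and the class name TokenAwareSessionStorageEvaluator are assumptions for the example, not anything Shiro defines.

```java
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example, not part of Shiro: decides per Subject whether its
 * state (principals, authentication flag) may be persisted in a Session.
 * Browser users keep the default behaviour; token-authenticated clients
 * (assumed marker: an "Authorization" header) get no server-side session,
 * so per-request API callers do not accumulate session state.
 */
public class TokenAwareSessionStorageEvaluator extends DefaultSessionStorageEvaluator {

    @Override
    public boolean isSessionStorageEnabled(Subject subject) {
        // DefaultSessionStorageEvaluator returns true when a session already
        // exists or when its global sessionStorageEnabled flag is on.
        if (!super.isSessionStorageEnabled(subject)) {
            return false;
        }
        // A session that already exists may keep being synchronised.
        if (subject.getSession(false) != null) {
            return true;
        }
        // Web subjects expose the underlying request; inspect the assumed marker.
        if (WebUtils.isWeb(subject)) {
            ServletRequest request = WebUtils.getRequest(subject);
            if (request instanceof HttpServletRequest) {
                String auth = ((HttpServletRequest) request).getHeader("Authorization");
                boolean tokenClient = auth != null && !auth.isEmpty();
                return !tokenClient; // no new session for token clients
            }
        }
        return true;
    }

    /** Programmatic wiring: the SubjectDAO that the SecurityManager should use. */
    public static DefaultSubjectDAO subjectDAO() {
        DefaultSubjectDAO dao = new DefaultSubjectDAO();
        dao.setSessionStorageEvaluator(new TokenAwareSessionStorageEvaluator());
        return dao;
    }
}
```

To wire this through shiro.ini instead of code, define the evaluator as a bean and assign it to the default SubjectDAO's 'sessionStorageEvaluator' property, e.g. "sessionStorageEvaluator = com.example.TokenAwareSessionStorageEvaluator" followed by "securityManager.subjectDAO.sessionStorageEvaluator = $sessionStorageEvaluator" (the package name is a placeholder). Because the evaluator is the single point where session persistence is decided, the same rule applies to every login path without touching the SecurityManager.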
Potential Breaking Changes
--------------------------------

- The org.apache.shiro.web.filter.mgt.FilterChainManager class's
  addFilter(String name, Filter filter) semantics have changed. It now no longer
  attempts to initialize a filter by default before adding the filter to the chain.
  If you ever called this method, you can call the
  addFilter(name, filter, true) method to achieve the <= 1.1 behavior.

- The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating
  128 random _bytes_ each time the nextBytes() method was called. This is too large for most purposes, so the
  default has been changed to 16 _bytes_ (which equals 128 bits - what was originally intended). If for some reason
  you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the
  'defaultNextByteSize' property to match your desired size (in bytes, NOT bits).
- Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes:

  1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC.
     CBC is more commonly used for block ciphers today (e.g. SSL).

     If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config
     to ensure you can still decrypt previously encrypted data. For example, in code:

         blockCipherService.setMode(OperationMode.CFB);
         blockCipherService.setStreamingMode(OperationMode.CFB);

     or, in shiro.ini:

         blockCipherService.modeName = CFB
         blockCipherService.streamingModeName = CFB

  2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used.

     If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the
     previous padding scheme default to ensure you can still decrypt previously encrypted data. For example, in code:

         blockCipherService.setStreamingPaddingScheme(PaddingScheme.NONE);

     or, in shiro.ini:

         blockCipherService.streamingPaddingSchemeName = NoPadding

     Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is
     the correct Enum value.
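The cipher-service change in items 1) and 2) above, as an added example (not Shiro's own code): rather than permanently reverting the global defaults, one service instance is configured with the <= 1.1 settings (CFB mode, CFB streaming mode, NoPadding for streaming) purely to read data written by the old deployment, and a second instance with the untouched 1.2 defaults (CBC, PKCS5) re-encrypts it. The class name ShiroCipherMigration, the helper method names and the sample plaintext are assumptions of the example; BlowfishCipherService would be configured identically.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.OperationMode;
import org.apache.shiro.crypto.PaddingScheme;

/**
 * Added example, not part of Shiro: migrates ciphertext produced by a
 * Shiro <= 1.1 AesCipherService to the 1.2 defaults.
 */
public class ShiroCipherMigration {

    /** An AesCipherService configured exactly like the <= 1.1 defaults. */
    public static AesCipherService legacyService() {
        AesCipherService svc = new AesCipherService();
        svc.setMode(OperationMode.CFB);                       // was the default mode
        svc.setStreamingMode(OperationMode.CFB);              // was the default streaming mode
        svc.setStreamingPaddingScheme(PaddingScheme.NONE);    // was the default streaming padding
        return svc;
    }

    /** An AesCipherService left on the 1.2 defaults (CBC mode, PKCS5 padding). */
    public static AesCipherService currentService() {
        return new AesCipherService();
    }

    /** Decrypt ciphertext written by the old defaults and re-encrypt it under the new ones. */
    public static byte[] reencrypt(byte[] legacyCiphertext, byte[] key) {
        byte[] plaintext = legacyService().decrypt(legacyCiphertext, key).getBytes();
        return currentService().encrypt(plaintext, key).getBytes();
    }

    /** Same migration for data that was written with the streaming API. */
    public static byte[] reencryptStream(byte[] legacyCiphertext, byte[] key) {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        legacyService().decrypt(new ByteArrayInputStream(legacyCiphertext), plain, key);
        ByteArrayOutputStream fresh = new ByteArrayOutputStream();
        currentService().encrypt(new ByteArrayInputStream(plain.toByteArray()), fresh, key);
        return fresh.toByteArray();
    }

    public static void main(String[] args) {
        byte[] key = currentService().generateNewKey().getEncoded(); // 128-bit AES key
        // Constructed sample plaintext standing in for data persisted by a 1.1 deployment.
        byte[] secret = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] legacyBlock = legacyService().encrypt(secret, key).getBytes();
        byte[] migratedBlock = reencrypt(legacyBlock, key);
        byte[] roundTrip = currentService().decrypt(migratedBlock, key).getBytes();
        System.out.println("block migration ok: " + Arrays.equals(secret, roundTrip));

        ByteArrayOutputStream legacyStream = new ByteArrayOutputStream();
        legacyService().encrypt(new ByteArrayInputStream(secret), legacyStream, key);
        byte[] migratedStream = reencryptStream(legacyStream.toByteArray(), key);
        ByteArrayOutputStream decrypted = new ByteArrayOutputStream();
        currentService().decrypt(new ByteArrayInputStream(migratedStream), decrypted, key);
        System.out.println("stream migration ok: " + Arrays.equals(secret, decrypted.toByteArray()));
    }
}
```

Keep the CFB-configured instance only for the migration path and retire it once no legacy ciphertext remains, so that there is a single set of cipher settings in production. Note that Shiro prepends the randomly generated IV to each ciphertext under both configurations, so the stored bytes for a given plaintext differ on every encryption; and neither CFB nor CBC authenticates the ciphertext, so integrity of stored data still has to be provided separately (for example by a MAC).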
###########################################################
# 1.1.0
###########################################################

Backwards Incompatible Changes
--------------------------------

- The org.apache.shiro.web.util.RedirectView class's
  appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme)
  method has been changed to accept a StringBuilder argument instead of a
  StringBuffer per SHIRO-191. RedirectView is considered an internal
  implementation support class and Shiro end-users should not be affected by this.