Apache Shiro 1.8.0 has been released. This article will give a short overview of what has changed since Apache Shiro 1.7.1.
Changes in Apache Shiro 1.8.0
Apache Shiro 1.8.0 is a relatively small release. We fixed two bugs and added one feature.
Apache Shiro: [SHIRO-678] Body parsed without JSESSIONID cookie
[SHIRO-678] - Strings garbled when POST without JSESSIONID cookie
This was one of the first issues I ever created. When posting login data using the MIME type application/x-www-form-urlencoded, you can encounter this error. Before Apache Shiro 1.8.0, your POST body content could be modified by the time it reached your servlet or JAX-RS method.
However, as Romain Manni-Bucau pointed out, we were (and still are) looking for the JSESSIONID parameter using ServletRequest.getParameter(String name). Query parameters are the most common parameters in a web request. However, when using form data, form fields are also considered parameters. This means that if no cookie with JSESSIONID was found, Apache Shiro looked in the parameters, which happened to read the body, decode it, and push it back without decoding. So many thanks, κύδος and shoutouts to Romain for bringing this up!
To retain a (somewhat) compatible behaviour, we now do a very quick check whether JSESSIONID or jsessionid is somewhere in the URL (probably a query parameter). It is not a very thorough check, but it does work: the body will not be read, leaving it untampered.
This solves a problem where users of one of my applications could not log in with special chars in their passwords, unless they had a JSESSIONID cookie set.
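The effect described in this section, as an added example that is not Apache Shiro's own code: it simulates a container decoding a form body during the session id lookup, next to a URL-only check like the one described above. The class and method names are hypothetical, the form data is constructed, and the ISO-8859-1 fallback (the servlet default when no request encoding has been set) is assumed to be the source of the garbling.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class SessionIdLookupDemo {

    // Hypothetical stand-in for the quick check: consult request parameters
    // only when the URL itself mentions the session id name.
    static boolean urlMentionsSessionId(String uri, String query) {
        String url = (query == null) ? uri : uri + "?" + query;
        return url.contains("JSESSIONID") || url.contains("jsessionid");
    }

    // Simulates what a container does on the first getParameter() call for a
    // form POST: it consumes the body and decodes every field with one charset.
    static String parseField(String body, String name, Charset charset) {
        for (String pair : body.split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) {
                return URLDecoder.decode(kv[1], charset);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: UTF-8 login form with a non-ASCII password.
        String password = "p\u00e4ssw\u00f6rd\u20ac";
        String body = "username=alice&password="
                + URLEncoder.encode(password, StandardCharsets.UTF_8);

        // Assumption: the body is parsed before the application has set a
        // request encoding, so the servlet default ISO-8859-1 is applied.
        String early = parseField(body, "password", StandardCharsets.ISO_8859_1);
        System.out.println("parsed during session lookup matches: "
                + password.equals(early));
        // With the URL check, a cookie-less POST to /login never touches the
        // parameters, so the application decodes the body itself as UTF-8.
        if (!urlMentionsSessionId("/login", null)) {
            String late = parseField(body, "password", StandardCharsets.UTF_8);
            System.out.println("parsed by the application matches: "
                    + password.equals(late));
        }
        // A URL that does carry the id still triggers the parameter lookup.
        System.out.println("lookup for /app?JSESSIONID=abc: "
                + urlMentionsSessionId("/app", "JSESSIONID=abc"));
    }
}
```

The demo needs Java 10 or later for the Charset overloads of URLEncoder.encode and URLDecoder.decode.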
[SHIRO-825] - Trailing slash in URI results in IllegalArgumentException
This is probably one of our nastier bugs. The PathMatchingFilterChainResolver.java class is the main class which checks if Shiro should handle the path. However, due to a mistake in a bugfix in Apache Shiro 1.7.1, it no longer handled trailing slashes correctly. Brian was quick to find and write a fix and add two tests.
Add @Documented to Apache Shiro 1.8.0 authorization annotations
[SHIRO-216] - Add @Documented to Shiro authorization annotations
This was kind of an embarrassing skeleton in the closet. While I was browsing old JIRA issues and marking them as stale/invalid/duplicates, I found SHIRO-216. It was just a matter of adding some @Documented annotations to our own annotation classes (also called @interfaces).
In case you didn't know, it doesn't change any behaviour of Apache Shiro. The only thing it changes is that classes carrying an annotation that is itself marked @Documented will have that annotation included in their generated javadoc. Before Apache Shiro 1.8.0, classes annotated with any Shiro annotation would not have javadoc where our Apache Shiro annotation class was recorded.
Download Apache Shiro 1.8.0
You can download Shiro 1.8.0 from Maven Central (recommended). For more information, please take a look at our Apache Shiro Download Page.