
Apache Shiro 1.9.0 released

Published by Benjamin Marwell on

Apache Shiro 1.9.0 has been released. This article will give a short overview of what has been changed in the build since Apache Shiro 1.8.0.

General Announcement of Apache Shiro 1.9.0

This blog post is only about the changes in the build system. If you want a plain changelog, please see the official announcement.

Changes to the build system in Apache Shiro 1.9.0

Our Maven build has been revamped and modernized quite a lot. The Apache Maven Team (Karl Heinz Marbaise and Hervé Boutemy) helped us a lot in modernizing our Maven scripts. You can learn a lot about Apache Maven by just studying these changes.

[SHIRO-845] - Dependencies for test-jars missing

Some of our Maven modules have dependencies on test-jars. Test jars are artifacts which contain the compiled contents of src/test/*. Depending on such artifacts might be a no-go in some cases, but at least you have to declare them correctly.

Previously, you had to run mvn test to have the tests compiled; otherwise the build would fail. Now you can just use mvn compile, and Maven will correctly figure out which artifacts it needs to use in which case.

[SHIRO-838] - Create SHA512-Hashes

This one took us a while. The Apache Foundation requires projects to release the complete source code as their primary artifact. This artifact needs to be hashed and signed. With SHA-1 and MD5 now being relics of the past, we needed to make sure our file gets a SHA-512 hash attached. We had multiple PRs for this one, but in the end upgrading to the latest Apache Parent POM was enough.
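A consumer-side check of such a SHA-512 file, as an added example that is not part of the original post or of Shiro's own tooling. It assumes the .sha512 file uses one of the common layouts (bare digest, GNU sha512sum line, BSD tag line, or gpg --print-md groups); the archive name and its contents are constructed placeholders.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HEX128 = re.compile(r"\b[0-9a-f]{128}\b")


def parse_sha512_file(text):
    """Extract the digest from a .sha512 file as 128 lowercase hex digits."""
    lowered = text.lower()
    match = HEX128.search(lowered)  # bare digest, GNU and BSD-tag layouts
    if match:
        return match.group(0)
    # gpg --print-md layout: "name: ABCD EF01 ..." in groups, possibly wrapped
    tail = re.sub(r"\s+", "", lowered.rpartition(":")[2])
    if re.fullmatch(r"[0-9a-f]{128}", tail):
        return tail
    raise ValueError("no SHA-512 digest found in checksum file")


def sha512_of(path):
    """Hash the file in 1 MiB blocks so large archives are not loaded whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_release(artifact, checksum_file):
    """True only if the artifact's SHA-512 equals the published digest."""
    expected = parse_sha512_file(Path(checksum_file).read_text(errors="replace"))
    return hmac.compare_digest(sha512_of(artifact), expected)


def demo():
    """Verify a constructed archive, then the same archive after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp, "example-source-release.zip")  # hypothetical name
        archive.write_bytes(b"constructed sample bytes, not a real release")
        published = Path(tmp, archive.name + ".sha512")
        published.write_text(f"{sha512_of(archive)}  {archive.name}\n")
        intact = verify_release(archive, published)
        archive.write_bytes(b"constructed sample bytes, modified in transit")
        return intact, verify_release(archive, published)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching digest only shows that the download is intact; the detached signature is what ties the archive to the release manager's key.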

Other hashes for primary artifacts

Do NOT attempt to use SHA-512 hashes (or any others) for your primary artifacts. This is neither supported on Maven Central, nor does any tool check for it.

If you use the checksum-maven-plugin to create hashes for your primary artifacts, those hashes will be treated as primary artifacts themselves and will in turn be hashed and signed in the deploy phase. This is most likely neither what you expected nor what you wanted.

Hervé gave us a lot of insight and background for this.

[SHIRO-846] - Creation of site takes very long time

Now this bugged us a lot in releases. Releases often took an hour or two, which was not acceptable.

Karl Heinz was so kind to update most of our plugins. He also removed some redundant arguments which resulted in forking of plugins (and therefore duplicate compilation), as well as duplicate goals.

The release time (verify + site) went down from more than 20 minutes to about eight minutes on my AMD Ryzen 3600X.

[SHIRO-848] - Relative Path in pom.xml is not needed

This is a minor nit, but less is better and convention is better than configuration.

The issue description is:

Currently in every pom parent a <relativePath>../pom.xml</relativePath> is given which is the default. So this can be removed.
— Karl Heinz Marbaise

So you can imagine what the PR does: it removes <relativePath>../pom.xml</relativePath> 51 times.

[SHIRO-850] - The profile name jdk19-plus is misleading

Shiro was created when Java 1.5 was still a thing. When our team added profile names (e.g. for javadoc compatibility), most of us did not have a future Java version 19 in mind, which isn’t even released yet as of writing this post (2022).

Anyway, when we wrote "19" we meant "1.9" (which was never a thing). Karl Heinz kindly renamed it to just "9".

[SHIRO-842] - shiro-web depends on older log4j

Log4j2 was in everyone’s news at some point in the past. We still used log4j 1.x for a few tests.

While we do not think this was a problem from a security point of view as this was only a test dependency, some sites did show a warning to users.

The PR took a while to work as expected, but in the end we were able to include it.

[SHIRO-862] - Replace Google Analytics with Matomo for new Javadocs

Now this is a rather unconventional commit. The ASF now runs a public Matomo instance, so projects do not need to rely on Google Analytics anymore.

We switched out the code for new Javadoc files to include the Matomo tracking code instead. Additionally, we switched every old page as well (the commit is in the apache/shiro-site repository), so you will never get tracked by us with Google Analytics again.

[SHIRO-854] - Konfiguration includes/excludes maven-failsafe-plugin can be reduced to default

This is another gem for Maven beginners and easy to miss. It also goes by »convention over configuration«.

Karl Heinz spotted that our failsafe-plugin’s configuration is a copy of the default configuration for this plugin. Hence, removing the redundant configuration (German: Konfiguration with a capital »K«) was a no-brainer.


While Shiro 1.9.0 only fixes one or two bugs, it excels at being a great showcase for cleaning up Maven configuration!

Do you know anything else we should do? Send us a tweet: