To main content

Apache Shiro 1.7.1 released

Published by Benjamin Marwell on

The Release of Apache Shiro 1.7.1 is out. Why I blog about this? I have been a commiter for the Apache Shiro project for a while now and recently became PMC member. 😊

Read on for information what has changed in Apache Shiro 1.7.1.

Changes

CVE-2020-17523

We fixed a security issue where a specially crafted HTTP request may cause an authentication bypass.

[SHIRO-797] Springboot 2.0.x support

While we test against Spring 2.1+, a simple white space change made Shiro 2.0.x compatible again: spring.factories.

Minor fixes

Some Groovy test classes went into the wrong package when calling the site goal.

We also fixed some tests not running on Java 11 builds due to the use of PowerMockito.

Where to get Apache Shiro

As always, you can get the latest artifacts from maven central. Here’s a pom.xml fragment to get you started.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/maven-v4_0_0.xsd">

  <properties>
    <shiro.version>1.7.1</shiro.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring-boot-starter</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- Enables classes like IniWebEnvironment. -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- Makes shiro available in jaxrs context. -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-jaxrs</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- web_fragment.xml for automatic web.xml inclusion (sets up filter and EnvLoader) -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-servlet-support</artifactId>
        <version>${shiro.version}</version>
      </dependency>
    </dependencies>
  <dependencyManagement>

</project>

Web links