Skip to content

Apache Shiro 1.7.1 released

The Release of Apache Shiro 1.7.1 is out. Why I blog about this? I have been a commiter for the Apache Shiro project for a while now and recently became PMC member. 😊

Read on for information what has changed in Apache Shiro 1.7.1.

Changes

CVE-2020-17523

We fixed a security issue where a specially crafted HTTP request may cause an authentication bypass.

[SHIRO-797] Springboot 2.0.x support

While we test against Spring 2.1+, a simple white space change made Shiro 2.0.x compatible again: spring.factories.

Minor fixes

Some Groovy test classes went into the wrong package when calling the site goal.

We also fixed some tests not running on Java 11 builds due to the use of PowerMockito.

Where to get Apache Shiro

As always, you can get the latest artifacts from maven central. Here’s a pom.xml fragment to get you started.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/maven-v4_0_0.xsd">

  <properties>
    <shiro.version>1.7.1</shiro.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring-boot-starter</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- Enables classes like IniWebEnvironment. -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- Makes shiro available in jaxrs context. -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-jaxrs</artifactId>
        <version>${shiro.version}</version>
      </dependency>

      <!-- web_fragment.xml for automatic web.xml inclusion (sets up filter and EnvLoader) -->
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-servlet-support</artifactId>
        <version>${shiro.version}</version>
      </dependency>
    </dependencies>
  <dependencyManagement>

</project>

Web links

Published inProgramming / Codingsoftware showcase

One Comment

  1. […] main class which checks if Shiro should handle the path. However, due to a mistake in a bugfix in Apache Shiro 1.7.1, it did not handle trailing slashes correctly anymore. Brian was quick to find and write a fix and […]

Leave a Reply

Your email address will not be published. Required fields are marked *