Apache Shiro security framework releases 3.0.0
Hacker News

Apache Shiro security framework releases 3.0.0

Release Announcement

The Apache Shiro team is pleased to announce the release of Apache Shiro version 3.0.0. This release is available for download now.

This is a new major release of Apache Shiro, with many new features and improvements, culminating more than two years of work.

Minimum Requirements and Compatibility

  • JDK 17 is the new minimum baseline
  • Jakarta EE 9/10/11+ (no javax.* namespace)
  • Spring 6/7+ and SpringBoot 3/4+
  • Guice 7/8+

Key New Features and Improvements

  • Using Java Scoped values for Subject and SecurityManager instead of ThreadLocals on JDK 25+
  • Improved thread-safety of Shiro-native sessions (SimpleSession, SimpleSessionFactory, CachingSessionDAO)
  • Made default implementation of PrincipalCollection immutable (ImmutablePrincipalCollection)
  • Case-insensitive path matching is now enabled by default (hardened by default)
  • Added NoAccessFilter and add it to the default filter chain (breaking change, hardened-by-default)
  • Enable CORS preflight requests by default

End-of-Life Notice

Apache Shiro 1.x and 2.x are now considered end-of-life. If support for these versions is required, please check Commercial Support.

Resources

You can learn more on GitHub, Release 3.0.0. Download and verification instructions are available on our download page.

Comments

No comments yet. Start the discussion.