Apache Shiro security framework releases 3.0.0
Release Announcement
The Apache Shiro team is pleased to announce the release of Apache Shiro version 3.0.0. This release is available for download now.
This is a new major release of Apache Shiro, with many new features and improvements, culminating more than two years of work.
Minimum Requirements and Compatibility
- JDK 17 is the new minimum baseline
- Jakarta EE 9/10/11+ (no
javax.*namespace) - Spring 6/7+ and SpringBoot 3/4+
- Guice 7/8+
Key New Features and Improvements
- Using Java Scoped values for
SubjectandSecurityManagerinstead ofThreadLocalson JDK 25+ - Improved thread-safety of Shiro-native sessions (
SimpleSession,SimpleSessionFactory,CachingSessionDAO) - Made default implementation of
PrincipalCollectionimmutable (ImmutablePrincipalCollection) - Case-insensitive path matching is now enabled by default (hardened by default)
- Added
NoAccessFilterand add it to the default filter chain (breaking change, hardened-by-default) - Enable CORS preflight requests by default
End-of-Life Notice
Apache Shiro 1.x and 2.x are now considered end-of-life. If support for these versions is required, please check Commercial Support.
Resources
You can learn more on GitHub, Release 3.0.0. Download and verification instructions are available on our download page.
Comments
No comments yet. Start the discussion.