Apache Shiro 2.0 Released
Thursday, 21 March 2024

Apache Shiro 2.0 has been released. The Java security framework now requires at least Java 11, and has added support for Jakarta EE 10.

Shiro is a framework that performs authentication, authorization, cryptography, and session management and, according to the team, is designed to manage all facets of your application’s security while keeping out of the way as much as possible.


The developers say it enables custom behavior wherever you can imagine it, but has been designed to have sensible defaults for everything, and to be as "hands off" as application security can be.

Shiro (the name is Japanese for castle) supports authentication across one or more pluggable data sources including LDAP, JDBC and ActiveDirectory. It can be used to perform authorization and access control based on roles or fine-grained permissions. The team says Shiro has first-class caching support for enhanced application performance.

Shiro also has built-in POJO-based enterprise session management, and can be used in both web and non-web environments or in any environment where Single Sign On (SSO) or clustered or distributed sessions are desired.

One of Shiro's strong points is its support for heterogeneous client session access, meaning Java developers can avoid using either HttpSession or Stateful Session Beans, which the team says often unnecessarily tie applications to specific environments. Flash applets, C# applications, Java Web Start, and Web Applications can now all share session state regardless of the deployment environment.

Simple Single Sign-On (SSO) support makes use of this enterprise session management, meaning that when sessions are federated across multiple applications, the user's authentication state can be shared too.

Shiro keeps the required dependencies minimal; standalone configuration requires only slf4j-api.jar and one of slf4j's binding .jars. Web configuration additionally requires commons-beanutils-core.jar. Feature-based dependencies such as Ehcache caching, Quartz-based Session validation, and Spring dependency injection can be added when needed.

All of Shiro's APIs are interface-based and implemented as POJOs, with the aim of making it easy to configure Shiro Cryptography components with JavaBeans-compatible formats like JSON, YAML, and Spring XML. It also provides a simplified wrapper over JCE, the Java Cryptography Extension.

The main improvements to this version start with the change to use Java 11 as the minimum supported JVM version, along with the addition of Jakarta EE 10 support. In practical terms, the new version uses stronger default password hashing algorithms in the form of Argon2 and BCrypt.

There's a new Jakarta EE integration module, along with support for SpringBoot 3.x, though SpringBoot 2.x is also supported.

Alongside a long list of other minor improvements, the new version also has automatic form resubmission when a session has expired in Jakarta EE.

Shiro 2.0 is available now.

