# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. This is not an official release notes document. It exists for Shiro developers to jot down their notes while working in the source code. These notes will be combined with Jira's auto-generated release notes during a release for the total set. ########################################################### # 1.2.0 ########################################################### Backwards Incompatible Changes -------------------------------- - The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed: bindPrincipalsToSession(principals, context) This logic has been moved into a SubjectDAO concept to allow end-users to control exactly how the Session may be used for subject state persistence. This allows a single point of control rather than needing to configure Shiro in multiple places. If you overrode this method in Shiro 1.0 or 1.1, please look at the new org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic. Documentation for this is covered here: http://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState - The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation (enabled by default for all web applications) no longer subclasses org.apache.shiro.session.mgt.AbstractSessionManager. AbstractSessionManager existed originally to consolidate a 'globalSessionTimeout' configuration property for subclasses. However, the ServletContainerSessionManager has been changed to always reflect the session configuration from web.xml (per its namesake). Because web.xml is the definitive source for session timeout configuration, the 'extends' clause was removed to avoid configuration confusion: if someone attempted to configure 'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never be honored. It was better to remove the extends clause to ensure that any such configuration would fail fast when Shiro starts up to reflect the invalid config. Potential Breaking Changes -------------------------------- - The org.apache.shiro.web.filter.mgt.FilterChainManager class's addFilter(String name, Filter filter) semantics have changed. It now no longer attempts to initialize a filter by default before adding the filter to the chain. If you ever called this method, you can call the addFilter(name, filter, true) method to achieve the <= 1.1 behavior. - The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating 128 random _bytes_ each time the nextBytes() method was called. This is too large for most purposes, so the default has been changed to 16 _bytes_ (which equals 128 bits - what was originally intended). If for some reason you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the 'defaultNextByteSize' property to match your desired size (in bytes, NOT bits). - Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes: 1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC. CBC is more commonly used for block ciphers today (e.g. SSL). If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config to ensure you can still decrypt previously encrypted data. For example, in code: blockCipherService.setMode(OperationMode.CFB); blockCipherService.setStreamingMode(OperationMode.CFB); or, in shiro.ini: blockCipherService.modeName = CFB blockCipherService.streamingModeName = CFB 2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used. If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the previous padding scheme default to ensure you can still decrypt previously encrypted data. For example, in code: blockCipherService.setStreamingPaddingScheme(PaddingScheme.NONE); or, in shiro.ini: blockCipherService.streamingPaddingSchemeName = NoPadding Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is the correct Enum value. ########################################################### # 1.1.0 ########################################################### Backwards Incompatible Changes -------------------------------- - The org.apache.shiro.web.util.RedirectView class's appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme) method has been changed to accept a StringBuilder argument instead of a StringBuffer per SHIRO-191. RedirectView is considered an internal implementation support class and Shiro end-users should not be affected by this.