Re: Proposal: Release Shiro 2.0 Beta

2024-02-09 Thread Brian Demers
+1 On Thu, Feb 8, 2024 at 1:59 AM Francois Papon wrote: > +1 > On 07/02/2024 01:55, le...@flowlogix.com wrote: > > Proposal: Release Shiro 2.x Beta > Since docs are well on their way and there are no more showstoppers… > What do you think? > >

Re: CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

2024-01-19 Thread Brian Demers
nown > Affected Software Configurations" (listing CPEs) that formally declares > that 1.13.0 is safe. Without it, no tool can reliably report that my > project using 1.13.0 is fine. > > Does Apache have a chance to get this entry corrected? > > On 2024/01/12 16:21:39 Brian Demers

CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

2024-01-12 Thread Brian Demers
Severity: low Affected versions: - Apache Shiro before 1.13.0 - Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4 Description: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path

CVE-2023-46750: Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.

2023-12-13 Thread Brian Demers
Severity: moderate Affected versions: - Apache Shiro before 1.13.0 - Apache Shiro 2.0.0-alpha-1 before 2.0.0-alpha-4 Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or

Re: [VOTE] Apache Shiro 1.13.0 release (#2)

2023-11-03 Thread Brian Demers
Great idea! On Fri, Nov 3, 2023 at 4:17 PM Francois Papon wrote: > Hi Brian, > > Very nice maven cmd to verify the staging release! > > I will add it into the release guide on ASF Confluence :) > > regards, > > François > > On 02/11/2023 18:49, Br

Re: [VOTE] Apache Shiro 1.13.0 release (#2)

2023-11-02 Thread Brian Demers
+1 (binding) I checked the build for reproducibility (based on recommendations from Hervé Boutemy at Community Over Code - ApacheCon). Assuming I ran the command correctly, I checked the 1.13.0 tag and source dist by running: mvn install artifact:compare -Pdocs,apache-release -DskipITs

CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normal

2023-07-24 Thread Brian Demers
Severity: important Affected versions: - Apache Shiro before 1.12.0 - Apache Shiro before 2.0.0-alpha-3 Description: Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web

Re: Apache Shiro Vulnerabilities

2023-07-20 Thread Brian Demers
For that version, users are expected to update to a newer minor version. On Wed, Jul 19, 2023 at 4:43 PM Mihir Chhaya wrote: > Thank you for your response. Following is the link I am referring to for > the Shiro Vulnerabilities associated with respective versions. > >

Re: [VOTE] Release Apache Shiro 1.12.0

2023-07-11 Thread Brian Demers
+1 (binding) On Tue, Jul 11, 2023 at 9:57 AM fpapon wrote: > This is a call to vote in favor of releasing Apache Shiro version 1.12.0. > > We solved 1 Issue: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950=12353403 > > Maven Staging repo: >

Re: [VOTE] Set minimal JDK11 for Shiro 2.x

2023-01-20 Thread Brian Demers
+1 On Fri, Jan 20, 2023 at 5:25 AM fpapon wrote: > Hi, > > After several discussions on the mailing list, I would like to start a vote to > set the minimal version of the JDK to version 11 starting with Shiro 2.x. > > Vote open for 72 hours: > > [ ] +1 (set JDK11 min version for Shiro 2.x) > [ ] +0

Re: How to manage Role base access using Keycloak

2023-01-18 Thread Brian Demers
You may want to ask in one of the Jena lists. But from a quick read of the docs, it looks like you could provide a custom implementation of a Realm similar to the example I provided. I haven't used Jena, and I don't know how these systems are used, so I don't want to suggest something if they

Re: How to manage Role base access using Keycloak

2023-01-17 Thread Brian Demers
Can you describe your use case a bit more? I'm not 100% sure what you mean by "Shiro embedded into Jena into Keycloak" If you just need to validate a JWT passed as a bearer token (i.e. an `Authorization` header with the `Bearer` prefix), you can do that. Here is an example I created for Okta (you

[ANNOUNCE][CVE-2023-22602] Apache Shiro 1.11.0 released

2023-01-13 Thread Brian Demers
The Apache Shiro team is pleased to announce the release of Apache Shiro version 1.11.0. This is a feature release for 1.x. This release solves 3 issues since the 1.11.0 release and is available for download now[1]. This release includes classifiers for the Jakarta namespace. CVE-2023-22602

CVE-2023-22602: Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

2023-01-13 Thread Brian Demers
Description: When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6

Re: using DefaultLdapRealm with UTF-8

2022-10-25 Thread Brian Demers
Was the problem the charset? On Tue, Oct 25, 2022 at 2:35 PM David Bonnafous wrote: > > searching more deeply... reading the web and the doc... > I found a solution in the Tomcat doc. > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Add_Default_Character_Set_Filter > > Thank you. >

Re: using DefaultLdapRealm with UTF-8

2022-10-25 Thread Brian Demers
I'll take a guess, but to be sure, you would probably need to set a breakpoint in the DefaultLdapRealm class. The default character encoding defined in the servlet spec is ISO-8859-1, any password form you have may need to explicitly set the character set:

Re: Jakarta JARs

2022-10-12 Thread Brian Demers
It was pushed out, it needs a little more work. If you are interested in helping test it out, jump over to the dev list! https://shiro.apache.org/mailing-lists.html On Wed, Oct 12, 2022 at 12:31 PM Julian Fernandez wrote: > Hi all, > > I wanted to confirm whether the Jakarta-packaged Shiro

[ANNOUNCE][CVE-2022-40664] Apache Shiro 1.10.0 released

2022-10-11 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0. This security release contains 7 fixes since the 1.9.1 release and is available for Download now [1]. CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or

[ANNOUNCE][CVE-2022-32532] Apache Shiro 1.9.1 released

2022-06-28 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version 1.9.1. This security release contains 6 fixes since the 1.9.0 release and is available for Download now [1]. Improvement * [SHIRO-871] - ActiveDirectoryRealm - append suffix only if missing from username *

Re: Shiro 2.0 and jakarta servlet

2022-06-23 Thread Brian Demers
Thanks for reaching out Alex! There was another thread recently on the topic: https://lists.apache.org/thread/bfx1df1ykf1r91xr33h836dpyg83fq15 If you are interested in helping out with the effort let us know! -Brian On Wed, Jun 22, 2022 at 5:32 AM Alex Orlov wrote: > Hello. > > Could anyone

Re: Active Directory: Can authorise and authenticate with E-Mail, but only authorise per User ID

2022-03-18 Thread Brian Demers
Sorry for the delay Andreas! This is a great idea, I've created an issue: https://issues.apache.org/jira/browse/SHIRO-871 and made a quick pass at a PR based on your patch: https://github.com/apache/shiro/pull/350 Thanks Again! On Sun, Mar 6, 2022 at 7:55 PM Andreas Reichel <

Re: [VOTE] Release Apache Shiro 1.9.0 - Take #3

2022-03-18 Thread Brian Demers
+1 (binding) Thanks Francois!! On Thu, Mar 17, 2022 at 12:17 PM Jean-Baptiste Onofré wrote: > +1 (binding) > > Thanks, > Regards > JB > > On Wed, Mar 16, 2022 at 1:55 PM Francois Papon < > francois.pa...@openobject.fr> > wrote: > > > This is a call to vote in favor of releasing Apache Shiro

Re: [VOTE] Release Apache Shiro 1.9.0 - Take #2

2022-03-11 Thread Brian Demers
ree with that, I can cancel the vote and restart it next week? > > regards, > > On 11/03/2022 05:31, Brian Demers wrote: >> Good catch on the notice and the release notes! >> >> I think we should respin the release because of this, these files are >> included in the

Re: [VOTE] Release Apache Shiro 1.9.0 - Take #2

2022-03-10 Thread Brian Demers
Good catch on the notice and the release notes! I think we should respin the release because of this, these files are included in the source-zip (even though the last release missed them). Sorry Francois, I know you have already done this twice, I can volunteer to help next week when I'm back at my

Re: Best place to debug Shiro Authentication in JAX-RS CXF Application

2022-01-25 Thread Brian Demers
Hi! Shiro's JAX-RS support requires the use of a servlet stack, (or an equivalent filter in your application) This can be auto configured if your container supports it: https://github.com/apache/shiro/blob/1.8.x/samples/jaxrs/pom.xml#L69-L72 Otherwise you can configure a web.xml, similar to

Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-29 Thread Brian Demers
ractical to look at separating the Spring library from the rest > >> of Shiro? > >> It seems like we see a fair number of vulnerabilities for the Spring > >> code which don't affect other modules / usage. > >> > >> Best regards, > >> > >

Re: CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-29 Thread Brian Demers
ch don't affect other modules / usage. > > Best regards, > > Philip Whitehouse > > On 2021-09-16 21:19, Brian Demers wrote: > > Description: > > > > Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a > > specially crafted HTTP request

CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

2021-09-16 Thread Brian Demers
Description: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. Credit: Apache Shiro would like to thank tsug0d for reporting this issue.

Re: [SHIRO-206] JSF support

2021-08-02 Thread Brian Demers
+1 to remove JSF support could be done in a third-party repo until it gains more support/usage (and a few folks to help maintain it) (said third-party repo could also be pushed to Maven Central) Another option is to create a `apache/shiro-labs` git repo to test out ideas for things that are NOT

Re: Shiro - Session Loss

2021-06-18 Thread Brian Demers
Were you able to get the log output? On Fri, Jun 18, 2021 at 3:50 PM alina.frey wrote: > A little update with my discoveries so far. > > The code breaks when upgrading from shiro 1.2.6 to shiro 1.3.0. > > I was able to access the server side as soon as I modified the URLs in > Shiro.ini to

Re: Shiro - Session Loss

2021-05-31 Thread Brian Demers
You have two SLF4J implementations on your class path, I’m guessing you need to remove SLF4J-simple. -Brian > On May 31, 2021, at 9:59 AM, alina.frey wrote: > > I have slf4j-log4j12-1.7.9.jar alongside log4j-1.2.17.jar. > Please see attached an image of all the libraries that are included in the

Re: Shiro - Session Loss

2021-05-28 Thread Brian Demers
Do you have the SLF4J log4j implementation on your class path? http://logging.apache.org/log4j/2.x/log4j-slf4j-impl/ -Brian > On May 28, 2021, at 3:28 PM, alina.frey wrote: > > I set up Shiro to the last working version: shiro-all-1.2.6.jar > Set logging to DEBUG, in log4j.properties: > > #

Re: Shiro - Session Loss

2021-05-27 Thread Brian Demers
With that log configuration, you should see Shiro log events every request. I’d suggest turning up that last one “ThreadContext” to at least debug as well. You can try to turn them up to “trace” as well. I’d suggest taking a step back and changing one thing at a time (this is still my go to

Re: Shiro - Session Loss

2021-05-25 Thread Brian Demers
Oh, a GWT app. My suggestion would be to turn up logging on both sides. I'm assuming that InvocationException has a cause. You set `org.apache.shiro` log level to DEBUG or TRACE, and you should be able to get more info. On Tue, May 25, 2021 at 3:04 PM alina.frey wrote: > I tried to pinpoint

Re: Shiro - Session Loss

2021-05-24 Thread Brian Demers
Release notes: https://shiro.apache.org/news.html (includes links to release notes) Diffs: https://github.com/apache/shiro/compare/shiro-root-1.2.6..shiro-root-1.3.2 Follow-ups: What is the error message that displays on your login page? What else changed in your application? Do you have a

Re: Re[4]: Subject login/logout in tests

2021-05-21 Thread Brian Demers
Alex Orlov wrote: > Yes, you are right. But what about the question — is it correct to use > subject login/logout in IT tests? > Not subject mock, but a real subject with real realm work? > > > -- > Best regards, Alex Orlov > > > > Friday, 21 May 2

Re: Re[2]: Subject login/logout in tests

2021-05-21 Thread Brian Demers
thread.»? I am saying that after calling > subject.login() subject is bound to thread and after subject.logout() > subject is unbound from thread. > > > -- > Best regards, Alex Orlov > > > > Thursday, 20 May 2021, 22:52 +03:00 from Brian Demers >: > > lo

Re: Subject login/logout in tests

2021-05-20 Thread Brian Demers
login and out do not bind the user to the thread. Typically I use the ThreadContext directly when I need to do anything with threading For example, mock a subject, and bind it to the thread:

Re: Shiro - Session Loss

2021-05-20 Thread Brian Demers
Responses inline: On Wed, May 19, 2021 at 5:31 PM alina.frey wrote: > 1. Anything in your logs? > If you are referring to Shiro logs, I don't know where they are recorded. > If you are referring to logs capture by my application, I do not see any of > the errors that would be thrown by the

Re: Shiro - Session Loss

2021-05-19 Thread Brian Demers
Anything in your logs? What happens when the user isn't able to login? Are they redirected back to the login page? Is your browser rejecting the cookie? (or is it sent back to the server on the next request?) On Wed, May 19, 2021 at 12:04 PM alina.frey wrote: > I will try to replace Shiro

Re: Manual shiro configuration - No realms have been configured!

2021-04-21 Thread Brian Demers
Shiro's Servlet Filter has a SecurityManager instance, which is configured from your INI file. Shiro also supports a "static" security manager for dealing with requests in your application that are NOT bound to a request thread (queues, thread pools, scheduled tasks, etc). Setting the "static"

Re: Strange issue on logout

2021-04-12 Thread Brian Demers
ly working setup as far as I > can tell. > > Thanks, > Dave > > On 4/8/2021 1:41 PM, Brian Demers wrote: > > Hi David! > > > > Can you try making sure session rewriting is disabled: > > > > securityManager.sessionManager.sessionIdUrlRewritingEnabled >

Re: Strange issue on logout

2021-04-08 Thread Brian Demers
Hi David! Can you try making sure session rewriting is disabled: securityManager.sessionManager.sessionIdUrlRewritingEnabled https://github.com/apache/shiro/blob/a85dfcd8629294cd1c6bc3cdd34cbebb94e09662/samples/servlet-plugin/src/main/webapp/WEB-INF/shiro.ini#L29 This could also be happening

Re: shiro 1.7.0 + spring beans

2020-12-21 Thread Brian Demers
No worries! If you figure it out let us know what it was. Someone else might stumble on the same problem, or it could lead us to improve something ;) On Mon, Dec 21, 2020 at 3:08 PM ry99 wrote: > Well, I'm feeling a little sheepish now, because as I was trying to make a > minimally viable

Re: shiro 1.7.0 + spring beans

2020-12-21 Thread Brian Demers
Can you create a simple sample project and stick it on GitHub? That might help us narrow down what is going on. On Sun, Dec 20, 2020 at 8:01 AM ry99 wrote: > Hi Folks, > I'm trying to use Shiro to protect a REST-based web service. I'm using > Spring 5.3.2 and Shiro 1.7.0, and following the

Re: How to build mock subject for test having certain permissions?

2020-12-05 Thread Brian Demers
Are you using a mock framework like Mockito or EasyMock? Here is an example that uses EasyMock (and still sets up the thread context): https://github.com/apache/shiro/blob/master/core/src/test/java/org/apache/shiro/test/ExampleShiroUnitTest.java On Sat, Dec 5, 2020 at 8:12 AM Alex Orlov wrote:

Re: Re[4]: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-24 Thread Brian Demers
.html#programmatic-configuration > > > -- > Best regards, Alex Orlov > > > > Tuesday, 24 November 2020, 1:55 +03:00 from Brian Demers < > brian.dem...@gmail.com>: > > Correct, > > Most of the time these methods would be transparently called via (Shiro's > INI fea

Re: Re[2]: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-23 Thread Brian Demers
> to init Realm → LifecycleUtils.init(realm); > to destroy SecurityManager → LifecycleUtils.destroy(securityManager); > > > -- > Best regards, Alex Orlov > > > > Saturday, 21 November 2020, 19:12 +03:00 from Brian Demers < > brian.dem...@gmail.com>: > > Shiro

Re: Shiro web + Spring -> No realms have been configured!

2020-11-23 Thread Brian Demers
Have you tried without setting those scopes? I would guess setting those scopes _shouldn't_ matter, as the default should be a Singleton. If that doesn't help can you create a simple project that reproduces the problem on GitHub? On Sat, Nov 21, 2020 at 5:38 PM Alex Orlov wrote: > Hello all, >

Re: Must Realm#onInit be called when SecurityManager is created manually?

2020-11-21 Thread Brian Demers
Shiro has "lifecycle" methods that can be plugged into a DI container. If you are not using a Shiro integration, you just need to call the `onInit` method directly. On Sat, Nov 21, 2020 at 6:11 AM Alex Orlov wrote: > Hello all, > > I have two security managers — web and default. When shiro

Re: Is it possible to use one SecurityRealm instance in two SecurityManagers?

2020-11-20 Thread Brian Demers
IIRC you _should_ be able to use the same SecurityManager for web and non-web requests. However, two different SecurityManagers with the same Realm may cause issues, especially if they are using caches. We have a Spring RMI example here:

Re: EnvironmentLoaderListener Error for shiro 1.2.2 on Weblogic 12c

2020-11-20 Thread Brian Demers
I think we are going to need a little more info. How are you deploying your application? Has the WAR/EAR changed between deployments, and if so what has changed? Have you diffed the contents? Is the `shiro-web` jar on your classpath? If not how was it getting loaded in with your previous

Re: Re[2]: How to clear thread after Subject.login()

2020-11-20 Thread Brian Demers
do subject.login(...) I don’t > manually bind > subject to thread. And I want to understand how to unbind thread after > subject.login(). > Or I understand something wrong? > > > -- > Best regards, Alex Orlov > > > > Friday, 20 November 2020, 18:48 +03:00 from Brian

Re: How to clear thread after Subject.login()

2020-11-20 Thread Brian Demers
What type of application are you building? For web applications Shiro can handle the Login (collecting of the username/password) and the thread binding for you, so you don't actually need to do that. (this all happens with the ShiroFilter, and associated chain) That said, if you do not want to

Re: Shiro Realm and Session thread-safety?

2020-11-10 Thread Brian Demers
Yes, they are, but that concern is up to the implementation of the cache/session impl. So if you have a custom implementation you will need to ensure that code is also thread safe. On Mon, Nov 9, 2020 at 4:46 PM Alex Orlov wrote: > Hi all, > > As I understand Shiro must be thread-safe.

Re: Re[4]: How to get all logged in Subjects

2020-11-07 Thread Brian Demers
Hey Alex, Sorry about giving you wrong info before, I forgot about that method. 1.) From the API point of view the SessionDAO is an implementation detail, and getting access to those details would require some casting. They are not part of the main API because not all SessionManagers would use

Re: Re[2]: How to get all logged in Subjects

2020-11-05 Thread Brian Demers
This isn't something Shiro covers directly, but it is possible with a little custom code. You could write a custom SessionDAO, or you could use an existing one, and just access the data store to query what you need. For example, if you used a DB, you could just query the DB. It should be similar with

Re: [ANNOUNCE][CVE-2020-17510] Apache Shiro 1.7.0 released

2020-11-04 Thread Brian Demers
A quick update, First, the Apache Shiro team wants to thank qianji @ OPPO ZIWU Cyber Security Lab for reporting the issue responsibly [0] Second, if you are NOT using Shiro’s Spring Boot Starter (`shiro-spring-boot-web-starter`), you must add the ShiroRequestMappingConfig auto

Re: Re[4]: Principal in Shiro

2020-11-04 Thread Brian Demers
so Principal is an actor. However, as > Shiro supports different security types, Shiro uses Principal as an actor’s > identifying attribute for generic approach. > > -- > Best regards, Alex Orlov > > Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers : > > The SO answer looks

Re: Re[2]: Principal in Shiro

2020-11-04 Thread Brian Demers
The SO answer looks pretty good to me, but it's pretty high level. You also need to take into account how they are used in context and naming conventions (e.g. Java has `java.security.principal`) A principal could be any object, it's commonly a String, i.e. a username or email address. These may

Re: Shiro 1.2.2

2020-10-29 Thread Brian Demers
Probably, but I'd strongly recommend updating Shiro. There have been a few security fixes since that release. On Thu, Oct 29, 2020 at 12:34 PM Indrajit57 wrote: > Hello, > > We are using Shiro V1.2.2 in our application. We are thinking of > updating > Java to 1.8. Will Shiro V1.2.2 > work

Re: I have nothing in web.xml, but shiro still bootstraps itself and protects resources defined in shiro.ini. Is this expected behavior?

2020-09-15 Thread Brian Demers
Thanks! On Tue, Sep 15, 2020 at 3:26 PM mbaron wrote: > I do have "shiro-servlet-plugin" in my Maven dependencies, so this > makes > sense. Thanks for the clarification. > > P.S. Recently I was looking for a Java security framework and stumbled upon > Shiro. I think it's brilliant. It's

Re: I have nothing in web.xml, but shiro still bootstraps itself and protects resources defined in shiro.ini. Is this expected behavior?

2020-09-15 Thread Brian Demers
Yup, this is expected if you are using the `shiro-servlet-plugin`. This module contains a web.xml fragment that is loaded automatically from your classpath. If you need more control you can use the `shiro-web` module directly and configure your web.xml (or equivalent) configuration. The

[ANNOUNCE][CVE-2020-13933] Apache Shiro 1.6.0 released

2020-08-17 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version 1.6.0. This security release contains 5 fixes since the 1.5.3 release [1] and is available for Download now [2]. CVE-2020-13933: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP

Re: why springmvc show exception:org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration Unsatisfied dependency expressed through field 'filterMap';

2020-07-08 Thread Brian Demers
Hi, Looks like it's a bug, and our test case missed it. I made a quick pull request to fix the issue if you want to try it out. https://github.com/apache/shiro/pull/244 Keep us posted! On Tue, Jul 7, 2020 at 8:01 PM 一直以来 <279377...@qq.com> wrote: > hi brian demers: > > i open

Re: why springmvc show exception:org.apache.shiro.spring.web.config.ShiroWebFilterConfiguration Unsatisfied dependency expressed through field 'filterMap';

2020-07-07 Thread Brian Demers
Can you include the full error message and stack trace? What does your code look like? On Tue, Jul 7, 2020 at 5:19 AM 一直以来 <279377...@qq.com> wrote: > 2020-07-07 17:06:56,149 ERROR > [org.springframework.web.context.ContextLoader] - Context initialization > failed >

[Announce] CVE-2020-11989: Authentication Bypass by Primary Weakness

2020-06-22 Thread Brian Demers
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. This issue was independently discovered by two different researchers: * Ruilin Yang of Tencent Security Xuanwu Lab * 淚笑 (leixiao)

Re: UnknownAccountException with LDAPRealm

2020-06-10 Thread Brian Demers
Okay, I see. Shiro doesn't provide an API for this. You would need to handle this additional query separately. You shouldn't need additional dependencies though, you can use javax.naming.ldap API directly. Does that help? -Brian On Wed, Jun 10, 2020 at 8:23 AM braus wrote: > Hi Brian, > >

Re: UnknownAccountException with LDAPRealm

2020-06-09 Thread Brian Demers
Not all realm implementations are able to determine if an account exists or not. For example, most remote user stores would return the same result if a user does not exist or the password was incorrect. And you may not want to propagate that type of exception to your end-users (to avoid leaking

Re: Shiro does not work with Java 9 modules.

2020-06-04 Thread Brian Demers
One user reported being able to use the `shiro-all` jar with JPMS. On Thu, Jun 4, 2020 at 6:52 AM sreenivas harshith wrote: > > Hi francois, > > Even without module-info.java file older jars should work fine with Java > 9 automatic Module resolution strategy to maintain compatibility with >

Re: Re[10]: onInit method on AuthenticatingRealm is called twice

2020-05-13 Thread Brian Demers
Thanks! On Wed, May 13, 2020 at 8:53 AM Alex Sviridov wrote: > Here it is — https://issues.apache.org/jira/browse/SHIRO-778 > > Best regards, Alex >

Re: Re[9]: onInit method on AuthenticatingRealm is called twice

2020-05-12 Thread Brian Demers
at org.apache.maven.cli.MavenCli.main(MavenCli.java:193) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(Delegati

Re: [DISCUSS] - Move to 2.0.0

2020-05-07 Thread Brian Demers
Thu, 7 May 2020, 04:13 Francois Papon, > wrote: > >> +1 >> >> Françoisfpa...@apache.org >> >> On 07/05/2020 at 00:28, Brian Demers wrote: >> >> I'd love to see the `shiro-all` module go away as part of 2.0, anyone >> have any objections? >

Re: Re[4]: onInit method on AuthenticatingRealm is called twice

2020-05-07 Thread Brian Demers
If people can’t use your modules, please, make their lives easier. > > Best regards, Alex > > > Thursday, 7 May 2020, 1:25 +03:00 from Brian Demers : > > Hi Alex, > > > 1-3.) > Do you also have the Shiro Servlet Filter configured? > > 4.) We don't currently gene

Re: [DISCUSS] - Move to 2.0.0

2020-05-06 Thread Brian Demers
I'd love to see the `shiro-all` module go away as part of 2.0, anyone have any objections? On Mon, May 4, 2020 at 4:32 AM sreenivas harshith wrote: > Some libs were broken from java 9 and above due to java 9 module system > and JDK internal APIs restrictions. Just wanted to check if shiro

Re: Re[2]: onInit method on AuthenticatingRealm is called twice

2020-05-06 Thread Brian Demers
uthenticationInfo(new UserEntity(), null , > getName()); > } > > } > > > 4) I tried to use shiro-core + shiro-web, but it seems to be impossible to > use > shiro modules in jpms environment, so, I had to take shiro-all. > > 5) By the way, I couldn’t find javado

Re: onInit method on AuthenticatingRealm is called twice

2020-05-05 Thread Brian Demers
It depends, we would need to see the full stack trace, it's unclear what is setting up your environment. How are you configuring Shiro? Also, I'd recommend against using the `shiro-all` and instead use `shiro-web` On Tue, May 5, 2020 at 7:01 PM Alex Sviridov wrote: > Hi all, > > I am just

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
rer > tokens anyway. Didn't mention this, though. Sorry. > > On Mon., 6 Apr. 2020 at 16:40, Brian Demers < > brian.dem...@gmail.com> wrote: > >> Personally I don't think Shiro should implement an Authorization Server, >> I think there is room for another project to im

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
Armando, I'm saying you could get access to a set of common data for a given user, which is fine for many apps, but it doesn't replace an application-specific user store for other use cases (for example complex user preferences). Shiro could make it easier to associate arbitrary attributes (or a

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
xpiryTime; > private String scope; > > @JsonProperty("token_type") > private static String TOKEN_TYPE = "bearer"; > > @JsonProperty("expires_in") > public Long expiresIn() { > return Duration.between(Instant.now(), expiryTime).getSecond

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
nanthrax.net>: >> >>> Yeah, it seems to be the same indeed. >>> >>> Regards >>> JB >>> >>> > On 5 Apr. 2020 at 13:38, Francois Papon >>> wrote: >>> > >>> > I found this one: >>> > >>>

Re: [DISCUSS] - Move to 2.0.0

2020-04-06 Thread Brian Demers
2020 at 13:38, Francois Papon >> wrote: >> > >> > I found this one: >> > >> > >> https://cwiki.apache.org/confluence/display/SHIRO/Version+2+Brainstorming >> > >> > It seems to be the same :) >> > >>

Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
Great point, often a realm would have access to this information from the same query when authenticating. Shiro wouldn't be able to replace a general user details store, but we should think about making it easier to expose it out of the box (without implementing a custom realm and principal type)

Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
nting this sort of thing quite a bit >> ourselves lately, we are no experts but there surely is a need not to >> reinvent the wheel every time >>> On 05 April 2020 at 12:32 Brian Demers wrote: >>> >>> This one? >>> >>> https://github

Re: [DISCUSS] - Move to 2.0.0

2020-04-05 Thread Brian Demers
This one? https://github.com/apache/shiro-site/blob/master/version-2-brainstorming.md -Brian > On Apr 4, 2020, at 8:28 PM, Les Hazlewood wrote: > > > I wrote a whole wiki page on 2.0 design changes, but I can't find it now > >> On Sat, Apr 4, 2020, 5:17 PM Brian

Re: [DISCUSS] - Move to 2.0.0

2020-04-04 Thread Brian Demers
+1 Off the top of my head we have (I'm sure there is more, but ): * Package name / artifact structure cleanup (breaking change, but minor impact) * Remove CAS modules * Replace deprecated code (or move to an implementation/private package, for anything still needed) * Support

Re: ModularRealmAuthorizer isPermitted implementation with multiple permissions to check

2020-03-31 Thread Brian Demers
> > If the public API permits it, it would be better to first go > realm-by-realm, then go for each permission which is not yet set to > true. > Agreed! > > Btw, the shiro code could use some comments. I wasn't aware that a > boolean[] is automatically OR'ed. > > Do we have an issue for this? =>

Re: ModularRealmAuthorizer isPermitted implementation with multiple permissions to check

2020-03-31 Thread Brian Demers
+1 It does look like there is some optimization we could do here. Even when there is multiple realms, we could check only the "failed" permissions on each subsequent realm. Same for `isPermittedAll` and any of the role or permission checks that take an array/collection. Thoughts? On Tue,
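One way to implement the realm-by-realm short-circuit proposed above, as an added example and not Shiro's own code: a hypothetical subclass of ModularRealmAuthorizer that asks each subsequent realm only about the permissions no earlier realm has already granted, and stops consulting realms once everything is granted. It assumes the public Shiro 1.x API (ModularRealmAuthorizer.getRealms(), the protected assertRealmsConfigured(), and Authorizer.isPermitted(PrincipalCollection, String...)); the class name ShortCircuitingRealmAuthorizer is invented for the example.

```java
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical subclass (example only, not part of Apache Shiro).
public class ShortCircuitingRealmAuthorizer extends ModularRealmAuthorizer {

    /**
     * Same result as the stock implementation (a permission is granted if ANY
     * realm grants it), but each realm is queried once, with only the
     * permissions that are still unresolved after the realms before it.
     */
    @Override
    public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
        assertRealmsConfigured();
        boolean[] granted = new boolean[permissions.length];
        int unresolved = permissions.length;

        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) {
                continue; // realm only authenticates; skip it as the stock code does
            }
            if (unresolved == 0) {
                break; // every permission already granted; no need to ask more realms
            }

            // Collect the permissions no earlier realm has granted, remembering
            // their positions so the realm's answers can be mapped back.
            String[] remaining = new String[unresolved];
            int[] positions = new int[unresolved];
            int n = 0;
            for (int i = 0; i < permissions.length; i++) {
                if (!granted[i]) {
                    remaining[n] = permissions[i];
                    positions[n] = i;
                    n++;
                }
            }

            boolean[] answers = ((Authorizer) realm).isPermitted(principals, remaining);
            for (int j = 0; j < n; j++) {
                if (answers[j]) {
                    granted[positions[j]] = true;
                    unresolved--;
                }
            }
        }
        return granted;
    }

    /** Derive the all-or-nothing check from the batched result above. */
    @Override
    public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
        for (boolean b : isPermitted(principals, permissions)) {
            if (!b) {
                return false;
            }
        }
        return true;
    }
}
```

The policy is unchanged: one permissive realm is still enough to grant a permission, so when reviewing a multi-realm deployment it is the union of realm grants, not the order of realms, that defines the effective privileges. What changes is only the number of realm round-trips, which matters when a realm backs authorization with a remote query.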

Re: [ANNOUNCE][CVE-2020-1957] Apache Shiro 1.5.2 released

2020-03-23 Thread Brian Demers
Correction, The first line should have read: > The Shiro team is pleased to announce the release of Apache Shiro version 1.5.2. Sorry for the cut/paste error - Brian On Mon, Mar 23, 2020 at 2:13 PM Brian Demers wrote: > The Shiro team is pleased to announce the release of Apache Shiro v

[ANNOUNCE][CVE-2020-1957] Apache Shiro 1.5.2 released

2020-03-23 Thread Brian Demers
The Shiro team is pleased to announce the release of Apache Shiro version 1.4.2. This security release contains 3 fixes since the 1.5.1 release and is available for Download now [1]. CVE-2020-1957: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a

Re: Shiro Session Management

2020-03-04 Thread Brian Demers
management, how could I configure the default properties for the majorities > of the cookies? From > > https://shiro.apache.org/web.html#Web-%7B%7BDefaultWebSessionManager%7D%7D > > > I deduced to: > > securityManager.sessionManager.cookie.maxAge > securityManager.

Re: No session creation throws DisabledSessionException when servlet dispatcher forwards to jsp page

2020-03-04 Thread Brian Demers
Do you have a stack trace? Is your servlet accessing the session? Do you have a snippet of how your servlet is doing the forwarding? On Wed, Mar 4, 2020 at 5:13 AM armandoxxx wrote: > I have even tried configuration for jsp page ... not luck > > > > Any help appreciated > > > > -- > Sent

Re: Shiro Session Management

2020-03-03 Thread Brian Demers
uthentication. From > that use case, I'm having issues with the first phase. Hence, I don't see > any point trying to get an authentication realm (JDBC, > ActiveDirecotory and/or LDAP) working which I'm more familiar with than > coding for valid Java sessions unfortunately. > >

Re: Shiro Session Management

2020-03-03 Thread Brian Demers
ID issue still persists: > > Request -> access log Filter -> security Filter (block or get valid > session) -> other filters -> mapped servlet (use session) > > The session ID is regenerated for subsequent page loads :( > > Thanks, > Tommy > > > >

Re: Shiro Session Management

2020-03-03 Thread Brian Demers
fault values > Load listeners > Map static files path (CSS, JS, images) to the default servlet > Load the servlets > Load the Shiro Filter first > Load other filters > Configure Thymeleaf > Thanks, > Tommy > > >> On Mon, Mar 2, 2020 at 5:52 PM Brian Demers wrot

Re: Shiro Session Management

2020-03-02 Thread Brian Demers
;>> 02-Mar-2020 01:30:37.708 INFO [Catalina-utility-2] >>> org.apache.catalina.startup.HostConfig.deployWAR Deployment of web >>> application archive [D:\apache-tomcat\webapps\erm.war] has finished in >>> [9,120] ms >>> 02-Mar-2020 01:30:41.838 INFO [h

Re: Shiro Session Management

2020-03-02 Thread Brian Demers
urityUtils.java:56) >>>> >>>> com.sointe.security.FilterSecurity.validateSession(FilterSecurity.java:225) >>>> com.sointe.security.FilterSecurity.doFilter(FilterSecurity.java:149) >>>> com.sointe.web.AppFilterChain.doFilter(AppFilterChain.j

Re: Shiro Session Management

2020-03-01 Thread Brian Demers
Are you creating a new security manager for each request? I’m not sure how you are using this logic, but you should let Shiro do all of this for you (via the ShiroFilter). -Brian > On Mar 1, 2020, at 2:43 PM, tommyhp2 wrote: > > Hi Brian, > > Thanks for the prompt feedback. Here's the

Re: Shiro Session Management

2020-03-01 Thread Brian Demers
Looks like the code was filtered out of the message? Can you try again or link to a gist? -Brian > On Mar 1, 2020, at 12:27 PM, tommyhp2 wrote: > > Hello everyone, > > I have a simple setup of Shiro. I have both Listener and Filter setup per > manual
