Last checked and updated on 09 Jun 2026
What Is New in Apache Shiro 1.0
Apache Shiro 1.0 is the project's first official stable release, marking its transition from a legacy codebase (formerly JSecurity) into a mature, top-level Apache project. This version establishes the core API that would define the framework for years to come.
| Category | Description |
|---|---|
| Project Status | First official stable release as an Apache Top-Level Project (TLP) |
| Core Foundation | Establishes the definitive Shiro API for authentication, authorization, and session management |
| Packaging | Initial release of the core shiro-core module |
Why is Apache Shiro 1.0 a major milestone?
This release is significant because it represents the project's graduation from the Apache Incubator. The 1.0 designation signals API stability and production readiness, giving developers confidence to build on it. In practice, this meant the core concepts like Subject, SecurityManager, and Realm were now solidified.
The move from the old JSecurity name and package structure to Apache Shiro was a huge step for community adoption. It wasn't just a rename; it was a full migration into the Apache ecosystem, which improved development processes and user support.
What core security features does Shiro 1.0 provide?
Shiro 1.0 delivers a complete Java security framework centered around four key areas. The API simplifies complex security operations that were traditionally cumbersome in Java EE.
Authentication
It provides a clean API for user login, supporting multiple data sources through the Realm concept. You could easily plug in LDAP, JDBC, or custom realms without the container dependencies you'd have with JAAS.
Authorization
The framework offers both role-based and permission-based access control. The permission syntax was intuitive, using wildcard patterns like printer:query:lp7200 for fine-grained control.
Session Management
Shiro provided its own session management that worked in any environment, including standalone applications and web apps. This was a big deal because it abstracted away the HTTP-only session limitations.
Cryptography
Simple abstractions for hashing and encryption were included out of the box. The CredentialsMatcher system made password comparison secure and customizable.
How does the packaging work in this initial release?
The 1.0 release focused on delivering a stable core module. This was a deliberate design choice to keep the foundation rock-solid before adding more specialized components in future versions.
The shiro-core module contained all the essential classes needed for most security operations. You could add it to any Java project with minimal dependencies, which made adoption straightforward compared to heavier alternatives.
FAQ
Is Apache Shiro 1.0 compatible with the old JSecurity codebase?
No, this release involved package name changes from JSecurity to Apache Shiro. You would need to update imports and configuration files when migrating from the legacy JSecurity project.
Does Shiro 1.0 require a Java EE container?
No, one of Shiro's main advantages is that it works in any environment - web applications, standalone Java apps, and even simple command-line tools without any container dependencies.
What are the minimum requirements to run Shiro 1.0?
It requires Java 5 or higher and has minimal dependencies, making it easy to integrate into existing projects without dependency conflicts.
Can I use Shiro 1.0 for web application security?
Yes, but you would need to configure the Shiro filter in your web.xml manually. The dedicated web module with easier setup came in later releases.
How does Shiro 1.0 handle password hashing?
It provides built-in support for hashing with salts through its HashService and CredentialsMatcher interfaces, making secure password storage much easier to implement correctly.