Latest in branch 1.13: 1.13.0, released 31 Oct 2023 (2 years ago)

Software: Apache Shiro
Version: 1.13
Requirement: Java 8+
Initial release: 1.13.0, 31 Oct 2023 (2 years ago)
Latest release: 1.13.0, 31 Oct 2023 (2 years ago)
Support status: No
Source code: https://github.com/apache/shiro/tree/shiro-root-1.13.0
Documentation: https://javadoc.io/doc/org.apache.shiro/shiro-core/1.13.0/index.html
Download: https://mvnrepository.com/artifact/org.apache.shiro/shiro-core/1.13.0
Apache Shiro 1.13 Releases

What Is New in Apache Shiro 1.13

This release focuses on dependency upgrades, security fixes, and a few API improvements to keep the framework stable and compatible with modern Java environments.

Category: Key Changes
Security Updates: Addresses a potential authorization bypass in the WildcardPermission string parser.
Dependency Upgrades: Updates for Guava, Jackson, and various testing libraries (JUnit, Mockito).
Bug Fixes: Fixes for session handling and configuration loading.
New Features / Improvements: Added a SessionDAO implementation for Apache Ignite and a new ThreadContext method.

What security issue was fixed in the permission parser?

The main security fix resolves an authorization bypass in the WildcardPermission string parsing logic. The previous parser could incorrectly evaluate certain permission strings, potentially granting access where it should be denied. This is a core fix for Shiro's authorization checks.

In practice, you should update if your application uses Shiro's WildcardPermission for granular access control. The fix ensures the logical operators in permission strings are evaluated correctly every time.
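One way to do that review is to pin down how your permission strings are expected to resolve and re-run the table before and after the upgrade. The following is an added example, not code from this page or the Shiro project; the permission strings are constructed samples, and only the public WildcardPermission constructor and implies() are used.

```java
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example (not from the Shiro project): a regression table of expected
// WildcardPermission decisions. Run it against both the old and the new Shiro
// release; any mismatch means an authorization decision changed and needs review.
public class WildcardPermissionCheck {

    /** One expectation: does the granted permission string imply the requested one? */
    static final class Case {
        final String granted, requested; final boolean expected;
        Case(String granted, String requested, boolean expected) {
            this.granted = granted; this.requested = requested; this.expected = expected;
        }
    }

    // Constructed samples in the domain:action:instance layout. ':' separates
    // levels, ',' is OR within a level, '*' matches any value at that level.
    static final Case[] CASES = {
        new Case("printer:print,query", "printer:print", true),
        new Case("printer:print,query", "printer:manage", false),
        new Case("printer:*", "printer:print:lp7200", true),
        new Case("printer:*:lp7200", "printer:query:lp7200", true),
        new Case("printer:*:lp7200", "printer:query:lp7201", false),
        // a shorter granted string implies any longer request with the same prefix
        new Case("printer", "printer:print:lp7200", true),
        new Case("printer:print", "printer:print:lp7200", true),
        // a longer (narrower) granted string must not imply a shorter, broader request
        new Case("printer:print", "printer", false),
        new Case("printer:print:lp7200", "printer:print", false),
        // an unrelated domain is never implied
        new Case("printer:*", "scanner:scan", false),
    };

    /** Evaluates every case and returns the number of mismatches (0 means the table holds). */
    static int runChecks() {
        int failures = 0;
        for (Case c : CASES) {
            boolean actual = new WildcardPermission(c.granted)
                    .implies(new WildcardPermission(c.requested));
            if (actual != c.expected) {
                failures++;
                System.out.printf("MISMATCH: \"%s\" implies \"%s\" -> %b (expected %b)%n",
                        c.granted, c.requested, actual, c.expected);
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        int failures = runChecks();
        System.out.println(failures == 0 ? "all permission checks hold" : failures + " mismatch(es)");
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Extend CASES with the real permission strings from your realm and the requests your code makes, so the table reflects the decisions your application actually depends on.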

Which dependencies got upgraded and why does it matter?

Shiro 1.13 bumps versions for several key libraries. Guava is updated to address older CVEs. Jackson is upgraded for better compatibility and performance. Testing libraries like JUnit and Mockito are also updated.

These upgrades reduce warnings and potential conflicts when integrating Shiro into projects that already use newer versions of these common libraries. It keeps your build clean and secure without forcing downgrades.

Are there any new storage options for sessions?

Yes, this release introduces an official SessionDAO implementation for Apache Ignite. If your architecture uses Ignite as a distributed data grid, you can now use it as a clustered session store for Shiro web sessions.

This provides another proven option for scaling session state across multiple application instances, which is a common need in microservices and high-availability deployments.

What improvements were made to ThreadContext?

A new static method, ThreadContext.remove(), was added. This provides a cleaner, more intuitive way to clear all state (like subject and security data) bound to the current thread.

Before, you might have called ThreadContext.clear() or manually removed keys. This method offers a straightforward alternative that's easier to read and maintain in your code.

FAQ

Is the WildcardPermission fix a critical update?
Yes, if you use wildcard permissions for authorization. The fix prevents a logic flaw that could incorrectly allow access. Review your permission strings and test after upgrading.

Do I need to change my code for the new ThreadContext.remove() method?
No, it's additive. Your existing ThreadContext.clear() calls will still work. The new method is just a convenience alias.

Will updating Shiro break my existing dependencies like Guava?
It shouldn't. The upgrades are to common, later versions. If your project already uses a newer Guava, Shiro now aligns with it, reducing conflict risk.

How do I use the new Apache Ignite SessionDAO?
Configure it in your Shiro sessionManager settings. You'll need the Ignite libraries on your classpath. Check the Shiro documentation or the module's source for configuration examples.

Are there any breaking API changes in 1.13?
No major breaks are highlighted. The release focuses on fixes, security, and compatibility. As always, test your application after upgrading any library.

Releases In Branch 1.13

Version: Release date
1.13.0: 31 Oct 2023 (2 years ago)