Latest in branch 1.2: 1.2.6, released 28 Jun 2016 (9 years ago)
Software: Apache Shiro
Version: 1.2
Requirement: Java 5+
Initial release: 1.2.0, 20 Jan 2012 (14 years ago)
Latest release: 1.2.6, 28 Jun 2016 (9 years ago)
Support status: not supported
Source code: https://github.com/apache/shiro/tree/shiro-root-1.2.6
Documentation: https://javadoc.io/doc/org.apache.shiro/shiro-core/1.2.6/index.html
Download: https://mvnrepository.com/artifact/org.apache.shiro/shiro-core/1.2.6

What Is New in Apache Shiro 1.2

This release delivers crucial security patches, significant internal refactoring, and a host of new features that make Shiro more robust and developer-friendly.

Category / Key changes
Security: CVE-2014-0074 (LDAP authentication bypass with an empty username or password, fixed in 1.2.3) and CVE-2016-4437 (RememberMe cookie deserialization using the default cipher key that shipped inside the library, fixed in 1.2.5).
New Features: ConcurrentSessionController, enhanced RunAs functionality, Ant-style path matching for URL filter chains.
Improvements: Large internal refactoring, a more specific exception hierarchy, upgraded dependencies.
Bug Fixes: RememberMe, session validation and expiration, and LDAP realm fixes.

What security vulnerabilities were addressed?

The 1.2 branch closed two security issues, neither of them in 1.2.0 itself. CVE-2014-0074 (fixed in 1.2.3): with an LDAP realm pointed at a directory that permits unauthenticated binds, a login with an empty username or empty password could be accepted as successful, so an attacker could authenticate as a known user without that user's password. CVE-2016-4437 (fixed in 1.2.5): the RememberMe cookie is an AES-encrypted, Java-serialized principal collection, and releases up to 1.2.4 encrypted it with a fixed default key compiled into the library. Anyone who knows that key can encrypt an attacker-controlled serialized object, present it as a rememberMe cookie, and have the server deserialize it, which leads to remote code execution when a usable gadget chain is on the classpath.

In practice, 1.2.0 through 1.2.4 should be treated as exploitable out of the box on any deployment that left the RememberMe key at its default. 1.2.6 is the last release of the branch and the branch is no longer supported, so the upgrade target is a current 1.x release, not 1.2.x. Whatever version you run, set your own RememberMe cipherKey: from 1.2.5 Shiro generates a random key when none is configured, which closes the hole, but the cookie is still Java serialization, so the secrecy of that key is the whole defence.
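The key-handling change behind CVE-2016-4437, as an added example (this is not code from the Apache Shiro project or from this page). It assumes shiro-core 1.2.5 or later on the classpath; the class and method names are ours, and the only Shiro calls used are AesCipherService.generateNewKey(), Base64.encodeToString() and Base64.decode(). It generates a key the way the RememberMe manager would, emits the INI line that pins it, and checks a key supplied from outside the code base for a valid AES length before it is handed to Shiro.

```java
// Added example (not code from the Apache Shiro project or from this page).
// Assumes shiro-core 1.2.5 or later; class and method names are ours.
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;

public class RememberMeKeyExample {

    /** Generate a fresh AES key with the same cipher service the RememberMe manager uses. */
    public static String newBase64CipherKey() {
        AesCipherService aes = new AesCipherService();   // 128-bit keys by default
        Key key = aes.generateNewKey();
        return Base64.encodeToString(key.getEncoded());
    }

    /**
     * Decode a key supplied from outside the code base (environment variable, vault)
     * and reject anything that is not a valid AES key length. Failing here is better
     * than failing inside Shiro the first time a rememberMe cookie is encrypted.
     */
    public static byte[] loadCipherKey(String base64) {
        byte[] key = Base64.decode(base64);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException(
                    "rememberMe cipherKey must be 16, 24 or 32 bytes, got " + key.length);
        }
        return key;
    }

    public static void main(String[] args) {
        // Run once, store the output in your secret store, and reference it from config.
        // Never take the value from documentation or from the library's old built-in
        // default: before 1.2.5 every Shiro deployment shared that key (CVE-2016-4437).
        String key = newBase64CipherKey();
        System.out.println("[main]");
        System.out.println("securityManager.rememberMeManager.cipherKey = " + key);

        // The same key arriving from the environment at startup is validated first.
        byte[] raw = loadCipherKey(key);
        System.out.println("key length in bytes: " + raw.length);
    }
}
```

The `cipherKey` property in shiro.ini takes the base64 string directly. Every node of a cluster needs the same value, or remember-me cookies issued by one node will not validate on another; and if the key was ever committed to source control, rotate it, because rotation is the only way to invalidate cookies forged with the leaked value.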

What new features should I start using?

This release introduced the ConcurrentSessionController, a new interface for controlling concurrent logins. You can now implement custom logic to handle scenarios like limiting one session per user.

The RunAs functionality was also enhanced, making it easier for code to temporarily execute with a different identity: Subject.runAs(PrincipalCollection) pushes the new identity, releaseRunAs() pops it, and isRunAs() and getPreviousPrincipals() tell you which state you are in. Two things to keep in mind: only a Subject that already has an identity may assume another one, and Shiro performs no authorization check of its own on the switch; whether the caller may impersonate the target is an application-defined permission that you must check before calling runAs. URL filter chains (the [urls] section) match request paths with Ant-style patterns (?, *, **) and are evaluated in declaration order, first match wins, so specific patterns go before broad ones and a catch-all such as /** = authc goes last.

How has the internal architecture improved?

The team undertook a large internal refactoring effort. This cleaned up the core architecture, making the codebase more modular and easier to maintain long-term. For developers this means a more stable foundation and fewer hidden bugs.

They also reworked the exception hierarchy. You'll now find more specific and informative exception types (for example UnknownAccountException, IncorrectCredentialsException, LockedAccountException and ExcessiveAttemptsException under AuthenticationException), which makes debugging authentication and authorization failures much simpler. One caution: that specificity belongs in your logs, not in the HTTP response, or the login form becomes a username oracle. Dependencies such as Ehcache and Quartz were also updated to newer stable releases.
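The two Subject-level points above, the exception hierarchy and RunAs, in one added example (this is not code from the Apache Shiro project or from this page). It assumes shiro-core 1.2.x on the classpath. The in-memory INI realm, the user names and passwords, and the user:impersonate:<name> permission are our own constructions; "iniRealm" is the name IniSecurityManagerFactory assigns to the realm it builds from [users] and [roles]. The login helper maps every authentication failure to one of two generic messages and logs the specific type, and the impersonation helper checks an application permission before runAs and always releases in a finally block.

```java
// Added example (not code from the Apache Shiro project or from this page).
// Assumes shiro-core 1.2.x; the realm contents and the impersonate permission are ours.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class SubjectExample {

    // Constructed realm: alice may impersonate anyone but cannot read reports herself;
    // bob can read reports and nothing else.
    static final String INI =
            "[users]\n" +
            "alice = alice-pw, admin\n" +
            "bob = bob-pw, user\n" +
            "[roles]\n" +
            "admin = user:impersonate:*\n" +
            "user = report:read\n";

    static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }

    /**
     * Authenticate and collapse Shiro's specific exception types into two user-facing
     * messages. Unknown account and wrong password produce the same text, so the
     * response cannot be used to enumerate usernames; the specific type goes to the log.
     */
    static String login(Subject subject, String username, String password) {
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "ok";
        } catch (DisabledAccountException e) {       // also covers LockedAccountException
            log(username, e);
            return "account unavailable";
        } catch (ExcessiveAttemptsException e) {
            log(username, e);
            return "account unavailable";
        } catch (AuthenticationException e) {        // unknown account, bad or expired credentials, ...
            log(username, e);
            return "invalid username or password";
        }
    }

    /** Run as another user only after an explicit authorization check, and always release. */
    static boolean canReadReportsAs(Subject subject, String target) {
        // Shiro does not authorize the identity switch itself; this check is the application's job.
        subject.checkPermission("user:impersonate:" + target);
        PrincipalCollection targetPrincipals = new SimplePrincipalCollection(target, "iniRealm");
        subject.runAs(targetPrincipals);
        try {
            return subject.isPermitted("report:read");   // evaluated against the target's grants
        } finally {
            subject.releaseRunAs();   // without this, the run-as identity outlives the call
        }
    }

    static void log(String username, AuthenticationException e) {
        System.err.println("login failed for '" + username + "': " + e.getClass().getSimpleName());
    }

    public static void main(String[] args) {
        bootstrap();
        Subject subject = SecurityUtils.getSubject();
        System.out.println(login(subject, "alice", "wrong-pw"));   // invalid username or password
        System.out.println(login(subject, "nobody", "wrong-pw"));  // identical message
        System.out.println(login(subject, "alice", "alice-pw"));   // ok
        System.out.println(subject.isPermitted("report:read"));    // false: alice's own grants
        System.out.println(canReadReportsAs(subject, "bob"));      // true: bob's grants
        System.out.println(subject.isRunAs());                     // false: released in finally
        System.out.println(subject.getPrincipal());                // alice
        subject.logout();
    }
}
```

Note that runAs throws IllegalStateException if the Subject has no identity yet, and that the pushed identity is stored in the Subject's session, which is why the release in finally matters: in a web application a forgotten releaseRunAs would make later requests on the same session act as the impersonated user.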

Were there any notable bug fixes?

Absolutely. Several persistent issues were squashed. RememberMe handling was fixed across the branch, most importantly the removal of the shared default cipher key in 1.2.5 (CVE-2016-4437). Session management, particularly validation and expiration, was improved.

LDAP support received the CVE-2014-0074 fix in 1.2.3: an LDAP realm now refuses to bind with a blank username or password, so a directory that permits unauthenticated binds can no longer be used to log in as an existing user with an empty password. These fixes make Shiro more dependable in enterprise environments that rely on directory services.

FAQ

Is the CVE-2016-4437 fix backward compatible?
At the API level, yes: no public signatures changed. Behaviour does change, by design. From 1.2.5 a RememberMe manager with no configured cipherKey generates a random key each time it is instantiated, so remember-me cookies issued before the upgrade stop validating, and a clustered deployment, or one that must keep cookies valid across restarts, has to set an explicit key that you generate yourself. The CVE-2014-0074 fix in 1.2.3 is likewise a deliberate behaviour change: an LDAP realm rejects a blank username or password before binding instead of letting an unauthenticated bind count as a login.

How do I implement the new ConcurrentSessionController?
You need to implement the new interface and then configure it in your Shiro security configuration. The release doesn't provide a default implementation out-of-the-box, so you have to build your own session control logic.

Does the Ant-style path matcher replace a regex matcher?
There is no regex matcher to replace. Shiro's URL filter chains have always been matched with AntPathMatcher (?, *, **); the matcher behind PathMatchingFilterChainResolver is pluggable through the PatternMatcher interface via setPathMatcher, so different semantics are possible, but the stock behaviour is Ant-style, evaluated in declaration order with the first match winning.
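The ordering rule, as an added example (this is not code from the Apache Shiro project or from this page). It assumes shiro-core 1.2.x on the classpath and uses Shiro's own AntPathMatcher; the chain definitions are constructed to mirror a [urls] section, and the resolve() method is our re-statement of the first-match rule, not PathMatchingFilterChainResolver itself. The last case shows the mistake worth testing for: a broad pattern declared first silently shadows every chain after it.

```java
// Added example (not code from the Apache Shiro project or from this page).
// Assumes shiro-core 1.2.x; the chain definitions below are constructed for illustration.
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.util.AntPathMatcher;
import org.apache.shiro.util.PatternMatcher;

public class UrlChainOrderExample {

    /** Chain definitions in declaration order, as a [urls] section would list them. */
    static Map<String, String> chains() {
        Map<String, String> urls = new LinkedHashMap<String, String>();
        urls.put("/admin/**", "authc, roles[admin]");
        urls.put("/api/v1/*/export", "authc, perms[report:export]");
        urls.put("/login", "authc");
        urls.put("/static/**", "anon");
        urls.put("/**", "authc");   // catch-all last: anything not listed above still needs a login
        return urls;
    }

    /** First declared pattern that matches wins; null means no chain, i.e. the request is unfiltered. */
    static String resolve(Map<String, String> urls, String path) {
        PatternMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> e : urls.entrySet()) {
            if (matcher.matches(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> urls = chains();
        System.out.println(resolve(urls, "/admin/users"));          // authc, roles[admin]
        System.out.println(resolve(urls, "/api/v1/42/export"));     // authc, perms[report:export]
        System.out.println(resolve(urls, "/api/v1/42/43/export"));  // authc: a single * stays within one segment
        System.out.println(resolve(urls, "/static/app.js"));        // anon
        System.out.println(resolve(urls, "/anything/else"));        // authc: the catch-all

        // The ordering mistake: the broad pattern first, so the admin chain is unreachable.
        Map<String, String> shadowed = new LinkedHashMap<String, String>();
        shadowed.put("/**", "anon");
        shadowed.put("/admin/**", "authc, roles[admin]");
        System.out.println(resolve(shadowed, "/admin/users"));      // anon

        // No catch-all at all: unlisted paths get no chain and pass straight through.
        Map<String, String> open = new LinkedHashMap<String, String>();
        open.put("/admin/**", "authc, roles[admin]");
        System.out.println(resolve(open, "/internal/metrics"));     // null
    }
}
```

A quick review check for any [urls] section is to walk it top to bottom with a handful of representative paths exactly as this does: every path that should be protected must hit a chain containing authc or an authorization filter before it can reach a broader anon pattern, and the last line should be a catch-all so that an unlisted path never resolves to null.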

Were any dependencies removed in this release?
No major dependencies were removed. The focus was on upgrading existing ones (like Ehcache and Quartz) to newer, stable versions to benefit from their fixes and improvements.

Should I be concerned about the massive refactoring?
Not at all. The refactoring was largely internal. The public APIs remained stable, so your application code shouldn't break. The changes result in a cleaner, more maintainable codebase which is better for everyone in the long run.

Releases In Branch 1.2

Version  Release date
1.2.6  28 Jun 2016 (9 years ago)
1.2.5  19 May 2016 (10 years ago)
1.2.4  08 Jul 2015 (10 years ago)
1.2.3  25 Feb 2014 (12 years ago)
1.2.2  11 May 2013 (13 years ago)
1.2.1  25 Jul 2012 (13 years ago)
1.2.0  20 Jan 2012 (14 years ago)