What Is New in Apache Shiro 1.3
This release focuses on dependency upgrades and key bug fixes to improve stability. Here's a quick summary of the changes.
| Category | Description |
|---|---|
| Dependency Upgrades | Updated dependencies like Ehcache and Spring to newer, compatible versions. |
| Bug Fixes | Resolved issues with RememberMe services and session timeouts. |
| Documentation | Minor fixes and clarifications in the reference documentation. |
What dependencies were upgraded in Shiro 1.3?
The core of this release is updating third-party libraries to prevent conflicts in modern applications. We moved Ehcache to 2.10.6 and Spring to 4.3.20.RELEASE.
In practice, this means your project is less likely to run into version clashes if you're using these libraries elsewhere. The updates are backward compatible, so you shouldn't see any breaking changes from Shiro's side.
Were there any critical bug fixes?
Yes, a notable fix was for the RememberMe functionality. There was a bug where the RememberMe service wasn't correctly using the global session timeout setting, falling back to a default instead.
This matters because it could lead to unexpectedly short or long-lived RememberMe sessions for users. The fix ensures the configured globalSessionTimeout value is now properly respected.
Is there anything deprecated I should know about?
This particular point release doesn't introduce new deprecations. It's primarily a maintenance update focused on stability and compatibility.
Always check the official documentation for the latest on deprecated features, but for 1.3.2, you're clear to upgrade without rewriting code for deprecated APIs.
FAQ
Is upgrading to Shiro 1.3.2 a breaking change?
No, it's a minor patch release. The changes are backward compatible, focusing on dependency updates and bug fixes. Your existing configuration and code should work without modification.
Why did the Ehcache upgrade matter?
Using an older Ehcache version could cause conflicts if another part of your application requires a newer one. This upgrade aligns Shiro with a more commonly used version, reducing dependency hell.
What was the exact RememberMe bug that was fixed?
The AbstractRememberMeManager was ignoring the globally configured session timeout. It now correctly uses the globalSessionTimeout value from your session manager, making session persistence behavior consistent and predictable.
Does this release contain any new security vulnerabilities?
No, this release does not introduce any new security vulnerabilities. It is a safe upgrade that includes routine maintenance.
Where can I see the full list of changes?
The complete change list is available in the official release notes on GitHub. It includes all commit messages and issue references.