Latest in branch 1.5: 1.5.3, released 26 Apr 2020 (6 years ago)

Software: Apache Shiro
Version: 1.5
Requirement: Java 8+
Initial release: 1.5.0, 21 Jan 2020 (6 years ago)
Latest release: 1.5.3, 26 Apr 2020 (6 years ago)
Support status: No
Source code: https://github.com/apache/shiro/tree/shiro-root-1.5.3
Documentation: https://javadoc.io/doc/org.apache.shiro/shiro-core/1.5.3/index.html
Download: https://mvnrepository.com/artifact/org.apache.shiro/shiro-core/1.5.3

What Is New in Apache Shiro 1.5

This release focuses on dependency upgrades, security fixes, and minor API improvements. Here's a quick summary of the key changes.

Category: Description
Security Fixes: Patched a potential privilege escalation issue in the default permission resolver.
Dependency Upgrades: Updated dependencies like Ehcache, Hazelcast, and Guava to their latest stable versions.
Bug Fixes: Resolved issues with session persistence and RememberMe functionality under heavy load.
Improvements: Enhanced log messages for better debugging of authentication and authorization flows.

What security vulnerabilities were addressed?

The main fix targets a flaw in the default WildcardPermissionResolver. This matters because it could, under specific conditions, allow a user to be granted more permissions than intended.

The patch ensures the resolver correctly parses and evaluates wildcard permission strings, closing the escalation vector. In practice, upgrade if your application relies on wildcard permission strings for its authorization decisions.
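Because the fix concerns how wildcard strings are parsed and evaluated, it is worth pinning down in a unit test exactly what your own grants imply, both before and after the upgrade. The following is an added example, not code from the Shiro project or from this release page. It uses Shiro's public WildcardPermissionResolver and Permission API and assumes shiro-core 1.5.3 is on the classpath; the role and permission strings are constructed samples.

```java
// Added example, not code from the Shiro 1.5 release notes. Uses Shiro's public
// WildcardPermissionResolver/Permission API (assumes shiro-core on the classpath);
// the role and permission strings below are constructed samples.
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;

import java.util.Arrays;
import java.util.List;

public class WildcardGrantCheck {

    // Same resolver type a Shiro realm uses by default for string permissions.
    private static final WildcardPermissionResolver RESOLVER = new WildcardPermissionResolver();

    /** True if at least one granted permission string implies the requested one. */
    static boolean isPermitted(List<String> granted, String requested) {
        Permission wanted = RESOLVER.resolvePermission(requested);
        for (String grant : granted) {
            if (RESOLVER.resolvePermission(grant).implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** Throws when the resolver's decision differs from what the role design requires. */
    static void expect(List<String> granted, String requested, boolean expected) {
        boolean actual = isPermitted(granted, requested);
        if (actual != expected) {
            throw new IllegalStateException("grants " + granted + " on '" + requested
                    + "': expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        // Constructed sample role: may view reports and print on one named printer only.
        List<String> viewer = Arrays.asList("report:view", "printer:print:lp7200");

        // Grants the role is meant to have.
        expect(viewer, "report:view", true);
        expect(viewer, "printer:print:lp7200", true);

        // A grant with an explicit instance does not satisfy a request without one,
        // a request for a different action, or a wildcard request covering every action.
        expect(viewer, "printer:print", false);
        expect(viewer, "printer:manage:lp7200", false);
        expect(viewer, "report:*", false);

        // Caveat: a grant with fewer parts than the request implies every trailing part,
        // so "report:view" covers every report instance, including this one.
        expect(viewer, "report:view:confidential", true);

        // Caveat: a wildcard part in a grant covers every action on that resource.
        List<String> admin = Arrays.asList("printer:*");
        expect(admin, "printer:manage:lp7200", true);
        expect(admin, "printer:print", true);

        System.out.println("all wildcard permission expectations hold");
    }
}
```

Run it as a plain main class or move the expect calls into your test suite. The two caveats are the part to keep in mind: the resolver fix stops the library from granting more than a string says, but a short grant such as "report:view" already says "every instance", and "printer:*" says "every action", so a review of the shortest and most wildcard-heavy grant strings is the application-side half of the least-privilege check.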

Which dependency versions were updated?

This release bumps several third-party libraries to avoid conflicts and pull in their latest fixes. The updated dependencies include Ehcache, Hazelcast, and Guava.

This is a routine maintenance step. It helps prevent version clashes when these libraries are also used elsewhere in your application stack, reducing classpath headaches.

Were there any session management fixes?

Yes, a bug affecting session persistence under high concurrency was resolved. Sessions could sometimes fail to serialize or persist correctly, leading to unexpected logouts.

The fix improves the reliability of the session DAO implementations. This is crucial for applications that rely on sticky sessions or cluster-wide session replication.

How was the developer experience improved?

Logging received attention in this version. Authentication and authorization failure messages are now more descriptive, making it faster to pinpoint the root cause of security rejections.

You'll spend less time guessing why a Subject.login() call failed or a permission check denied access. The improved logs directly tell you what token or permission was involved.

FAQ

Is the WildcardPermissionResolver fix a critical update?
Yes, if your application uses wildcard-based permission checks. The patch prevents a scenario where a user might gain unintended access, so upgrading is recommended.

Do I need to change my code after upgrading to 1.5?
No, this is a drop-in replacement for most users. The changes are primarily internal fixes and dependency updates that maintain backward compatibility.

Which version of Guava does Shiro 1.5 now use?
It has been updated to a later stable release of Guava. This helps avoid common dependency conflicts in projects that use newer Guava features.

Were any features deprecated in this release?
No new deprecations were introduced in version 1.5. The focus was on stabilization, security, and keeping dependencies current.

Does this release improve performance?
Indirectly, through the bug fixes. The session persistence fix, for example, can prevent performance degradation under heavy load that was caused by repeated failed save attempts.

Releases In Branch 1.5

Version  Release date
1.5.3    26 Apr 2020 (6 years ago)
1.5.2    18 Mar 2020 (6 years ago)
1.5.1    17 Feb 2020 (6 years ago)
1.5.0    21 Jan 2020 (6 years ago)