Latest in branch 1.6: 1.6.0, released 11 Aug 2020

Software: Apache Shiro
Version: 1.6
Requirement: Java 8+
Initial release: 1.6.0 (11 Aug 2020)
Latest release: 1.6.0 (11 Aug 2020)
Support status: No
Source code: https://github.com/apache/shiro/tree/shiro-root-1.6.0
Documentation: https://javadoc.io/doc/org.apache.shiro/shiro-core/1.6.0/index.html
Download: https://mvnrepository.com/artifact/org.apache.shiro/shiro-core/1.6.0

What Is New in Apache Shiro 1.6

Shiro 1.6.0 is a maintenance release on the 1.x line whose headline item is a fix for an authentication bypass, CVE-2020-13933. Here's a quick summary of the main points. Several changes commonly attributed to 1.6 (2023-era dependency versions, Jakarta EE 10 support, a 2023 CVE) postdate this August 2020 release by years; the table notes where they actually belong.

Category: Key Changes
Security: Authentication bypass fix (CVE-2020-13933); a specially crafted HTTP request could slip past the URL filter chain of versions before 1.6.0
Requirements: Java 8 or later
Hashing: Any JCA digest name works via hashAlgorithmName, including SHA3-224/256/384/512 on a Java 9+ JVM; Shiro resolves the name through java.security.MessageDigest rather than shipping SHA-3 classes
Dependencies: Guava 32.0.0, Jackson 2.15.0, Jedis 4.4.0 and SLF4J 2.0 were released in 2022-2023 and cannot have shipped in 1.6.0; they belong to later releases
Jakarta EE: Not in 1.6; Jakarta EE 10 itself dates from September 2022, and Jakarta-namespace support belongs to later Shiro releases
Deprecated: Apache Felix support and older crypto hashes marked for removal

Why did Apache Shiro 1.6 change its Java version requirement?

Shiro 1.6 requires Java 8 or later; older runtimes such as Java 7 are not supported on this line. The Java 8 baseline lets the framework use modern language features and APIs and keeps it compatible with current libraries.

In practice, this means your deployment JVM must be at least Java 8. Treat that as the floor rather than the target: some capabilities depend on a newer JDK. The SHA3-* digests, for instance, are only present in the JDK's default security providers from Java 9 onward, so hashAlgorithmName = SHA3-256 fails on a stock Java 8 runtime.

What security fixes are included in this release?

The headline security fix addresses an authentication bypass (CVE-2020-13933). In versions before 1.6.0, a specially crafted HTTP request could be matched against the wrong filter chain, or against none at all, so a URL that should have been guarded by an authc-protected chain could reach the application without authentication. It continues the series of URL-matching fixes in 1.5.2 (CVE-2020-1957) and 1.5.3 (CVE-2020-11989).

This was a critical fix because the filter chain is the control that decides which requests must authenticate; a path-matching bypass defeats it outright. If you're running an older version, upgrading should be a priority. As defence in depth regardless of version, end your [urls] chain definitions with a catch-all such as /** = authc, so that a request path no explicit pattern claims is still authenticated instead of being passed through with no Shiro filters at all.
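The deny-by-default point is easier to see with Shiro's own AntPathMatcher. What follows is an added example, not code from the Shiro project or from this page: it replays Shiro's first-match-wins chain resolution over a constructed [urls] section and reports every path that no pattern claims. It models only the pattern match, not Shiro's request-path normalisation (the part the 1.5.x and 1.6.0 bypass fixes changed), so it is a configuration audit, not a reproduction of the vulnerability. The chain definitions and request paths are made up for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

/**
 * Added example (not Shiro project code). Resolves request paths against an
 * ordered set of filter chain definitions the way Shiro's
 * PathMatchingFilterChainResolver does: first matching pattern wins, and a
 * path that matches nothing gets no Shiro filters at all. Only the Ant-style
 * pattern match is modelled; Shiro's own request-path normalisation is not.
 */
public class FilterChainAudit {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns the filter expression of the first chain whose pattern matches, or null if none does. */
    public static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> chain : chains.entrySet()) {
            if (MATCHER.match(chain.getKey(), path)) {
                return chain.getValue();
            }
        }
        return null; // no chain: Shiro lets the request through without running any of its filters
    }

    /** Constructed [urls] section, in declaration order (order is significant). */
    public static Map<String, String> sampleChains() {
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/login", "authc");
        chains.put("/static/**", "anon");
        chains.put("/admin/**", "authc, roles[admin]");
        chains.put("/api/**", "authc");
        return chains;
    }

    public static void main(String[] args) {
        Map<String, String> chains = sampleChains();
        String[] paths = { "/admin/users", "/api/v1/items", "/static/app.js", "/reports/summary" };

        for (String path : paths) {
            String filters = resolve(chains, path);
            System.out.printf("%-20s -> %s%n", path,
                    filters == null ? "NO CHAIN (reaches the app unfiltered)" : filters);
        }

        // Deny by default: a trailing catch-all closes the gap reported above.
        // It must be last, because an earlier /** would shadow the anon and roles[] chains.
        chains.put("/**", "authc");
        System.out.printf("%-20s -> %s%n", "/reports/summary", resolve(chains, "/reports/summary"));
    }
}
```

Run it against your real [urls] section: any line reporting NO CHAIN is a URL your application serves with no Shiro filter in front of it. Keep the /** catch-all at the end; putting it first would swallow the anon and roles[admin] chains declared after it.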

Which dependencies received updates in Shiro 1.6?

The dependency versions often listed for this release, Guava 32.0.0, Jackson 2.15.0, Jedis 4.4.0 and SLF4J 2.0, cannot have shipped in August 2020: all four were released in 2022 or 2023 and belong to later Shiro releases. To see what 1.6.0 actually pulls in, read the pom.xml files in the linked source tree or the dependency list on the Maven artifact page.

That dating matters in practice. An application still on 1.6.0 today is also running 2020-era transitive dependencies, each with its own unpatched issues since then. Dependency updates in a supported line resolve compatibility problems with the rest of your stack and carry their own security fixes; that, together with the unsupported status of 1.6, is the argument for moving to a current release rather than pinning to 1.6.0.

What new hashing algorithms were added?

Shiro's SimpleHash and DefaultHashService look the algorithm up by name through java.security.MessageDigest, so any digest the JVM's providers offer can be used, including the SHA-3 family (SHA3-224, SHA3-256, SHA3-384 and SHA3-512). The JDK only includes SHA-3 in its default providers from Java 9, so on a Java 8 runtime the name resolves only with an additional provider such as Bouncy Castle.

SHA-3 is a sound replacement for SHA-1 as a digest, but it is still a fast hash. For password storage what matters is a per-user random salt and a high iteration count (Shiro's DefaultPasswordService defaults to SHA-256 with 500,000 iterations), and for a new project a purpose-built password hash (bcrypt, scrypt or Argon2) is the better choice; Shiro 1.x does not bundle one, the 2.0 line adds Argon2 and bcrypt modules.

Is there Jakarta EE support in this version?

No. Jakarta EE 10 was released in September 2022, two years after 1.6.0, and Shiro 1.6 targets the javax.servlet API. Support for the Jakarta namespace, the successor to Java EE, belongs to later Shiro releases, in particular the 2.0 line.

For teams migrating their applications to the Jakarta EE APIs this means the 1.6 branch is not a stepping stone: shiro-web 1.6.0 will not load on a jakarta.servlet container, so plan the Shiro upgrade together with the servlet migration.

FAQ

Is the authentication bypass (CVE-2020-13933) a serious threat?
Yes. A specially crafted request could reach URLs that your filter chain was supposed to protect, without authenticating. Every version before 1.6.0 is affected; upgrade, and keep a /** = authc catch-all at the end of your chain definitions so that unmatched paths are never passed through unfiltered.

I'm still on Java 7, can I use Shiro 1.6?
No. Shiro 1.6 requires Java 8 or higher. You would need to either upgrade your Java runtime or remain on an older, unsupported version of Shiro.

What happens if I use the deprecated Apache Felix dependency?
It will still work in 1.6, but it's marked for removal in a future release. You should start planning to replace any Felix-related functionality to avoid breaking changes later.

How do I use SHA3 hashes for password hashing?
Set the algorithm name wherever you configure hashing, as with any other JCA digest. With a HashedCredentialsMatcher in Spring XML, for example: <bean id="passwordMatcher" class="..."><property name="hashAlgorithmName" value="SHA3-256"/></bean>. Two things to check: the JVM must be Java 9+ (or carry a provider that supplies SHA-3), and hashAlgorithmName on its own is not enough for passwords. Also set hashIterations, store a per-user salt alongside the hash, and make sure storedCredentialsHexEncoded matches how your stored digests are encoded.
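Both the SHA3 section above and this FAQ entry turn on the same two points: the digest is chosen by JCA name, and the salt and iteration count have to travel with it. The following is an added example, not code from the Shiro project or from this page. It uses Shiro 1.x's DefaultPasswordService, which stores algorithm, iterations and salt in the hash string itself (Shiro1CryptFormat), so the matcher needs no separate configuration. It assumes a Java 9+ JVM, where SHA3-256 is available from the default providers; the password strings are constructed for the example.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;

/**
 * Added example (not from the Shiro project): hashing and verifying a password
 * with Shiro 1.x's DefaultPasswordService, selecting a SHA-3 digest by its JCA
 * name. Needs a Java 9+ JVM (or an extra provider such as Bouncy Castle) for
 * "SHA3-256"; on a stock Java 8 runtime MessageDigest has no SHA-3 and Shiro
 * throws UnknownAlgorithmException when the first hash is computed.
 */
public class Sha3PasswordHashing {

    /** Builds a password service whose hashes use the given digest and iteration count. */
    public static DefaultPasswordService newPasswordService(String algorithmName, int iterations) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(algorithmName); // any name java.security.MessageDigest accepts
        hashService.setHashIterations(iterations);       // stretching: slows down offline guessing
        hashService.setGeneratePublicSalt(true);         // fresh random salt per password, stored with the hash
        DefaultPasswordService service = new DefaultPasswordService();
        service.setHashService(hashService);
        return service;
    }

    /** Hashes a new password into the string you store for the user. */
    public static String hashForStorage(DefaultPasswordService service, String plaintext) {
        // Shiro1CryptFormat output looks like "$shiro1$SHA3-256$500000$<base64 salt>$<base64 digest>":
        // algorithm, iterations and salt are self-describing, so parameters can be
        // raised later for new passwords without breaking verification of old ones.
        return service.encryptPassword(plaintext);
    }

    /** Verifies a login attempt; Shiro re-hashes with the salt and iterations parsed from the stored string. */
    public static boolean verify(DefaultPasswordService service, String attempt, String stored) {
        return service.passwordsMatch(attempt, stored);
    }

    public static void main(String[] args) {
        DefaultPasswordService service = newPasswordService("SHA3-256", 500_000);

        String stored = hashForStorage(service, "correct horse battery staple");
        System.out.println("stored:  " + stored);
        System.out.println("correct: " + verify(service, "correct horse battery staple", stored));
        System.out.println("wrong:   " + verify(service, "Tr0ub4dor&3", stored));
    }
}
```

To wire this into a realm, register the same DefaultPasswordService with a PasswordMatcher and store the string from hashForStorage as the user's credential; PasswordMatcher calls passwordsMatch for you. If you must keep a HashedCredentialsMatcher instead, its hashAlgorithmName and hashIterations have to equal the values used when the stored digests were created, and the salt has to be supplied by your realm, which is exactly the coupling the self-describing format avoids.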

Were there any breaking changes in the 1.6 release?
Shiro 1.6.0 is a maintenance release and the public API is unchanged for most applications. The fix for CVE-2020-13933 tightens how request paths are matched against filter chain definitions, so retest your protected and anonymous URLs after upgrading, including paths with encoded characters and with and without trailing slashes. The deprecations are warnings for the future, and the Java 8 requirement only bites if you are still on an older runtime.

Releases In Branch 1.6

Version   Release date
1.6.0     11 Aug 2020