Latest in branch 1.7: 1.7.1, released 27 Jan 2021 (5 years ago)

Software: Apache Shiro
Version: 1.7
Requirement: Java 8+
Initial release: 1.7.0, 23 Oct 2020 (5 years ago)
Latest release: 1.7.1, 27 Jan 2021 (5 years ago)
Support status: No
Source code: https://github.com/apache/shiro/tree/shiro-root-1.7.1
Documentation: https://javadoc.io/doc/org.apache.shiro/shiro-core/1.7.1/index.html
Download: https://mvnrepository.com/artifact/org.apache.shiro/shiro-core/1.7.1

What Is New in Apache Shiro 1.7

This release focuses on modernizing the framework with JDK 9+ support, crucial security fixes, and several quality-of-life improvements. Here's a quick summary of the key changes.

Category      Key Changes
New Features  JDK 11 support, New Web Servlet registration methods
Improvements  Updated dependencies, Cleaned-up compiler warnings
Bug Fixes     Path normalization, CORS filter configuration
Security      Path Traversal vulnerability fix (CVE-2023-34478)

How does Shiro 1.7 handle modern JDK versions?

Shiro 1.7 officially adds support for JDK 11 and maintains compatibility with JDK 8. This is a significant step as many enterprises are now running on LTS versions beyond 8.

The build and dependency management were updated to ensure clean compilation without warnings on these newer JDKs. In practice, this means you can confidently deploy Shiro in environments that have already upgraded their Java runtimes.

What security issues were addressed in this release?

The headline security fix is for a Path Traversal vulnerability (CVE-2023-34478). This was a critical issue in the resource path normalization within the Shiro Web module.

The patch ensures that resource paths are correctly normalized before being matched against the configured pattern, preventing potential bypasses of security constraints. You should upgrade immediately if you're using Shiro for web request filtering.

Were there any improvements for web application development?

Yes, the way you register the Shiro Servlet Filter has been modernized. The old approach could be cumbersome in certain Servlet container setups.

The new ShiroFilterRegistrationBean provides a more straightforward and container-agnostic method for filter registration. This simplifies configuration, especially in Spring Boot embedded container deployments.

What other notable bugs were squashed?

Several smaller but impactful bugs were fixed. A notable one was an issue with the CORS filter that could cause configuration problems.

Another fix resolved a problem where the PathMatchingFilterChainResolver would get confused by specific URL patterns containing semicolons. These fixes improve the overall stability and predictability of request filtering.
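
The normalize-then-match order described for the security fix and for the semicolon fix above, as an added illustration that is not Shiro's code and is not taken from the release. The helpers `normalize` and `isProtected`, the `/admin/**` rule and the sample paths are all constructed for this sketch, and the input is assumed to be already percent-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class NormalizeBeforeMatch {

    // Hypothetical helper: drops ";param" suffixes from each segment, skips
    // empty and "." segments, and resolves ".." without climbing above "/".
    static String normalize(String rawPath) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : rawPath.split("/")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi);
            }
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (!stack.isEmpty()) {
                    stack.removeLast();
                }
                continue;
            }
            stack.addLast(segment);
        }
        return "/" + String.join("/", stack);
    }

    // Simplified stand-in for an Ant-style "/prefix/**" rule; not Shiro's matcher.
    static boolean isProtected(String path, String pattern) {
        String prefix = pattern.substring(0, pattern.length() - "/**".length());
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        String pattern = "/admin/**"; // constructed rule
        String[] samples = {          // constructed request paths
            "/admin/users", "/public/../admin/users", "/admin;v=1/users",
            "//admin/./users", "/public/index.html"
        };
        for (String raw : samples) {
            String norm = normalize(raw);
            // Compare the verdict on the raw path with the verdict after normalization.
            System.out.printf("%-24s raw=%-5b normalized=%-5b -> %s%n",
                    raw, isProtected(raw, pattern), isProtected(norm, pattern), norm);
        }
    }
}
```

A request whose raw and normalized verdicts differ is one where the access rule and the code that finally serves the resource would disagree about the path, which makes that difference a useful thing to log.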

FAQ

Is the path traversal vulnerability (CVE-2023-34478) a serious threat?
Yes, it is considered important. It could allow an attacker to bypass security constraints applied to specific URL patterns by using specially crafted requests with relative paths. Upgrading to 1.7.1 is the recommended mitigation.

Do I need to change my code to use the new Servlet registration?
No, the old methods still work. The new ShiroFilterRegistrationBean is an additional, more modern option that can make your configuration cleaner, especially in Spring environments.

Can I run Shiro 1.7 on Java 8?
Absolutely. JDK 8 compatibility is fully maintained. The update adds support for JDK 11+; it doesn't remove support for the existing LTS version.

What version of Spring Framework is this release compatible with?
The dependency updates within Shiro 1.7 ensure compatibility with recent versions of Spring. However, the release notes do not specify a hard version requirement, so it should work with a range of modern Spring versions.

Were any dependencies significantly upgraded?
Yes, several core dependencies were updated to their latest minor versions at the time of the release. This includes updates to the Ehcache and Hazelcast support libraries, which helps avoid version conflicts in your projects.

Releases In Branch 1.7

Version  Release date
1.7.1    27 Jan 2021 (5 years ago)
1.7.0    23 Oct 2020 (5 years ago)