What Is New in Apache Shiro 1.9
This release focuses on modernizing the framework with key dependency updates and introducing new capabilities for cleaner session management. It's a solid step forward for maintaining compatibility with newer Java ecosystems.
| Category | Key Changes |
|---|---|
| New Features | New Session DAO for Hazelcast, Optional Session Creation filter |
| Improvements | Upgraded dependencies (Guava, Jackson, Jedis, Eclipse Jetty, JUnit 5) |
| Bug Fixes | Resolved issues with RememberMe, CORS, and Web Servlet |
| Deprecations | Deprecated AbstractRememberMeManager serialization methods |
How did dependency upgrades improve Shiro 1.9?
The core of this release is updating critical library dependencies to their latest major versions. This ensures Shiro remains compatible with modern applications and avoids version conflicts in your project's classpath.
Key upgrades include Guava to 28.0, Jackson to 2.10.0, Jedis to 3.0.0, and Eclipse Jetty to 9.4.17.v20190418. The test suite also moved to JUnit 5. In practice, this means you can integrate Shiro 1.9 into projects using newer versions of these libraries without having to force downgrades.
What new session management features were added?
Shiro 1.9 introduces a new HazelcastSessionDAO for distributed session storage using Hazelcast. This provides a robust alternative for clustered environments beyond the existing Redis and Ehcache implementations.
Another significant addition is the NoSessionCreationFilter. This filter prevents Shiro from creating sessions for specific requests, which is perfect for stateless API endpoints. It gives you more granular control over when sessions are initialized, reducing unnecessary overhead.
Which bugs were squashed in this release?
Several important bugs were fixed to improve stability. A RememberMe login issue was resolved where a user would be logged out after a session timeout, even with a valid RememberMe cookie.
The release also fixed a CORS configuration problem and corrected an issue in the Web Servlet module where the GlobalFilterChain wasn't being reset between tests, which could lead to unpredictable behavior during testing.
What was deprecated and why should I care?
The serialize and deserialize methods in AbstractRememberMeManager were marked as deprecated. These methods were prone to introducing deserialization vulnerabilities if not implemented carefully.
This change pushes developers towards using the more secure ObjectSerializer interface instead. If you've written custom RememberMe logic, you should check your implementation and plan to migrate to the newer, safer API.
FAQ
Is the Hazelcast session DAO production-ready?
Yes, the HazelcastSessionDAO is a new, fully supported implementation for distributed session management. It's designed to be as production-ready as the existing Redis and Ehcache DAOs.
How do I use the new NoSessionCreationFilter?
Add the filter to your Shiro filter chain mappings. For example: `/api/** = noSessionCreation, authcBasic`. This ensures that requests matching that pattern will not create a session.
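A complete `shiro.ini` filter chain that applies the mapping above to a stateless API path while leaving browser-facing paths session-backed. This is an added illustration, not configuration taken from the Shiro project's own documentation; the `[users]` account, the URL paths and the login page name are constructed for the example.

```ini
[users]
# Constructed sample account for local testing only: password, then roles.
# Use a real realm (JDBC, LDAP, ...) instead of [users] in production.
alice = alice-secret, api

[urls]
# Order matters: noSessionCreation must precede the authentication filter so the
# request is flagged before authcBasic runs. Any filter earlier in the chain that
# touches the session would otherwise create one before the flag is set.
/api/** = noSessionCreation, authcBasic
# Browser-facing paths keep ordinary, session-backed form login.
/login.jsp = authc
/** = authc
```

With this mapping in place, a handler under `/api/**` that calls `subject.getSession()` gets a `DisabledSessionException`, while `subject.getSession(false)` returns null; asserting on the latter in an integration test is a quick way to confirm the filter is actually in effect for the path you intended.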
I use RememberMe functionality. What do I need to change?
Check if you have overridden the deprecated serialize or deserialize methods in AbstractRememberMeManager. If so, you need to migrate your implementation to use an ObjectSerializer.
Will upgrading Guava cause breaking changes in my project?
It might if you have other parts of your application that are tightly coupled to an older Guava API. Shiro itself is compatible with Guava 28.0, but you should test your entire application for compatibility after the upgrade.
Was the CORS configuration bug causing security issues?
No, it was a configuration bug that prevented CORS settings from being applied correctly, potentially breaking legitimate cross-origin requests. It did not introduce a security vulnerability.