What Is New in Apache Shiro 2.0?
Apache Shiro 2.0 is a major release that modernizes the framework, requiring Java 8 or later and introducing significant refinements across its architecture. This update focuses on streamlining the codebase, upgrading core dependencies, and enhancing security.
| Category | Key Changes |
|---|---|
| New Features & Modules | New shiro-crypto-cipher module; shiro-web module split from the core. |
| Improvements | Updated dependencies (Spring 6, Guice 7, JUnit 5); API cleanups and modernizations. |
| Bug Fixes | Multiple fixes for issues reported since the 1.x series. |
| Security | Includes fixes for security vulnerabilities identified in previous versions. |
| Deprecated/Removed | Removal of several secondary modules (e.g., Quartz, Hazelcast, Ehcache, CAS, OAuth, AspectJ, Spring Boot Starter). |
Why Did Shiro Remove So Many Modules?
The removal of modules like shiro-quartz and shiro-cas is a strategic cleanup. These components were often maintained by third parties or saw low adoption, which diverted focus from the core security framework.
In practice, this means a leaner, more maintainable Shiro. If you relied on a removed module, you'll need to handle that integration yourself or find an alternative. This change lets the core team concentrate on what Shiro does best: authentication, authorization, and session management.
How Do the Dependency Upgrades Affect My Project?
Upgrades to Spring Framework 6, Guice 7, and JUnit 5 align Shiro with modern Java ecosystems. If your project already uses these versions, integration becomes smoother. If you're on older versions, you'll face compatibility hurdles.
For instance, the jump to Spring 6 means Shiro drops support for Spring 5. This matters because you must upgrade your Spring stack concurrently with Shiro to avoid runtime conflicts. The move to JUnit 5 also requires updating your test suites.
What Are the Key API Changes for Developers?
Shiro 2.0 cleans up its public API, removing deprecated classes and methods that have been around since the 1.x era. You'll need to update calls to things like the old Subject.Builder pattern.
The new shiro-crypto-cipher module provides a more focused API for encryption operations. When migrating, check your imports and constructor usage; some factory methods have been replaced with more direct instantiation.
Is the Security Model Different in Shiro 2.0?
The core security model for authentication and authorization remains consistent. The improvements are in the underlying implementation, including the fixes for vulnerabilities identified in previous versions.
This means your realm and permission logic should work as before. The security fixes are transparent but critical: they address potential weaknesses in how Shiro handles certain scenarios, so upgrading closes those gaps.
FAQ
I use Shiro with Spring Boot. What should I do?
The dedicated shiro-spring-boot-starter module has been removed. You now need to configure Shiro within Spring Boot manually. This involves defining your own beans for SecurityManager, Realm, and related components.
Does Shiro 2.0 support Java 17?
Yes. By requiring a minimum of Java 8, Shiro 2.0 is compatible with Java 11, 17, and later LTS versions. The build and dependencies have been tested with newer JDKs.
What happened to the Ehcache session clustering support?
The shiro-ehcache module is removed. For session clustering, you must implement your own solution or use a different caching provider that integrates with Shiro's native session APIs.
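Shiro's native session API that the answer refers to is the SessionDAO contract, so a replacement for the removed Ehcache clustering is a SessionDAO backed by whatever shared store you choose. The class below is an added example written for this page, not Shiro's own code or a removed module: it extends org.apache.shiro.session.mgt.eis.AbstractSessionDAO, and the ConcurrentHashMap is a stand-in for the shared cache client (Redis, Hazelcast, a database table) you would substitute. The class name SharedStoreSessionDAO is invented here.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;

/**
 * Hypothetical SessionDAO that persists sessions in a shared store.
 * The in-memory map stands in for the real store; replace it with your
 * cache client and keep the rest of the contract unchanged.
 */
public class SharedStoreSessionDAO extends AbstractSessionDAO {

    // Stand-in for the shared store. Session objects written to a remote store
    // must be Serializable; Shiro's default SimpleSession already is.
    private final Map<Serializable, Session> store = new ConcurrentHashMap<>();

    @Override
    protected Serializable doCreate(Session session) {
        // generateSessionId() uses the configured SessionIdGenerator (random UUIDs by
        // default), which is what keeps session ids unguessable across the cluster.
        Serializable id = generateSessionId(session);
        assignSessionId(session, id);
        store.put(id, session);
        return id;
    }

    @Override
    protected Session doReadSession(Serializable sessionId) {
        // Returning null lets AbstractSessionDAO.readSession() raise
        // UnknownSessionException, so expired or forged ids are rejected uniformly.
        return store.get(sessionId);
    }

    @Override
    public void update(Session session) throws UnknownSessionException {
        Serializable id = session.getId();
        if (id == null || !store.containsKey(id)) {
            throw new UnknownSessionException("No session with id " + id);
        }
        // Write back so attribute changes and last-access times reach other nodes.
        store.put(id, session);
    }

    @Override
    public void delete(Session session) {
        Serializable id = session.getId();
        if (id != null) {
            store.remove(id);
        }
    }

    @Override
    public Collection<Session> getActiveSessions() {
        // Used by the session validation scheduler to expire idle sessions.
        return Collections.unmodifiableCollection(store.values());
    }
}
```

Wire it in by calling setSessionDAO(new SharedStoreSessionDAO()) on a DefaultWebSessionManager and handing that manager to the security manager via setSessionManager(); session validation then runs against the shared store rather than a per-node cache. Because every node reads the same record, invalidating a session on logout takes effect cluster-wide, which is the property the Ehcache integration used to provide.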
Are there any breaking changes in the web filter configuration?
The core web filter behavior is stable, but it's now in the separate shiro-web module. Ensure you include this module in your dependencies. Some filter class names or initialization parameters might have subtle changes, so check your web.xml or initializer code.
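The manual Spring Boot configuration described under "I use Shiro with Spring Boot" and the web filter setup from this answer come together in one configuration class. The code below is an added example for this page, not the removed starter or any Shiro project code. It assumes shiro-spring and shiro-web are on the classpath (the page states only that the Spring Boot starter was removed) and uses ShiroFilterFactoryBean, DefaultWebSecurityManager and SimpleAccountRealm, which exist in those modules; the account names and passwords are constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;   // shadows java.lang.SecurityManager
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // Demo realm only: an in-memory realm with constructed accounts. A real
    // deployment would back a Realm with a user store and hashed credentials.
    @Bean
    public Realm realm() {
        SimpleAccountRealm realm = new SimpleAccountRealm("exampleRealm");
        realm.addAccount("alice", "constructed-demo-password-1", "admin"); // constructed
        realm.addAccount("bob", "constructed-demo-password-2", "user");    // constructed
        return realm;
    }

    // The SecurityManager bean the starter used to create for you.
    @Bean
    public SecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(realm);
        return manager;
    }

    // Spring Boot registers the Filter produced by this FactoryBean automatically.
    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login");
        factory.setUnauthorizedUrl("/unauthorized");

        // Order matters: the first matching pattern wins. Public paths go first
        // and the final "/**" entry denies anything not explicitly opened up.
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/login", "authc");
        chains.put("/logout", "logout");
        chains.put("/static/**", "anon");
        chains.put("/admin/**", "authc, roles[admin]");
        chains.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }
}
```

The LinkedHashMap is deliberate: filter chain definitions are matched in insertion order, so a HashMap could silently reorder them and expose a path that was meant to sit behind "authc". Keeping the catch-all last gives you deny-by-default, which is the check to make when comparing this against the configuration the starter previously generated.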
How do I handle cryptography now with the new cipher module?
The new shiro-crypto-cipher module centralizes encryption/decryption operations. Use CipherService from this module instead of the older, more scattered crypto utilities in the core. This provides a cleaner, more injectable service.
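As an added example of the CipherService usage this answer and the earlier "Key API Changes" section describe (written for this page, not taken from Shiro), the class below encrypts and decrypts a message with AesCipherService from the shiro-crypto-cipher module. It assumes the 2.0 package names org.apache.shiro.crypto.cipher for the cipher classes and org.apache.shiro.lang.util.ByteSource for the byte wrapper; verify both against your imports when migrating, since these are exactly the paths that moved. The class name CipherRoundTrip and the sample message are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.crypto.cipher.AesCipherService;
import org.apache.shiro.crypto.cipher.CipherService;
import org.apache.shiro.lang.util.ByteSource;

/** Hypothetical helper showing a CipherService round trip under a fresh key. */
public final class CipherRoundTrip {

    private CipherRoundTrip() {
    }

    // Generates a random key for this run. In an application the key comes from a
    // key store or secrets manager; never hard-code it or log key.getEncoded().
    public static byte[] newKey(CipherService service) {
        Key key = service instanceof AesCipherService
                ? ((AesCipherService) service).generateNewKey()
                : null;
        if (key == null) {
            throw new IllegalArgumentException("Expected an AesCipherService");
        }
        return key.getEncoded();
    }

    // CipherService works on byte arrays and returns ByteSource wrappers.
    public static byte[] encrypt(CipherService service, byte[] key, String plaintext) {
        ByteSource out = service.encrypt(plaintext.getBytes(StandardCharsets.UTF_8), key);
        return out.getBytes();
    }

    public static String decrypt(CipherService service, byte[] key, byte[] ciphertext) {
        ByteSource out = service.decrypt(ciphertext, key);
        return new String(out.getBytes(), StandardCharsets.UTF_8);
    }

    // True when decrypting what encrypt() produced reproduces the original text.
    public static boolean roundTrips(String plaintext) {
        CipherService service = new AesCipherService();
        byte[] key = newKey(service);
        byte[] ciphertext = encrypt(service, key, plaintext);
        // Ciphertext must differ from the plaintext bytes and decrypt cleanly.
        boolean changed = !Arrays.equals(ciphertext, plaintext.getBytes(StandardCharsets.UTF_8));
        return changed && plaintext.equals(decrypt(service, key, ciphertext));
    }

    public static void main(String[] args) {
        // Constructed sample input.
        System.out.println("round trip ok: " + roundTrips("session-attribute-value"));
    }
}
```

Passing the key as a byte array on every call is the shape of the CipherService interface, which is what makes it easy to inject a single shared instance and keep key material in a separate component. Treat the key bytes as the secret: a ciphertext stored alongside its key is no better than plaintext.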