What Is New in Apache Shiro 2.1
Apache Shiro 2.1 brings key updates focused on modernizing its core and improving the developer experience. This release tightens security defaults, cleans up the API, and squashes several bugs from previous versions.
| Category | Key Changes |
|---|---|
| Security & Defaults | Stronger default hash iterations for password security. Removal of vulnerable dependency versions. |
| API Improvements | New RolesPermissionResolver interface. Deprecation of legacy AbstractRememberMeManager methods. |
| Bug Fixes | Fixes for remember me, web session creation, and PathMatchingFilterChainResolver logic. |
| Dependency Updates | Bumped supported versions for Spring, Jakarta Servlet API, and other key dependencies. |
| Deprecations | Legacy cipher-related methods and the org.apache.shiro.crypto.hash.format package. |
How are the default security settings stronger now?
The framework now uses 2,100,000 hash iterations for password-based encryption by default, up from 1. This massively increases the computational cost for attackers trying to crack hashed passwords.
In practice, this change only affects new configurations that don't explicitly set the iteration count. Existing apps with a custom configuration remain unchanged. This matters because it raises the security baseline for new projects without breaking old ones.
Dependency Security
Vulnerable versions of the commons-beanutils dependency have been removed. Your build tool should now pull in a patched version, closing a potential attack vector.
What new tools do I have for permission resolution?
A new RolesPermissionResolver interface has been introduced. It allows you to dynamically resolve permissions based on a user's roles, providing more flexibility than static role-to-permission mappings.
This is a cleaner extension point for custom authorization logic. You can implement it to bridge Shiro's role checks with complex external permission systems.
Which bugs were fixed that might affect my application?
Several persistent issues from the 2.0.x line have been resolved. The most notable fixes address problems with "remember me" functionality and web session handling.
- Remember Me: Fixed an issue where the remember me service could incorrectly create a new session upon login.
- Session Creation: Corrected a bug that caused unnecessary session creation for resource requests when sessions were disabled.
- Path Matching: The PathMatchingFilterChainResolver now correctly handles chain definitions where a path pattern is a subset of another.
If you've worked around these issues, you can remove your custom code after upgrading.
What's been deprecated and what dependencies changed?
This release marks several legacy features for removal in future versions. Code that uses the deprecated org.apache.shiro.crypto.hash.format package or the deprecated cipher-related methods should be migrated to their replacements.
Key dependency versions have been updated to keep Shiro compatible with modern libraries:
- Spring Framework support bumped to 5.3.x and 6.x.
- Jakarta Servlet API updated to 6.0.
- Updates to guice, commons-beanutils, and jaxb-api.
FAQ
Is the hash iteration change going to slow down my app's login?
No, it only applies to new password hashes created by Shiro's default crypto services. Existing hashes in your database use their original iteration count. The performance impact is only on creating new user credentials or updating passwords.
I use the deprecated HashFormat classes. What should I do?
You need to migrate your code to use the CryptFormat interface and its implementations (HexFormat, Base64Format) instead. The old package will be removed in Shiro 3.0.
Does the fix for unnecessary session creation break anything?
It fixes incorrect behavior. If your application logic accidentally relied on a session being created for static resources when sessions were off, you'll need to adjust. Most apps will just benefit from cleaner operation.
Why was the AbstractRememberMeManager.clearIdentity method deprecated?
It was an ambiguous method that didn't properly distinguish between clearing a remembered identity from a client and clearing it from the server-side store. Use the more specific forgetIdentity or onLogout methods instead.
I'm on Spring 5.2. Can I upgrade to Shiro 2.1?
Yes. While Shiro 2.1 lists support for Spring 5.3.x and 6.x, it typically remains compatible with Spring 5.2. Test your integration as always, but no breaking changes for Spring users are highlighted in this release.