The Shiro team is pleased to announce the release of Apache Shiro version 1.10.0.
This security release contains 7 fixes since the 1.9.1 release and is available for download now [1].

CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Credit: Apache Shiro would like to thank Y4tacker for reporting this issue.

Bug
* [SHIRO-512] - Race condition in Shiro's web container session timeout handling
* [SHIRO-887] - FormAuthenticationFilter trims passwords which start and/or end with one or more space character(s)

Improvement
* [SHIRO-891] - fix source jar Reproducible Builds issue
* [SHIRO-884] - fix source jar Reproducible Builds issue
* [SHIRO-885] - Use OWASP Java Encoder with OSGi manifest
* [SHIRO-890] - Avoid another proxy creator when @EnableAspectJAutoProxy enabled
* [SHIRO-891] - Allow for direct configuration of ShiroFilter through WebEnvironment

Behavior Changes

As of 1.10.0, Shiro may filter a request multiple times, e.g. when including or forwarding requests. This behavior can be reverted by setting the following property:

`shiro.filterOncePerRequest=true`

Release binaries (.jars) are also available through Maven Central and source bundles through Apache distribution mirrors.

For more information on Shiro, please read the documentation [2].

-The Apache Shiro Team

[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/documentation.html
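A small audit script, added here as an example and not part of the Shiro project or this announcement, that checks a Maven pom.xml for org.apache.shiro dependencies older than 1.10.0 and checks an application properties file for `shiro.filterOncePerRequest=true`, which reverts the 1.10.0 behavior change described above. The sample pom.xml and properties text are constructed for the example.

```python
"""Audit Maven coordinates and Shiro properties against the 1.10.0 release."""
import re
import xml.etree.ElementTree as ET

FIXED = (1, 10, 0)  # first release carrying the CVE-2022-40664 fix
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'1.9.1' -> (1, 9, 1); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def shiro_versions(pom_xml):
    """Yield (artifactId, resolved version) for every org.apache.shiro dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        if dep.findtext("m:groupId", "", POM_NS).strip() != "org.apache.shiro":
            continue
        aid = dep.findtext("m:artifactId", "", POM_NS).strip()
        ver = dep.findtext("m:version", "", POM_NS).strip()
        # resolve ${shiro.version}-style references to <properties>
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), ver)
        yield aid, ver

def audit(pom_xml, app_properties):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    for aid, ver in shiro_versions(pom_xml):
        parsed = parse_version(ver)
        if parsed is None or parsed < FIXED:
            findings.append(f"{aid} {ver or '?'}: below 1.10.0 (CVE-2022-40664)")
    # shiro.filterOncePerRequest=true restores the pre-1.10.0 single-filter behavior
    m = re.search(r"^\s*shiro\.filterOncePerRequest\s*=\s*(\S+)", app_properties, re.M)
    if m and m.group(1).lower() == "true":
        findings.append("shiro.filterOncePerRequest=true: forwarded/included requests filtered once")
    return findings

# constructed sample inputs
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><shiro.version>1.9.1</shiro.version></properties>
  <dependencies><dependency><groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId><version>${shiro.version}</version>
  </dependency></dependencies></project>"""
SAMPLE_PROPERTIES = "server.port=8080\nshiro.filterOncePerRequest=true\n"

def run_sample():
    return audit(SAMPLE_POM, SAMPLE_PROPERTIES)

if __name__ == "__main__":
    print("\n".join(run_sample()) or "no findings")
```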
