Proposal: EOL for Shiro major versions

[lenny]

Here is my proposal:

Shiro 1.x EOL at the end of 2024
Shiro 2.x EOL at the end of 2025

Shiro 3.x focus is:
- Jakarta EE (non-shaded) - remove support for Java EE (remove dependency on 
javax.* namespace)
- Remove “rawtypes” replace with Generics in the API
- Prune abandoned / deprecated support modules:
  - Guice 3?
  - Hazelcast / EHcache / etc - replace with JCache
  - Quartz
  - Anything else?

Feedback is appreciated!

Re: 2024 June Board Report Draft

[lenny]

LGTM. Thanks Brian!

> On Jun 13, 2024, at 10:26 AM, Francois Papon  
> wrote:
> 
> LGTM
> 
> Thanks Brian!
> 
> On 13/06/2024 16:49, Brian Demers wrote:
>> The 2024 June ASF board report was due yesterday.  I've created an initial
>> draft here:
>> 
>> https://svn.apache.org/repos/asf/shiro/board/2024-06.txt
>> 
>> Comments, suggestions, additions, and feedback are welcome.  Otherwise, it
>> will be submitted tonight.
>> 
>> Sorry for being late,
>> -Brian
>> 
> 

[ANNOUNCE] Apache Shiro 2.0.1 Released!

[lenny]

The Apache Shiro team is pleased to announce the release of Apache Shiro 
version 2.0.1

Apache Shiro is a powerful and easy-to-use Java security framework that 
performs authentication, authorization, cryptography, and session 
management. With Shiro’s easy-to-understand API, you can quickly and 
easily secure any application – from the smallest mobile applications to 
the largest web and enterprise applications.

# This is a update release for 2.x. All changes and release notes:
https://github.com/apache/shiro/releases/tag/shiro-root-2.0.1

# Download and verification instructions are available on our download page:

https://shiro.apache.org/download.html 

# For more information on Shiro, please read the documentation:

https://shiro.apache.org/documentation.html 



Enjoy!

The Apache Shiro Team

[RESULT][VOTE] Apache Shiro 2.0.1 release

[lenny]

Hi, This vote passed with the following result: 
+1 (binding): Lenny Primak, Jean-Baptiste Onofre, François Papon
+1 (non-binding): Steinar Bang
-1 (non-binding): Jakub Herkel

I'm promoting the artifacts on Central and dist.apache.org 
<http://dist.apache.org/>
I will then announce the release.
Thanks all for your vote! 

Re: [VOTE] Release Apache Shiro 2.0.1

[lenny]

I guess the release notes aren’t showing up:
Here they are:
Apache Shiro 2.0.1 Draft
 

 lprimak  drafted this 7 hours ago
· 3 commits  
to
 main since this release
 shiro-root-2.0.1 
 b4d2047 

What's new Highlights

Added a supported way to decorate Shiro SecurityManager
Better compatibility with OSGi for Jakarta EE jakarta namespace
Fixed exception handling bugs in Jax-Rs integration module
Fixed a bug in Jakarta Faces integration
Better compatibility when building with Maven 4.x
Bug fixes

[#1324 ] enh: added 
ManifestResourceTransformer to shade plugin by @lprimak 
 in #1328 

[#1352 ] bugfix: made 
commons-configuration2 optional in shiro core by @lprimak 
 in #1353 

[SHIRO-491 ] fix rendering of 
principal tag in panelGroup by @lprimak  in #1371 

[#1383 ] bugfix: fix exception 
mapper type from registered features by @lprimak  
in #1384 
[SHIRO-875 ] Fix creating 
subjects with disabled session-creation by @boris-petrov 
 in #1407 

[#1383 ] bugfix(jax-rs): 
unauthenticated vs. authorized HTTP response codes we… by @lprimak 
 in #1487 

bugfix(tests): using JUnit's ResourceLock annotation for tests that touch… by 
@lprimak  in #1467 

Enhancements

[SHIRO-776 ] refactor: JUnit5 
Best Practices by @timtebeek  in #1338 

deps: fix warnings found by maven 4-alpha-13 by @lprimak 
 in #1377 

[#1424 ] [Enhancement] Made 
Jakarta EE IniEnvironment more flexible by @lprimak 
 in #1425 

[#1424 ] Add generic way to 
decorate SecurityManager by @lprimak  in #1429 

Documentation enhancements

enh: updated versions and using actual link versions for javadoc 

Dependency updates

build(deps): bump log4j.version from 2.22.1 to 2.23.0 by @dependabot 
 in #1321 

build(deps): bump org.codehaus.mojo:exec-maven-plugin from 3.1.1 to 3.2.0 by 
@dependabot  in #1325 

build(deps): bump io.openliberty.tools:liberty-maven-plugin from 3.10 to 3.10.1 
by @dependabot  in #1330 

build(deps): bump actions/setup-java from 4.0.0 to 4.1.0 by @dependabot 
 in #1331 

build(deps): bump com.puppycrawl.tools:checkstyle from 10.13.0 to 10.14.0 by 
@dependabot  in #1332 

build(deps): bump mockito.version from 5.10.0 to 5.11.0 by @dependabot 
 in #1334 

build(deps): bump groovy.version from 4.0.18 to 4.0.19 by @dependabot 
 in #1335 

build(deps): bump actions/cache from 4.0.0 to 4.0.1 by @dependabot 
 in #1336 

build(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.18.5 to 
0.19.1 by @dependabot  in #1341 

build(deps): bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.19.1 to 
0.20.0 by @dependabot  in #1342 

build(deps): bump log4j.version from 2.23.0 to 2.23.1 by @dependabot 

Re: [VOTE] Release Apache Shiro 2.0.1

[lenny]

Lenny Primak: +1 (binding)

> On May 25, 2024, at 8:02 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 2.0.1
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1061 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1061>
> https://repository.apache.org/content/repositories/orgapacheshiro-1061/org/apache/shiro/shiro-root/2.0.1/shiro-root-2.0.1-source-release.zip
>  
> <https://repository.apache.org/content/repositories/orgapacheshiro-1061/org/apache/shiro/shiro-root/2.0.1/shiro-root-2.0.1-source-release.zip>
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.1 
> <https://dist.apache.org/repos/dist/dev/shiro/2.0.1>
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html 
> <http://maven.apache.org/guides/development/guide-testing-releases.html>
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/untagged-2a2fbc26921a12c6ed43 
> <https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0>
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

[VOTE] Release Apache Shiro 2.0.1

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.1

Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1061 

https://repository.apache.org/content/repositories/orgapacheshiro-1061/org/apache/shiro/shiro-root/2.0.1/shiro-root-2.0.1-source-release.zip
 


Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.1

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html 


Release Notes:
https://github.com/apache/shiro/releases/tag/untagged-2a2fbc26921a12c6ed43 


Vote open for 72 hours. 

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

Ah, that’s a different world here unfortunately… you are on your own there

> On May 23, 2024, at 11:59 AM, Steinar Bang  wrote:
> 
>>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
> 
>> That’s hardly enough to go on. Sounds like a configuration issue.
> 
> No, that's just me thinking out loud.
> 
>> Do you have a reproducer?
> 
> Not yet, but the first stack trace in the log is failing in INI parsing
> because of "ClassNotFoundException", and I suspect it has to do with
> using the default classloader and me running under OSGi on karaf...?
> 
> And this rings a faint bell (I think I have been here before...), so I
> will trawl old git commits to see what I did for a workaround earlier
> and when I stopped needing the workaround because of changes in shiro
> 1.x (and also if this is linked to an old issue).
> 
> This may be me just hallusinating and misremembering, but it's the track
> of investigation I will follow first.
> 
> (but if you happen to know where and if I could feed INI parsing a
> custom classloader I would be happy to learn about it...?)
> 

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

Hi,
That’s hardly enough to go on. Sounds like a configuration issue.
Do you have a reproducer?

> On May 22, 2024, at 12:33 PM, Steinar Bang  wrote:
> 
>>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
> 
>> Awesome! Thank you for your contributions and help! We appreciate it.
> 
> My pleasure!
> 
> I'm not all there yet, however...:-)
> 
> All applications built without compilation and test errors, but I'm
> currently getting
> HTTP ERROR 500 org.apache.shiro.UnavailableSecurityManagerException: No 
> SecurityManager accessible to the calling code, either bound to the 
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an 
> invalid application configuration.
> 
> Maybe it's time to read the upgrade/release notes...? :-)
> 
> (so far, all I've done, is to bump version numbers in the maven pom,
> and move ByteSource.Util to a new package)
> 
> (and I'm using a snapshot built from yesterday evenings main, after the
> shiro-jaxrs fix)
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

Awesome! Thank you for your contributions and help! We appreciate it.

> On May 21, 2024, at 4:45 PM, Steinar Bang  wrote:
> 
>>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org
> 
>> There are plenty of tests already. They were all expecting flipped values,
>> as the naming is very confusing. No need for any new tests.
> 
> Ok.
> 
> Anyway! My stuff builds against a snapshot from the current main of
> shiro.
> 
> Thanks!
> 
> (Tomorrow I will know if it actually works with shiro 2.x :-) )
> 

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

There are plenty of tests already. They were all expecting flipped values,
as the naming is very confusing. No need for any new tests.


> On May 21, 2024, at 12:18 PM, Steinar Bang  wrote:
> 
>> Steinar Bang :
> 
>> Would you like a port of my unit tests to the shiro-jaxrs project (a 200
>> OK test (logged in user with role admin), a 401 Authenticate test (user
>> not logged in) and a 403 Forbidden test (user without role admin logged
>> in))?
> 
> But that offer is only good if I can use this test dependency:
> https://mvnrepository.com/artifact/com.mockrunner/mockrunner-servlet/2.0.7
> (becauses without it it will be too much work)
> 
> mockrunner is under a license based on Apache 1.1
> https://github.com/mockrunner/mockrunner/blob/master/LICENSE.txt
> 

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

Sheesh, I think you are right :)

> On May 20, 2024, at 4:01 PM, Steinar Bang  wrote:
> 
>>>>>> Steinar Bang :
> 
>>>>>> lenny-5o6p1tln9c5dpfhejli6iq-xmd5yjdbdmrexy1tmh2...@public.gmane.org:
>>> Hi,
>>> I believe this will be fixed in 2.0.1
>>> See https://github.com/apache/shiro/issues/1383 
>>> <https://github.com/apache/shiro/issues/1383> for details.
> 
>> Ah, thanks!
> 
>> I will hold off switching from 1.13.0 until 2.0.1 is out.
> 
> Just tried a snapshot built from the current main and the fix still
> don't work for me: the test expecting 403 gets 401 and the test
> expecting 401 gets 403.
> 
> The test expecting 403 uses a logged in user without the the required role:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L127
> 
> The test expecting 401 has no user logged in:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L147
> 
> I put more info in a comment on issue 1383:
> https://github.com/apache/shiro/issues/1383#issuecomment-2121189462
> 

Re: Shiro 2.0.1 release

[lenny]

Can’t we just remove versions from the OSGi manifests somehow?
Or make it “servlet 2.x or greater”? I would think this would be the easiest 
solution :)

Definitely move to jakarta.* in 3.x timeframe, but that’s long ways off :)

> On Apr 30, 2024, at 1:51 AM, Francois Papon  
> wrote:
> 
> I can see only the jakarta dependencies and version stuff for OSGi related to 
> this discussion:
> 
> https://github.com/apache/shiro/issues/1324
> 
> I will try to take a look today but I'm afraid that the best will be to move 
> all to jakarta in the source code and dependencies, or to have a new 
> decidated module.
> 
> We should remove all javax dependencies in the next major version (3.x?).
> 
> Welcome to the javax/jakarta nightmare...
> 
> regards,
> 
> François
> 
> On 30/04/2024 03:37, le...@flowlogix.com wrote:
>> What do we do about outstanding issues though?
>> Some more serious (OSGi?)
>> 
>>> On Apr 29, 2024, at 9:23 AM, Jean-Baptiste Onofré  wrote:
>>> 
>>> It sounds good to me.
>>> 
>>> Regards
>>> JB
>>> 
>>> On Sun, Apr 28, 2024 at 8:39 PM  wrote:
 Hi,
 
 Looks like we are starting go get multiple issues submitted that are 
 already slated to be fixed in 2.0.1
 I am thinking to release 2.0.1 sooner rather than later.
 
 However, there are a few outstanding issues: 
 https://github.com/apache/shiro/milestone/7 
 
 
 Can you guys look at those 3 issues and advise?
 Especially https://github.com/apache/shiro/issues/1025 
  ?
 I think we can safely move https://github.com/apache/shiro/issues/953 
  to 2.0.2 or alter.
> 

Re: Shiro 2.0.1 release

[lenny]

What do we do about outstanding issues though?
Some more serious (OSGi?)

> On Apr 29, 2024, at 9:23 AM, Jean-Baptiste Onofré  wrote:
> 
> It sounds good to me.
> 
> Regards
> JB
> 
> On Sun, Apr 28, 2024 at 8:39 PM  wrote:
>> 
>> Hi,
>> 
>> Looks like we are starting go get multiple issues submitted that are already 
>> slated to be fixed in 2.0.1
>> I am thinking to release 2.0.1 sooner rather than later.
>> 
>> However, there are a few outstanding issues: 
>> https://github.com/apache/shiro/milestone/7 
>> 
>> 
>> Can you guys look at those 3 issues and advise?
>> Especially https://github.com/apache/shiro/issues/1025 
>>  ?
>> I think we can safely move https://github.com/apache/shiro/issues/953 
>>  to 2.0.2 or alter.
> 

Shiro 2.0.1 release

[lenny]

Hi,

Looks like we are starting go get multiple issues submitted that are already 
slated to be fixed in 2.0.1
I am thinking to release 2.0.1 sooner rather than later.

However, there are a few outstanding issues: 
https://github.com/apache/shiro/milestone/7 


Can you guys look at those 3 issues and advise?
Especially https://github.com/apache/shiro/issues/1025 
 ?
I think we can safely move https://github.com/apache/shiro/issues/953 
 to 2.0.2 or alter.

Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

[lenny]

Hi,

I believe this will be fixed in 2.0.1
See https://github.com/apache/shiro/issues/1383 
 for details.

> On Apr 28, 2024, at 10:03 AM, Steinar Bang  wrote:
> 
> I'm trying to switch from shiro 1.13.0 to shiro 2.0.0 and I'm running
> into test failures in my tests of jersey JAX-RS resources.
> 
> I am getting 401 Unauthorized responses where I'm expecting 403
> Forbidden (accessing rest endpoint with a logged in user without the
> required role) and I'm getting UnauthenticatedException where I'm
> expecting a 401 Unauthorized response.
> 
> Here is an example test expecting 403 but getting 401:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L127
> 
> Here is an example test expecting 401 but getting UnauthenticatedException:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L147
> 
> Here is the shiro-jaxrs annotated jersey resource:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/test/resources/ProtectedHelloResource.java#L13
> 
> Is there a way for me to get the old behaviour?
> 
> I.e. get the same behaviour I had with shiro-jaxrs for shiro 1.13.0?
> 
> Thanks!
> 
> 
> - Steinar
> 

Re: get the authenticated user in spring controller method

[lenny]

He Principal type depends on the Realm that you are using.
The Principal type of Map is for example purposes only.
In your code, you would substitute the type passed into byType() method with 
the appropriate type.
Or you can use Subject.getPrincipal() that returns Object type and cast to 
appropriate type manually.

> On Apr 13, 2024, at 12:50 PM, Helge Wiemann  wrote:
> 
> Hi,
> 
> thanks for the sample code.
> 
> But I questions because I got some problems to understand the code:
> 
> 
> Collection principalMaps = subject.getPrincipals().byType(Map.class);
> if (CollectionUtils.isEmpty(principalMaps)) {
> name = subject.getPrincipal().toString();
> } else {
> name = (String) 
> principalMaps.iterator().next().get("username");
> }
> 
> 
> When the map of the principals is empty, why and how do I get then the logged 
> user by getPrincipal? I would expect that a call of getPrincipal() is null 
> because the map is empty.
> 
> When the map is not empty, I got the first entry of the map as principal. But 
> for instance three users are logged in, how do I got the correct one out of 
> the map?
> 
> 
> Am 13.04.2024 um 17:53 schrieb le...@flowlogix.com:
>> Hi,
>> 
>> Take a look at Shiro’s SpringBoot 3 example.
>> This should get your started: 
>> https://github.com/apache/shiro/blob/main/samples/spring-boot-3-web/src/main/java/org/apache/shiro/samples/HelloController.java
>>  
>> 
>> 
>> Let us know if you have any further questions.
>> 
>>> On Apr 13, 2024, at 10:29 AM, Helge Wiemann  wrote:
>>> 
>>> Hi all,
>>> 
>>> I am quite new to Shiro and currently moving from Spring Security to Shiro.
>>> 
>>> 
>>> One question: After a user is successfully authenticated and authorized, 
>>> what is the best way to get the user in a Spring controller method?
>>> 
>>> With used Spring Security it was something like that:
>>> 
>>> publicModelAndView 
>>> index(*@AuthenticationPrincipalUsernamePasswordAuthenticationTokenauthenticatedUser*,
>>> 
>>> HttpServletRequest request, HttpServletResponse response) throwsIOException 
>>> {
>>> 
>>> 
>>> Best regards,
>>> 
>>> 
>>> Helge
>>> 
>> 
> 

Re: get the authenticated user in spring controller method

[lenny]

Hi,

Take a look at Shiro’s SpringBoot 3 example.
This should get your started: 
https://github.com/apache/shiro/blob/main/samples/spring-boot-3-web/src/main/java/org/apache/shiro/samples/HelloController.java
 


Let us know if you have any further questions.

> On Apr 13, 2024, at 10:29 AM, Helge Wiemann  wrote:
> 
> Hi all,
> 
> I am quite new to Shiro and currently moving from Spring Security to Shiro.
> 
> 
> One question: After a user is successfully authenticated and authorized, what 
> is the best way to get the user in a Spring controller method?
> 
> With used Spring Security it was something like that:
> 
> publicModelAndView 
> index(*@AuthenticationPrincipalUsernamePasswordAuthenticationTokenauthenticatedUser*,
> 
> HttpServletRequest request, HttpServletResponse response) throwsIOException {
> 
> 
> Best regards,
> 
> 
> Helge
> 

Re: [Discussion] Future version support of Java and Jakarta EE in Shiro

[lenny]

I see… Spring Framework isn’t EOL until sometime this year though (soon),
do you plan to use commercial support to extend its life?
Or just plan to see how long you can “take” the staleness before upgrading to 
Jakarta namespace?

Thanks for the great feedback, it’s very valuable.

> On Apr 4, 2024, at 4:50 PM, Steve Lopez via user  
> wrote:
> 
> Spring MVC 5.3 
> Combination of legacy JSP, JSTL, Thymeleaf and JSF/Tiles  (that probably begs 
> questions;  multiple apps developed over several decades and limited 
> resources to address tech debt)
> A number of 3rd party library dependencies;  some having migrated to 
> Jakarta-EE and some not (yet)
> I've considered migrating to Spring Boot but don't see the cost/benefit given 
> we don't use embedded Tomcat
> 
> On Thu, Apr 4, 2024 at 5:26 PM Lenny Primak  <mailto:le...@flowlogix.com>> wrote:
> Thanks for your feedback. 
> What’s the rest of your stack look like?
> If you are using Spring how is the lack of support for Spring 2 handled?
> Or do you use something else?. JSF? Vaadin?
> 
>> On Apr 4, 2024, at 3:57 PM, Steve Lopez via user > <mailto:u...@shiro.apache.org>> wrote:
>> 
>> 
>> I would be curious how many shiro projects are still on Tomcat 9 given the 
>> heavy lift to migrate to Jakarta-EE. 
>> 
>> We're on Java 17, Tomcat 9 & Shiro 1.13.   While we plan to migrate to 
>> Jakarta-EE (and Tomcat 10) it'll likely be at least a year before it can fit 
>> in the roadmap.   So we would need to stay on Shiro 2 (javax) if Shiro 3 
>> were to come out before that timeframe and it didn't support shading. 
>> 
>> On Thu, Apr 4, 2024 at 4:42 PM > <mailto:le...@flowlogix.com>> wrote:
>> Looks like just one comment so far
>> 
>> > On Apr 4, 2024, at 9:48 AM, Jean-Baptiste Onofré > > <mailto:j...@nanthrax.net>> wrote:
>> > 
>> > Hi Lenny,
>> > 
>> > Did you receive comments on this thread ?
>> > 
>> > Regards
>> > JB
>> > 
>> > On Fri, Mar 15, 2024 at 5:10 AM > > <mailto:le...@flowlogix.com>> wrote:
>> >> 
>> >> Hi,
>> >> 
>> >> Since Shiro 2.0-alpha and 2.0 Final has been released, most, if not all 
>> >> questions we have been getting are about Jakarta EE integration.
>> >> Mostly regarding shaded artifacts and their usage, i.e. jakarta.* 
>> >> namespace.
>> >> These and other discussion warrant a few question worth discussing.
>> >> Please keep in mind by the time Shiro 3.x is released, it could be 2025 
>> >> or later.
>> >> 
>> >> 1) How long should Shiro 1.x be maintained?
>> >> Not at all? 6 months? 1 year? 2 years? Other?
>> >> 
>> >> 2) Should Shiro 3 support javax.* namespace via shading at all?
>> >> Not at all (drop support?) As shaded artifact? As different version 
>> >> (shiro-core:3.0-javax)?
>> >> 
>> >> 3) Should Shiro 3 support SpringBoot 2.x or drop support for SB 2.x at 
>> >> all (requires dropping support for javax namespace)
>> >> 
>> >> 4) What’s the minimum Java version?
>> >> Keep it at 11? Switch to 17 (both SpringBoot 3.x and Jakarta EE 11 
>> >> require 17+)? Switch to 17? Switch to 21 as minimum version?
>> >> 
>> >> Any other issues?
>> >> 
>> > 
>> 

Re: [Discussion] Future version support of Java and Jakarta EE in Shiro

[lenny]

Looks like just one comment so far

> On Apr 4, 2024, at 9:48 AM, Jean-Baptiste Onofré  wrote:
> 
> Hi Lenny,
> 
> Did you receive comments on this thread ?
> 
> Regards
> JB
> 
> On Fri, Mar 15, 2024 at 5:10 AM  wrote:
>> 
>> Hi,
>> 
>> Since Shiro 2.0-alpha and 2.0 Final has been released, most, if not all 
>> questions we have been getting are about Jakarta EE integration.
>> Mostly regarding shaded artifacts and their usage, i.e. jakarta.* namespace.
>> These and other discussion warrant a few question worth discussing.
>> Please keep in mind by the time Shiro 3.x is released, it could be 2025 or 
>> later.
>> 
>> 1) How long should Shiro 1.x be maintained?
>> Not at all? 6 months? 1 year? 2 years? Other?
>> 
>> 2) Should Shiro 3 support javax.* namespace via shading at all?
>> Not at all (drop support?) As shaded artifact? As different version 
>> (shiro-core:3.0-javax)?
>> 
>> 3) Should Shiro 3 support SpringBoot 2.x or drop support for SB 2.x at all 
>> (requires dropping support for javax namespace)
>> 
>> 4) What’s the minimum Java version?
>> Keep it at 11? Switch to 17 (both SpringBoot 3.x and Jakarta EE 11 require 
>> 17+)? Switch to 17? Switch to 21 as minimum version?
>> 
>> Any other issues?
>> 
> 

[Discussion] Future version support of Java and Jakarta EE in Shiro

[lenny]

Hi,

Since Shiro 2.0-alpha and 2.0 Final has been released, most, if not all 
questions we have been getting are about Jakarta EE integration.
Mostly regarding shaded artifacts and their usage, i.e. jakarta.* namespace.
These and other discussion warrant a few question worth discussing.
Please keep in mind by the time Shiro 3.x is released, it could be 2025 or 
later.

1) How long should Shiro 1.x be maintained?
Not at all? 6 months? 1 year? 2 years? Other?

2) Should Shiro 3 support javax.* namespace via shading at all?
Not at all (drop support?) As shaded artifact? As different version 
(shiro-core:3.0-javax)?

3) Should Shiro 3 support SpringBoot 2.x or drop support for SB 2.x at all 
(requires dropping support for javax namespace)

4) What’s the minimum Java version?
Keep it at 11? Switch to 17 (both SpringBoot 3.x and Jakarta EE 11 require 
17+)? Switch to 17? Switch to 21 as minimum version?

Any other issues?

Re: 2024 March Board Report Draft

[lenny]

LGTM.
Thank you!

> On Mar 12, 2024, at 9:30 PM, Brian Demers  wrote:
> 
> The 2024 March ASF board report is due tomorrow.  I've created an initial
> draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2024-03.txt
> 
> Of note, the GitHub reporter statistics were not working, so this section
> is empty.
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will be
> submitted tomorrow.
> 
> Thanks,
> -Brian

Re: [DISCUSS] Jakarta

[lenny]

Although I find the idea of top-level packages intriguing, I still think that 
we should just rip the band-aid off
and go with Jakarta full-bore.
This is due to SpringBoot dropping support for Java EE 8 mostly, but also for 
the goodness of Jakarta EE 11.

> On Mar 11, 2024, at 10:52 AM, Brian Demers  wrote:
> 
> Major / Minor discussions are always fun.
> My personal preference would be to try to label it a 2.1 (but given the
> package name differences javax/jakarta that _might_ not be possible)
> 
> Maybe we could default to the jakarta versions and move the classifier
> version to javax, in a 2.1?
> 
> Or maybe create some _top level_ convenience packages that wrap the
> complexities includes/excludes/bom? e.g. shiro-web-jakarta (or
> shiro-web-javax)
> This removes some of the dependency resolution issues when dealing with
> classifiers. Though, it's not a great long term solution, it may cause
> confusion when we drop that artifact later on. (and it prevents automated
> tools, like dependabot from notifying users of newer versions.)
> 
> Or... rip the band-aid off and just support Jakarta moving forward.
> 
> 
> On Mon, Mar 11, 2024 at 9:17 AM Francois Papon 
> wrote:
> 
>> Hi,
>> 
>> As we released the Shiro 2.0.0 major version, we have more and more
>> users that are trying to migrate and have some jakarta issues.
>> 
>> I think it would be nice if we create a new version 2.1.x or 3.x with no
>> jakarta classifiers and having jakarta import package in the source code.
>> 
>> Thoughts?
>> 
>> regards,
>> 
>> François
>> 
>> 

Re: How is order from the [url] section preserved?

[lenny]

Without looking at the code, I would guess it’s stored in LinkedHashMap, which 
keeps track of the order,
however, there are other map structures that keep order as well.

> On Mar 7, 2024, at 1:31 PM, Steinar Bang  wrote:
> 
> I know from experience that the order of the [url] setion of the
> shiro.ini file is significant: earlier entries will override entries
> further down.
> 
> What I'm unable to see, is how that order is preserved in shiro?
> 
> As far as I can tell the entries of the [url] section are iterated over
> here
> https://github.com/apache/shiro/blob/main/web/src/main/java/org/apache/shiro/web/config/IniFilterChainResolverFactory.java#L159
> 
> And then FilterManager.addFilter() is called in the iteration order.
> 
> And when iterating over a Map.entrySet() the order is undefined. The
> order is left to the internal implementation of the map.
> 
> So how is the order of the [url] section preserved?
> 
> Just curious? (as well as trying to figure out how I can
> programmatically modify the filters of the [url] section at runtime)
> 
> Thanks!
> 
> 
> - Steinar
> 

Re: Possible to programmatically open URLs

[Lenny Primak]

Hi, 
What I think you are asking is hybrid configuration. You would have to override 
WebEnvironment class. I believe this is well documented already 

> On Mar 4, 2024, at 4:05 PM, Steinar Bang  wrote:
> 
> 
>> 
>>>>>> Lenny Primak :
> 
>> Have you actually tried it?  It’s unusual but should work if I understand 
>> your example correctly
> 
> Oh the shiro.ini example as shown will work, no problem.
> 
> But I don't want to set the access of /album/picture1 and
> /album/picture2 in the shiro.ini
> 
> What I want to do is to have a shiro.ini like so:
> 
> [urls]
> / = anon
> /api/** = anon
> /album/** = authc
> 
> And then I would like to *programatically* set anon access on
> /album/picture1 and /album/picture2.
> 

Re: Possible to programmatically open URLs

[Lenny Primak]

Have you actually tried it?  It’s unusual but should work if I understand your 
example correctly 

> On Mar 4, 2024, at 2:08 PM, Steinar Bang  wrote:
> 
> If I have a shiro.ini like so:
> 
> [main]
> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
> shiro.loginUrl = /login
> shiro.unauthorizedUrl = /unauthorized
> 
> [users]
> 
> [urls]
> / = anon
> /api/** = anon
> /album/** = authc
> 
> Ie. /album/ requires a login.
> 
> Is it then possible to programmatically add anon access to children of 
> /album/?
> 
> I.e. can I programmatically do the equivalent of the following?
> 
> [urls]
> / = anon
> /api/** = anon
> /album/picture1 = anon
> /album/picture2 = anon
> /album/** = authc
> 
> I have tried to google but I haven't found any examples of how to do
> it.  It should be possible since e.g. the shiro-jaxrs code does
> something similar?
> 
> Thanks!
> 
> 
> - Steinar
> 

[RESULT][VOTE] Apache Shiro 2.0.0 release

[lenny]

Hi, This vote passed with the following result: 
+1 (binding): Lenny Primak, Jean-Baptiste Onofre, Benjamin Marwell, François 
Papon
+1 (non-binding): Jakub Herkel

I'm promoting the artifacts on Central and dist.apache.org 
<http://dist.apache.org/>
I will then announce the release.
Thanks all for your vote! 

Re: [VOTE] Release Apache Shiro 2.0.0

[lenny]

Lenny Primak: +1 (binding)

> On Feb 20, 2024, at 3:35 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 2.0.0
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1059 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1059>
> https://repository.apache.org/content/repositories/orgapacheshiro-1059/org/apache/shiro/shiro-root/2.0.0/shiro-root-2.0.0-source-release.zip
>  
> <https://repository.apache.org/content/repositories/orgapacheshiro-1059/org/apache/shiro/shiro-root/2.0.0/shiro-root-2.0.0-source-release.zip>
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html 
> <http://maven.apache.org/guides/development/guide-testing-releases.html>
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/untagged-88099e52127a4abffeb9 
> <https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0>
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

Re: How is the shiro-jaxrs magic supposed to work with JAX-RS in the OSGi web whiteboard?

[lenny]

Ok,

I am glad it worked out.

> On Feb 8, 2024, at 1:50 PM, Steinar Bang  wrote:
> 
>> Steinar Bang :
> 
>> I'm using an OSGi Web Whiteboard component
>> https://github.com/steinarb/oldalbum/blob/e8dbf374c6132694f0ad7c0d4026def355d5514e/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33
> 
>> that derives from JerseyServlet, which is written by me:
>> https://github.com/steinarb/servlet/blob/9cce8e033e63a23585ddb868e5af5ec2a1ba9be0/servlet/servlet.jersey/src/main/java/no/priv/bang/servlet/jersey/JerseyServlet.java#L48
> 
>> which in turn derives from the Jersey ServletContainer class, and in the
>> init() method adds injected OSGi services to the HK2 dependency
>> injection container, so that they can be injected into JAX-RS resource
>> classes:
>> https://github.com/steinarb/servlet/blob/9cce8e033e63a23585ddb868e5af5ec2a1ba9be0/servlet/servlet.jersey/src/main/java/no/priv/bang/servlet/jersey/JerseyServlet.java#L85
> 
>> I have written this myself and figured I had a pretty good handle on how
>> stuff is handled, but the JAX-RS Application and the
>> Application.getClasses() methods are new to me.
> 
> Ok, I've got it working by adding the following method to 
> OldAlbumWebApiServlet:
>   @Override
>   protected void init(WebConfig webConfig) throws ServletException {
>   super.init(webConfig);
>   var copyOfExistingConfig = new ResourceConfig(getConfiguration());
>   copyOfExistingConfig.register(ShiroFeature.class);
>   reload(copyOfExistingConfig);
>   }
> 
> The org.glassfish.jersey.server.ResourceConfig class extends the
> javax.ws.rs.core.Application class.
> 
> After this I got 401 from the Rest API endpoint after clearing cookies,
> and 200 OK when logged in.
> 
> I'll summarize with a new post on the 2 year old thread "Shiro: possible
> to configure part of the unauthenticated URLs to return 401 instead
> 302?" when I've finished.
> 

Re: 2023 December Board Report Draft

[lenny]

LGTM. Thank you!

> On Dec 12, 2023, at 12:17 PM, Brian Demers  wrote:
> 
> The 2023 December ASF board report is due tomorrow.  I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2023-12.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will
> be submitted tomorrow.
> 
> Thanks,
> -Brian
> 

[ANNOUNCE] Apache Shiro 2.0.0-alpha-4 with fix CVE-2023-46750

[lenny]

The Apache Shiro team is pleased to announce the release of Apache Shiro 
version 2.0.0-alpha-4

Apache Shiro is a powerful and easy-to-use Java security framework that 
performs authentication, authorization, cryptography, and session 
management. With Shiro’s easy-to-understand API, you can quickly and 
easily secure any application – from the smallest mobile applications to 
the largest web and enterprise applications.

# This is a feature release for 2.x. All changes:
https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0-alpha-4

# CVE-2023-46750:

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when 
"form" authentication is used in Apache Shiro.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

# Download and verification instructions are available on our download page:

https://shiro.apache.org/download.html

# For more information on Shiro, please read the documentation:

https://shiro.apache.org/documentation.html


Enjoy!

The Apache Shiro Team

[RESULT][VOTE] Apache Shiro 2.0.0-alpha-4 release

[lenny]

Hi,
This vote passed with the following result:

+1 (binding): Jean-Baptiste Onofre, Benjamin Marwell, François Papon, Lenny 
Primak

I'm promoting the artifacts on Central and dist.apache.org, I will then 
announce the release. 

 Thanks all for your vote!

Re: [SUCCESS][VOTE] Release Apache Shiro 2.0.0-alpha-4

[lenny]

2.0.0-alpha-4 has been published!

Thank you everyone!

> On Nov 9, 2023, at 4:00 AM, Benjamin Marwell  wrote:
> 
> +1
> 
> 
>
> 
> On Tue, 7 Nov 2023, 23:56 ,  > wrote:
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-4
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1057 
> 
> https://repository.apache.org/content/repositories/orgapacheshiro-1057/org/apache/shiro/shiro-root/2.0.0-alpha-4/shiro-root-2.0.0-alpha-4-source-release.zip
>  
> 
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-4 
> 
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/ 
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html 
> 
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0-alpha-4 
> 
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-4

[lenny]

Lenny Primak: +1

> On Nov 7, 2023, at 4:55 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-4
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1057
> https://repository.apache.org/content/repositories/orgapacheshiro-1057/org/apache/shiro/shiro-root/2.0.0-alpha-4/shiro-root-2.0.0-alpha-4-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-4
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html 
> <http://maven.apache.org/guides/development/guide-testing-releases.html>
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0-alpha-4
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-4

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-4

Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1057
https://repository.apache.org/content/repositories/orgapacheshiro-1057/org/apache/shiro/shiro-root/2.0.0-alpha-4/shiro-root-2.0.0-alpha-4-source-release.zip

Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-4

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html 


Release Notes:
https://github.com/apache/shiro/releases/tag/shiro-root-2.0.0-alpha-4

Vote open for 72 hours. 

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Re: [VOTE] Apache Shiro 1.13.0 release (#2)

[lenny]

Lenny Primak: +1

Thank you!!!

> On Oct 31, 2023, at 4:13 AM, fpapon  wrote:
> 
> Hi everyone,
> 
> I submit Apache Shiro 1.13.0 release to your vote.
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/shiro-root-1.13.0
> 
> Staging Maven repository:
> https://repository.apache.org/content/repositories/orgapacheshiro-1056
> 
> Staging dist repository:
> https://dist.apache.org/repos/dist/dev/shiro/
> 
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> -- 
> --
> François
> 
> 

Re: [VOTE] Apache Shiro 1.13.0 release

[lenny]

Lenny Primak: -1
Patches unfortunately were not cherry-picked (discussed in the security slack)

> On Oct 29, 2023, at 5:47 AM, fpapon  wrote:
> 
> Hi everyone,
> 
> I submit Apache Shiro 1.13.0 release to your vote.
> 
> Release Notes:
> https://github.com/apache/shiro/releases/tag/untagged-f9fada1d9554474d63b5
> 
> Staging Maven repository:
> https://repository.apache.org/content/repositories/orgapacheshiro-1054
> 
> Staging dist repository:
> https://dist.apache.org/repos/dist/dev/shiro/
> 
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> -- 
> --
> François
> 
> 

Re: Jenkins vs GitHub Actions

[lenny]

I (personal opinion) like Jenkins better. I like Groovy DSL better than YAML 
configuration,
I like the fact that you can manage your own instances as agents, I like that 
it’s Java-based, etc. etc.
I would like to keep Jenkins.

> On Oct 29, 2023, at 4:05 AM, fpapon  wrote:
> 
> Hi all,
> 
> As we moved from Jira to Github issue and as we already have Github actions 
> workflow, I would like to start a thread to discuss about the ASF Jenkins.
> 
> From my side, I think that we can deprecated the Jenkins and only use Github 
> actions to validate the PR and the main/branch builds.
> 
> We will have only one place to manage the project and it will be easier for 
> the users to contribute.
> 
> Thoughts?
> 
> regards,
> 
> -- 
> --
> François
> 
> 

Re: 2023 September Board Report Draft

[lenny]

Looks great, thanks!

> On Sep 12, 2023, at 3:53 PM, Brian Demers  wrote:
> 
> The 2023 September ASF board report is due tomorrow.  I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2023-09.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will be
> submitted tomorrow.
> 
> NOTE:  I left a comment in the report about the stats being harder to track
> this quarter.  If anyone has any suggestions on how to better capture
> quarterly GitHub statistics let me know!
> 
> Thanks,
> -Brian

[SUCCESS][VOTE] Release Apache Shiro 2.0.0-alpha-3 (take 2)

[lenny]

Shiro 2.0.0-alpha-3 will be scheduled for release to maven central.
Thank you!

Vote Summary:

François Papon: +1
Jean-Babtiste Onofré: +1
Lenny Primak: +1

> On Jul 27, 2023, at 1:13 AM, Jean-Baptiste Onofré  wrote:
> 
> +1 (binding)
> 
> Regards
> JB
> 
> On Wed, Jul 26, 2023 at 10:13 AM Francois Papon
>  wrote:
>> 
>> +1 (binding)
>> 
>> Thanks Lenny!
>> 
>> regards,
>> 
>> François
>> 
>> On 25/07/2023 23:28, le...@flowlogix.com wrote:
>>> This is a call to vote in favor of releasing Apache Shiro version 
>>> 2.0.0-alpha-3
>>> 
>>> Maven Staging repo:
>>> https://repository.apache.org/content/repositories/orgapacheshiro-1053
>>> https://repository.apache.org/content/repositories/orgapacheshiro-1053/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
>>> 
>>> Dist Staging Repository:
>>> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
>>> 
>>> Project website (just for informational purposes, not to be voted upon):
>>> http://shiro.apache.org/
>>> 
>>> Guide to testing staged releases:
>>> http://maven.apache.org/guides/development/guide-testing-releases.html
>>> 
>>> Vote open for 72 hours.
>>> 
>>> [ ] +1
>>> [ ] +0
>>> [ ] -1 (please include reasoning)
>>> 
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-3 (take 2)

[lenny]

Release Notes:

   Release Notes - Shiro - Version 2.0.0-alpha-3

* New Contributors:
- Edgar Ramirez Fuentes

* New Features:
[#943] replace logback with log4j
[#947] rewrite java tests to Junit-Jupiter
[GH-904] Add Spring 6-related exclusions to Shiro BOM
enh: added JPMS module names to JAR manifests
[GH-891] Added Spring Boot 3 example application

* Security Fixes
Adds improved path filter

* Bug Fixes:
enh(jakarta-ee): added form resubmit retry logic in case internal 
authentication fails
[#942] Fix flaky test; update snakeyaml for test app
OpenLiberty/ci.maven#1700: use fat application for now
bugfix(hazelcast): updated hazelcast OSGi import to version 5
upgrade m-bundle-p: solves last Reproducible Builds issue
bugfix(hasher): fixed logging framework dependencies

* Large number of dependency updates

> On Jul 25, 2023, at 4:28 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-3
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1053
> https://repository.apache.org/content/repositories/orgapacheshiro-1053/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-3 (take 2)

[lenny]

Lenny Primak: +1

> On Jul 25, 2023, at 4:28 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-3
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1053
> https://repository.apache.org/content/repositories/orgapacheshiro-1053/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-3 (take 2)

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-3

Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1053
https://repository.apache.org/content/repositories/orgapacheshiro-1053/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip

Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. 

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

[FAIL][VOTE] Release Apache Shiro 2.0.0-alpha-3

[lenny]

Since the release, we had a couple of issues:
- Hasher tool is broken
- CVE update was not actually applied (now fixed in main)

I will pull this release and create a new one ASAP

> On Jul 23, 2023, at 3:30 PM, le...@flowlogix.com wrote:
> 
> Release Notes:
> 
>Release Notes - Shiro - Version 2.0.0-alpha-3
> 
> * New Contributors:
> - Edgar Ramirez Fuentes
> 
> * New Features:
> [#943] replace logback with log4j
> [#947] rewrite java tests to Junit-Jupiter
> [GH-904] Add Spring 6-related exclusions to Shiro BOM
> enh: added JPMS module names to JAR manifests
> [GH-891] Added Spring Boot 3 example application
> 
> 
> * Bug Fixes:
> enh(jakarta-ee): added form resubmit retry logic in case internal 
> authentication fails
> [#942] Fix flaky test; update snakeyaml for test app
> OpenLiberty/ci.maven#1700: use fat application for now
> bugfix(hazelcast): updated hazelcast OSGi import to version 5
> upgrade m-bundle-p: solves last Reproducible Builds issue
> 
> * Large number of dependency updates
> 
> 
>> On Jul 21, 2023, at 3:21 PM, le...@flowlogix.com wrote:
>> 
>> Lenny Primak: +1
>> 
>>> On Jul 21, 2023, at 3:20 PM, le...@flowlogix.com wrote:
>>> 
>>> This is a call to vote in favor of releasing Apache Shiro version 
>>> 2.0.0-alpha-3
>>> 
>>> Maven Staging repo:
>>> https://repository.apache.org/content/repositories/orgapacheshiro-1052
>>> https://repository.apache.org/content/repositories/orgapacheshiro-1052/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
>>> 
>>> Dist Staging Repository:
>>> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
>>> 
>>> Project website (just for informational purposes, not to be voted upon):
>>> http://shiro.apache.org/
>>> 
>>> Guide to testing staged releases:
>>> http://maven.apache.org/guides/development/guide-testing-releases.html
>>> 
>>> Vote open for 72 hours. 
>>> 
>>> [ ] +1
>>> [ ] +0
>>> [ ] -1 (please include reasoning)
>>> 
>>> 
>> 
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-3

[lenny]

Release Notes:

Release Notes - Shiro - Version 2.0.0-alpha-3

* New Contributors:
- Edgar Ramirez Fuentes

* New Features:
[#943] replace logback with log4j
[#947] rewrite java tests to Junit-Jupiter
[GH-904] Add Spring 6-related exclusions to Shiro BOM
enh: added JPMS module names to JAR manifests
[GH-891] Added Spring Boot 3 example application


* Bug Fixes:
enh(jakarta-ee): added form resubmit retry logic in case internal 
authentication fails
[#942] Fix flaky test; update snakeyaml for test app
OpenLiberty/ci.maven#1700: use fat application for now
bugfix(hazelcast): updated hazelcast OSGi import to version 5
upgrade m-bundle-p: solves last Reproducible Builds issue


 
* Large number of dependency updates


> On Jul 21, 2023, at 3:21 PM, le...@flowlogix.com wrote:
> 
> Lenny Primak: +1
> 
>> On Jul 21, 2023, at 3:20 PM, le...@flowlogix.com wrote:
>> 
>> This is a call to vote in favor of releasing Apache Shiro version 
>> 2.0.0-alpha-3
>> 
>> Maven Staging repo:
>> https://repository.apache.org/content/repositories/orgapacheshiro-1052
>> https://repository.apache.org/content/repositories/orgapacheshiro-1052/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
>> 
>> Dist Staging Repository:
>> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
>> 
>> Project website (just for informational purposes, not to be voted upon):
>> http://shiro.apache.org/
>> 
>> Guide to testing staged releases:
>> http://maven.apache.org/guides/development/guide-testing-releases.html
>> 
>> Vote open for 72 hours. 
>> 
>> [ ] +1
>> [ ] +0
>> [ ] -1 (please include reasoning)
>> 
>> 
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-3

[lenny]

Lenny Primak: +1

> On Jul 21, 2023, at 3:20 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-3
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1052
> https://repository.apache.org/content/repositories/orgapacheshiro-1052/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-3

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-3

Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1052
https://repository.apache.org/content/repositories/orgapacheshiro-1052/org/apache/shiro/shiro-root/2.0.0-alpha-3/shiro-root-2.0.0-alpha-3-source-release.zip

Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-3

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. 

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Re: Apache Shiro Vulnerabilities

[lenny]

Hi, Mihir,

I am not quite sure what you are asking. Can you clarify what exact 
vulnerabilities you are referring to?
Perhaps a link or two?

Thank you

> On Jul 18, 2023, at 7:39 AM, Mihir Chhaya  wrote:
> 
> Hello,
> 
> I see the Authentication bypass vulnerability existing in almost every 
> release of the Apache Shiro.
> 
> Is there any solution for this? We are evaluating the options to implement 
> the security and not able to decide if these vulnerabilities will ever get 
> resolved.
> 
> Any suggestions?
> 
> Thank you,
> -Mihir.

Re: 2023 June Board Report Draft

[Lenny Primak]

LGTM 
Thanks Brian

> On Jun 14, 2023, at 2:12 PM, Brian Demers  wrote:
> 
> The 2023 June ASF board report is due today (sorry for the late notice).
> I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2023-06.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will
> be submitted tonight.
> 
> 
> Thanks,
> -Brian

Re: [Discuss] Move Shiro from JIRA to GitHub Issues

[lenny]

Thank you!

> On May 27, 2023, at 2:47 AM, Benjamin Marwell  wrote:
> 
> Since we all agreed here, I will now open the GitHub issues and discussions
> in the next few days. If you're faster than me, feel welcome to do it
> earlier. 
> 
> - Ben
> 
> 
> 
> 
> On Thu, 27 Apr 2023, 14:39 Benjamin Marwell,  wrote:
> 
>> +1 for starting fresh.
>> Since github is easier to get to, we will soon have enough issues to work
>> on. ;-)
>> 
>> 
>> Am Mi., 26. Apr. 2023 um 17:31 Uhr schrieb Colm O hEigeartaigh <
>> cohei...@apache.org>:
>> 
>>> +1, especially since new users having to manually be approved to signup
>>> to JIRA.
>>> 
>>> Colm.
>>> 
>>> On Wed, Apr 26, 2023 at 3:38 PM Brian Demers 
>>> wrote:
 
 That's a great point!
 Nothing is stopping us from cutting over to GH now and then figuring out
 the JIRA migration in the future (or not). 樂
 
 
 On Wed, Apr 26, 2023 at 6:23 AM Francois Papon <
>>> francois.pa...@openobject.fr>
 wrote:
 
> Hi Brian,
> 
> Thanks for sharing that!
> 
> I think we could start by making JIRA read-only start fresh in GH, it
> would be the less effort way for us.
> 
> regards,
> 
> François
> 
>> I don't think we need something as complex as this, but some linked
> threads
>> make good points about only needing to search one location to see
> history.
>> 
>> Infra mentioned some projects just mark JIRA read-only and start
>>> fresh in
>> GH.
>> 
>> I'll try to dig through the Arrow migration scripts a bit more and
>>> get a
>> better feel for the complexity/effort involved here.
>> 
>> 
>> If anyone has other thoughts or opinions on the topic, please let us
> know!
>> -Brian
>> 
>> On Wed, Apr 5, 2023 at 9:24 AM Jean-Baptiste Onofré <
>>> j...@nanthrax.net>
> wrote:
>> 
>>> +1 for me, no objections.
>>> 
>>> Regards
>>> JB
>>> 
>>> On Fri, Mar 31, 2023 at 3:40 PM Brian Demers 
> wrote:
 We received a suggestion from the last board report to consider
> switching
 from JIRA to GitHub issues.
 
 The ASF JIRA instance no longer allows users to self-sign-up
>>> (though it
 DOES allow us to invite others). This is largely due to spam.
 Most developers have a GitHub account (and that is where most
>>> folks
 interact with Shiro's code base), and this would meet folks where
>>> they
>>> are,
 as opposed to making them go somewhere else to dig through issues.
 
 Tentative suggestion:
 * Go through existing Shiro JIRA issues and close any issues that
>>> are
> no
 longer relevant.
 * Migrate open issues to GitHub Issues in apache/shiro (linking
>>> back to
>>> the
 JIRA issue)
 * All new issues will only be created in GitHub Issues
 * When an existing JIRA issue is fixed, it will be updated in both
>>> locations
 Potential process changes:
 * Release notes/change logs are currently generated through JIRA.
> (There
 has been some discussion in the ASF Slack about using JReleaser,
>>> which
>>> can
 generate a change log)
 
 NOTE: This is not final; the above text is just to start the
> discussion.
 Feel free to pick holes in the above, suggest changes, or propose
>>> something
 else!
 
 Thoughts and feedback are welcome!
 
 -Brian
> 
>>> 
>> 

[SUCCESS][VOTE] Release Apache Shiro 2.0.0-alpha-2

[lenny]

Hi, 

The vote has passed with the following result: 

+1: François Papon, Jean-Baptiste Onofré, Lenny Primak

PMC quorum: reached 

I will promote the source release zip file to the Apache distribution area and 
the artifacts to the central repo.
Thank you!


> On May 4, 2023, at 4:12 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-2
>  
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1049 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1049>
> https://repository.apache.org/content/repositories/orgapacheshiro-1049/org/apache/shiro/shiro-root/2.0.0-alpha-2/shiro-root-2.0.0-alpha-2-source-release.zip
>  
> <https://repository.apache.org/content/repositories/orgapacheshiro-1049/org/apache/shiro/shiro-root/2.0.0-alpha-2/shiro-root-2.0.0-alpha-2-source-release.zip>
>  
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-2
>  
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>  
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>  
> Vote open for 72 hours. 
>  
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-2

[lenny]

Lenny Primak: +1

> On May 4, 2023, at 5:12 PM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-2
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1049 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1049>
> https://repository.apache.org/content/repositories/orgapacheshiro-1049/org/apache/shiro/shiro-root/2.0.0-alpha-2/shiro-root-2.0.0-alpha-2-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-2
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-2

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-2
 
Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1049 

https://repository.apache.org/content/repositories/orgapacheshiro-1049/org/apache/shiro/shiro-root/2.0.0-alpha-2/shiro-root-2.0.0-alpha-2-source-release.zip
 
Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-2
 
Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/
 
Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html
 
Vote open for 72 hours. 
 
[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Re: [Discuss] Move Shiro from JIRA to GitHub Issues

[lenny]

BIG +1 for me.
Even easier, just have old issues in JIRA and new ones in GH.
Also maybe GH discussions as well?

> On Mar 31, 2023, at 8:40 AM, Brian Demers  wrote:
> 
> We received a suggestion from the last board report to consider switching
> from JIRA to GitHub issues.
> 
> The ASF JIRA instance no longer allows users to self-sign-up (though it
> DOES allow us to invite others). This is largely due to spam.
> Most developers have a GitHub account (and that is where most folks
> interact with Shiro's code base), and this would meet folks where they are,
> as opposed to making them go somewhere else to dig through issues.
> 
> Tentative suggestion:
> * Go through existing Shiro JIRA issues and close any issues that are no
> longer relevant.
> * Migrate open issues to GitHub Issues in apache/shiro (linking back to the
> JIRA issue)
> * All new issues will only be created in GitHub Issues
> * When an existing JIRA issue is fixed, it will be updated in both locations
> 
> Potential process changes:
> * Release notes/change logs are currently generated through JIRA. (There
> has been some discussion in the ASF Slack about using JReleaser, which can
> generate a change log)
> 
> NOTE: This is not final; the above text is just to start the discussion.
> Feel free to pick holes in the above, suggest changes, or propose something
> else!
> 
> Thoughts and feedback are welcome!
> 
> -Brian

Re: 2023 March Board Report Draft

[Lenny Primak]

We also released 1.11.0 in January
Otherwise LGTM

> On Mar 13, 2023, at 5:12 PM, Brian Demers  wrote:
> 
> The 2023 March ASF board report is due soon.  I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2023-03.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will
> be submitted on the 15th.
> 
> NOTE: I feel like I'm missing something, there are a few comments about
> 2.0, but that's huge!
> Is there something else we should add?
> 
> Thanks,
> -Brian

Re: 2023 March Board Report Draft

[lenny]

We also released 1.11.0 in January
Otherwise LGTM

> On Mar 13, 2023, at 5:12 PM, Brian Demers  wrote:
> 
> The 2023 March ASF board report is due soon.  I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2023-03.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will
> be submitted on the 15th.
> 
> NOTE: I feel like I'm missing something, there are a few comments about
> 2.0, but that's huge!
> Is there something else we should add?
> 
> Thanks,
> -Brian

[SUCCESS][VOTE] Release Apache Shiro 2.0.0-alpha-1 (try #2)

[lenny]

Hi, 

The vote has passed with the following result: 

+1: François Papon, Jean-Baptiste Onofré, Lenny Primak

PMC quorum: reached 

I will promote the source release zip file to the Apache distribution area and 
the artifacts to the central repo.
Thank you!

> On Feb 28, 2023, at 1:13 AM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-1 (try #2)
>  
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1047 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1047>
> https://repository.apache.org/content/repositories/orgapacheshiro-1047/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
>  
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-1
>  
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>  
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>  
> Vote open for 72 hours. 
>  
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

[CANCEL][VOTE] Release Apache Shiro 2.0.0-alpha-1 (original)

[lenny]

Vote for the original alpha has been canceled.
Vote for (try #2) is open.

Sorry for the confusion

Re: [VOTE] Release Apache Shiro 2.0.0-alpha-1 (try #2)

[lenny]

Lenny Primak: +1

> On Feb 28, 2023, at 2:13 AM, le...@flowlogix.com wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-1 (try #2)
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1047
> https://repository.apache.org/content/repositories/orgapacheshiro-1047/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-1
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours. 
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-1 (try #2)

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-1 
(try #2)
 
Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1047
https://repository.apache.org/content/repositories/orgapacheshiro-1047/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
 
Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/2.0.0-alpha-1
 
Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/
 
Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html
 
Vote open for 72 hours. 
 
[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

RE: [VOTE] Release Apache Shiro 2.0.0-alpha-1

[lenny]

[Failed]
OmniFaces released a new version that should be included in the alpha.
I will release a new version shortly.

On 2023/02/26 23:12:28 le...@flowlogix.com wrote:
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-1
>  
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1046 
> 
> https://repository.apache.org/content/repositories/orgapacheshiro-1046/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
>  
> 
>  
> Dist Staging Repository:
> https: 
> //dist.apache.org/repos/dist/dev/shiro/
>  2.0.0-alpha-1
>  
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>  
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>  
> Vote open for 72 hours. 
>  
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> 

RE: [VOTE] Release Apache Shiro 2.0.0-alpha-1

[lenny]

Lenny Primak: +1

On 2023/02/26 23:12:28 le...@flowlogix.com wrote:
> This is a call to vote in favor of releasing Apache Shiro version 
> 2.0.0-alpha-1
>  
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1046 
> <https://repository.apache.org/content/repositories/orgapacheshiro-1046>
> https://repository.apache.org/content/repositories/orgapacheshiro-1046/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
>  
> <https://repository.apache.org/content/repositories/orgapacheshiro-1046/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip>
>  
> Dist Staging Repository:
> https: 
> <https://dist.apache.org/repos/dist/dev/shiro/2.0>//dist.apache.org/repos/dist/dev/shiro/
>  <https://dist.apache.org/repos/dist/dev/shiro/2.0>2.0.0-alpha-1
>  
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
>  
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>  
> Vote open for 72 hours. 
>  
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> 

[VOTE] Release Apache Shiro 2.0.0-alpha-1

[lenny]

This is a call to vote in favor of releasing Apache Shiro version 2.0.0-alpha-1
 
Maven Staging repo:
https://repository.apache.org/content/repositories/orgapacheshiro-1046 

https://repository.apache.org/content/repositories/orgapacheshiro-1046/org/apache/shiro/shiro-root/2.0.0-alpha-1/shiro-root-2.0.0-alpha-1-source-release.zip
 

 
Dist Staging Repository:
https: 
//dist.apache.org/repos/dist/dev/shiro/
 2.0.0-alpha-1
 
Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/
 
Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html
 
Vote open for 72 hours. 
 
[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

Re: [VOTE] Set minimal JDK11 for Shiro 2.x

[lenny]

Lenny Primak: +1

> On Jan 20, 2023, at 4:25 AM, fpapon  wrote:
> 
> Hi,
> 
> After several discussion on the mailing, I would like to start a vote to set 
> the minimal version of the JDK to the version 11 starting to Shiro 2.x.
> 
> Vote open for 72 hours:
> 
> [ ] +1 (set JDK11 min version for Shiro 2.x)
> [ ] +0
> [ ] -1 (please include reasoning)
> 
> regards,
> 
> -- 
> --
> François
> 

Proposal: Update minimum Java version for Shiro 2.x to 11

[lenny]

Hi!

Looks like we’ve had some feedback, and I’d like to proceed with this.
MR-Jars seem controversial and not very well supported in WARs and OSGi.

Lenny Primak: +1

Re: [VOTE] Release Apache Shiro 1.11.0

[Lenny Primak]

Lenny Primak: +1 (binding)

Thank you!

> On Jan 7, 2023, at 8:27 PM, Brian Demers  wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 1.11.0.
> 
> NOTE: This is the second attempt at this release, additional fixes
> for SHIRO-889 have been added since the previous attempt.
> 
> We solved 2 Issues:
> 
> https://issues.apache.org/jira/secure/IssueNavigator!executeAdvanced.jspa?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.11.0%20%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1045
> https://repository.apache.org/content/repositories/orgapacheshiro-1045/org/apache/shiro/shiro-root/1.11.0/shiro-root-1.11.0-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/1.11.0/
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours.
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)

Re: [VOTE] Release Apache Shiro 1.11.0

[lenny]

I have finished and merged the PRs that were discovered as a showstopper.
I am ready for another crack at 1.11 now.

Sorry about the false start

> On Jan 7, 2023, at 12:51 PM, le...@flowlogix.com wrote:
> 
> Ugh. Unfortunately, I am going to have to change my vote to -1.
> 
> This due to my own oversight and somehow letting this happen:
> https://github.com/apache/shiro/pull/558#issuecomment-1374416989 
> <https://github.com/apache/shiro/pull/558#issuecomment-1374416989>
> 
> Lenny Primak: -1 (binding)
> 
> On 2023/01/04 00:56:41 Lenny Primak wrote:
> > Lenny Primak: +1
> > 
> > Thank you!!!
> > 
> > > On Jan 3, 2023, at 7:54 PM, Brian Demers  > > <http://apache.org/>> wrote:
> > > 
> > > This is a call to vote in favor of releasing Apache Shiro version 1.11.0.
> > > 
> > > We solved 2 Issues:
> > > 
> > > https://issues.apache.org/jira/secure/IssueNavigator!executeAdvanced.jspa?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.11.0%20%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
> > >  
> > > <https://issues.apache.org/jira/secure/IssueNavigator!executeAdvanced.jspa?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.11.0%20%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC>
> > > 
> > > 
> > > Maven Staging repo:
> > > https://repository.apache.org/content/repositories/orgapacheshiro-1044 
> > > <https://repository.apache.org/content/repositories/orgapacheshiro-1044>
> > > https://repository.apache.org/content/repositories/orgapacheshiro-1044/org/apache/shiro/shiro-root/1.11.0/shiro-root-1.11.0-source-release.zip
> > >  
> > > <https://repository.apache.org/content/repositories/orgapacheshiro-1044/org/apache/shiro/shiro-root/1.11.0/shiro-root-1.11.0-source-release.zip>
> > > 
> > > Dist Staging Repository:
> > > https://dist.apache.org/repos/dist/dev/shiro/1.11.0/ 
> > > <https://dist.apache.org/repos/dist/dev/shiro/1.11.0/>
> > > 
> > > Project website (just for informational purposes, not to be voted upon):
> > > http://shiro.apache.org/ <http://shiro.apache.org/>
> > > 
> > > Guide to testing staged releases:
> > > http://maven.apache.org/guides/development/guide-testing-releases.html 
> > > <http://maven.apache.org/guides/development/guide-testing-releases.html>
> > > 
> > > Vote open for 72 hours.
> > > 
> > > [ ] +1
> > > [ ] +0
> > > [ ] -1 (please include reasoning)
> > 
> > 

RE: Re: [VOTE] Release Apache Shiro 1.11.0

[lenny]

Ugh. Unfortunately, I am going to have to change my vote to -1.

This due to my own oversight and somehow letting this happen:
https://github.com/apache/shiro/pull/558#issuecomment-1374416989 
<https://github.com/apache/shiro/pull/558#issuecomment-1374416989>

Lenny Primak: -1 (binding)

On 2023/01/04 00:56:41 Lenny Primak wrote:
> Lenny Primak: +1
> 
> Thank you!!!
> 
> > On Jan 3, 2023, at 7:54 PM, Brian Demers  wrote:
> > 
> > This is a call to vote in favor of releasing Apache Shiro version 1.11.0.
> > 
> > We solved 2 Issues:
> > 
> > https://issues.apache.org/jira/secure/IssueNavigator!executeAdvanced.jspa?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.11.0%20%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
> > 
> > 
> > Maven Staging repo:
> > https://repository.apache.org/content/repositories/orgapacheshiro-1044
> > https://repository.apache.org/content/repositories/orgapacheshiro-1044/org/apache/shiro/shiro-root/1.11.0/shiro-root-1.11.0-source-release.zip
> > 
> > Dist Staging Repository:
> > https://dist.apache.org/repos/dist/dev/shiro/1.11.0/
> > 
> > Project website (just for informational purposes, not to be voted upon):
> > http://shiro.apache.org/
> > 
> > Guide to testing staged releases:
> > http://maven.apache.org/guides/development/guide-testing-releases.html
> > 
> > Vote open for 72 hours.
> > 
> > [ ] +1
> > [ ] +0
> > [ ] -1 (please include reasoning)
> 
> 

Re: [VOTE] Release Apache Shiro 1.11.0

[Lenny Primak]

Lenny Primak: +1

Thank you!!!

> On Jan 3, 2023, at 7:54 PM, Brian Demers  wrote:
> 
> This is a call to vote in favor of releasing Apache Shiro version 1.11.0.
> 
> We solved 2 Issues:
> 
> https://issues.apache.org/jira/secure/IssueNavigator!executeAdvanced.jspa?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.11.0%20%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
> 
> 
> Maven Staging repo:
> https://repository.apache.org/content/repositories/orgapacheshiro-1044
> https://repository.apache.org/content/repositories/orgapacheshiro-1044/org/apache/shiro/shiro-root/1.11.0/shiro-root-1.11.0-source-release.zip
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/shiro/1.11.0/
> 
> Project website (just for informational purposes, not to be voted upon):
> http://shiro.apache.org/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours.
> 
> [ ] +1
> [ ] +0
> [ ] -1 (please include reasoning)

Re: 2022 December Board Report Draft

[Lenny Primak]

Thanks Brian!
Looks good to me as well

> On Dec 16, 2022, at 9:38 AM, Brian Demers  wrote:
> 
> The 2022 December ASF board report is due today.  I've created an
> initial draft here:
> 
> https://svn.apache.org/repos/asf/shiro/board/2022-12.txt
> 
> Comments, suggestions, and feedback are welcome.  Otherwise, it will
> be submitted later today.
> 
> Thanks,
> -Brian

Proposal: Release Shiro 2.0-alpha-1 to maven central

[lenny]

This will enable people to at least try to use modern Jakarta and JPMS without 
enabling snapshots and adding Apache snapshot repo

Re: [SHIRO-206] JSF support

[Lenny Primak]

+1 for removing from 2.0 milestone

The library is pretty useful and I may want to re-add it in the future once I 
get some time to work on Jakarta EE / CDI stuff in general.


> On Aug 1, 2021, at 3:00 PM, Benjamin Marwell  wrote:
> 
> Hi everyone,
> 
> we had a discussion in slack, that later versions of shiro might want
> to concentrate on CDI-ish/jndi based usages. Not that this would be a
> target for 2.0, but SHIRO-206 [1] wants to add JSF support.
> 
> Unless someone wants to maintain it actively in the project, I would
> vote to remove this feature from the 2.0 milestone.
> 
> WDYT?
> 
> - Ben
> 
> [1] - https://issues.apache.org/jira/browse/SHIRO-206

[jira] [Commented] (SHIRO-816) Update shiro-hazelcast to support Hazelcast 4.2

[Lenny Primak (Jira)]

[ 
https://issues.apache.org/jira/browse/SHIRO-816?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17391051#comment-17391051
 ] 

Lenny Primak commented on SHIRO-816:


Hazelcast 5 is coming in August BTW...

> Update shiro-hazelcast to support Hazelcast 4.2
> ---
>
> Key: SHIRO-816
> URL: https://issues.apache.org/jira/browse/SHIRO-816
> Project: Shiro
>  Issue Type: Improvement
>Reporter: Steve Lopez
>Assignee: Benjamin Marwell
>Priority: Major
>  Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> The latest version of shiro-hazelcast works only on the 3.x versions of 
> Hazelcast.jar   The latest version of Hazelcast is now 4.2 
> ([https://mvnrepository.com/artifact/com.hazelcast/hazelcast/4.2)] 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: [ANNOUNCE] Community Update: Working on 1.3 Release + Dedicated Shiro Staff

[Lenny Primak]

That's fantastic news congratulations Brian and Shiro team!!

> On Jun 27, 2016, at 7:03 PM, Les Hazlewood  wrote:
> 
> Hi Apache Shiro Community!
> 
> I know it has been a while since we last had a public community announcement, 
> and things have been very quiet due to Shiro's mostly-stable status (with 
> some minor exceptions the last few months).  That said, you may have noticed 
> a whole bunch of Shiro activity recently - Shiro JIRA emails, confluence 
> activity, etc., and this is due to some new very exciting news.
> 
> I'm proud to announce that Brian Demers, a long-time existing Shiro team 
> member and committer, has decided to join us here at Stormpath in a full time 
> position.  With this role, Stormpath will be investing in the Shiro project 
> and its community with a full time resource!
> 
> Until now, Shiro has been fostered and supported with much love by the Apache 
> Shiro dev team over the years, but only as part-time engineers.  We have 
> always had full-time day jobs and couldn't dedicate 100% of our time to it.  
> But at least now in Brian's case, he gets to spend all of his work time on it 
> too (and I'm jealous! :) ).
> 
> What is Brian going to be doing?
> ---
> 
> One of Brian's first projects as a Stormpath employee will be to help clean 
> up the existing Shiro JIRA backlog, specifically issues with patches that 
> have been sitting for a while, and get a 1.3 release out. If there is a 
> particular issue or patch you have been working around for a while please let 
> the dev team know.
> 
> Beyond that, Brian will be working towards the Shiro 2.0 release, as well as 
> supporting the community with educational content and upgrading the Shiro 
> website.
> 
> What does this mean for the Apache Shiro project?
> 
> 
> For all intents and purposes, it means more help, better support and getting 
> Apache 2.0 out the door faster.  Like all Apache projects, Shiro will 
> *always* be run "The Apache Way" - it is a meritocracy and each Apache Shiro 
> committee member will continue to manage Apache Shiro the same way we have 
> since project inception.  Stormpath just sees Shiro as a complementary 
> technology that helps Stormpath customers, so it was a natural fit for us to 
> hire someone to help with Shiro full-time.  It is no different than, say, the 
> many IBM employees that are full-time employees dedicated to other Apache 
> projects (e.g. like Tomcat).
> 
> Additionally, Stormpath has no plans to make a 'commercial' version of Shiro 
> - so don't worry about that.  All Shiro work will be 100% open and 
> contributed back to the community under the Apache 2.0 license (again, as 
> we've always done).
> 
> So, in summary, there is *no* change to Shiro, its team, its management, or 
> its community other than getting dedicated, full-time help! :)
> 
> Please join me in welcoming Brian to Stormpath and thank him for stepping up 
> to the challenge!
> 
> Thanks,
> 
> 
> --
> Les

[jira] [Created] (SHIRO-512) Race condition in Shiro's web container session timeout handling

[Lenny Primak (JIRA)]

Lenny Primak created SHIRO-512:
--

 Summary: Race condition in Shiro's web container session timeout 
handling
 Key: SHIRO-512
 URL: https://issues.apache.org/jira/browse/SHIRO-512
 Project: Shiro
  Issue Type: Bug
  Components: Authentication (log-in)
Affects Versions: 1.2.2, 1.2.3
Reporter: Lenny Primak
Priority: Minor


I cannot find anywhere that Shiro uses HttpSessionListener to trap 
sessionDestroyed event from the container. 
I believe this is leading to a rare race condition in my application, as Shiro 
thinks the session is still active, 
but in reality, the web session has been destroyed. 

Code:  SecurityUtils.getSubject().getPrincipal(); 

Relevant bit of stack trace: 

Caused by: org.apache.shiro.session.InvalidSessionException: 
java.lang.IllegalStateException: PWC2778: getAttribute: Session already 
invalidated 
at 
org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
 
at 
org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) 
at 
org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
 
at 
org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
 
at 
org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)
 


Link to the mailing list thread: 
http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html



--
This message was sent by Atlassian JIRA
(v6.2#6252)