Posted to commits@shiro.apache.org by fp...@apache.org on 2020/10/30 08:42:18 UTC

[shiro-site] branch master updated: Release Shiro 1.7.0

This is an automated email from the ASF dual-hosted git repository.

fpapon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro-site.git


The following commit(s) were added to refs/heads/master by this push:
     new ed29cf5  Release Shiro 1.7.0
     new 28164c4  Merge pull request #70 from fpapon/release-170
ed29cf5 is described below

commit ed29cf53a83c1f5e15ad1131bd5368ea7a0371d0
Author: Francois Papon <fr...@openobject.fr>
AuthorDate: Thu Oct 29 22:19:18 2020 +0100

    Release Shiro 1.7.0
---
 download.html.vtl      | 56 ++++++++++++++++++++++++++++++++++++++++++--------
 index.html             |  8 ++++----
 news.html              | 33 +++++++++++++++++++++++++++++
 security-reports.md    | 19 +++++++++--------
 templates/versions.vtl | 25 +++++++++++++++++++---
 web.md.vtl             | 49 +++++++++++++++++++++++++++++++------------
 6 files changed, 154 insertions(+), 36 deletions(-)

diff --git a/download.html.vtl b/download.html.vtl
index 83384b5..7a81995 100644
--- a/download.html.vtl
+++ b/download.html.vtl
@@ -75,6 +75,14 @@
 
         <li><a href="#previous">Previous Releases</a>
             <ul>
+                <li><a href="#1.6.xBinary">$shiro16x.version</a></li>
+                <ul>
+                    <li><a href="#1.6.xBinary">$shiro16x.version Binary Distribution</a></li>
+                    <li><a href="#1.6.xSource">$shiro16x.version Source Code Distribution</a></li>
+                    <li><a href="#1.6.xGit">$shiro16x.version Git Source repository</a></li>
+                </ul>
+            </ul>
+            <ul>
                 <li><a href="#1.5.xBinary">$shiro15x.version</a></li>
                 <ul>
                     <li><a href="#1.5.xBinary">$shiro15x.version Binary Distribution</a></li>
@@ -131,7 +139,7 @@
 <p>
 </p>
 
-#artifactTable($shiro16x)
+#artifactTable($shiro17x)
 
 <h3><a name="latestSource"></a>${latestRelease} Source Code Distribution</h3>
 
@@ -155,7 +163,39 @@ git checkout shiro-root-${latestRelease} -b shiro-root-${latestRelease}
 
 <h2><a name="previous"></a>Previous Releases</h2>
 
-<h3><a name="1.5.xBinary"></a>${shiro15x.version} Binary Distribution</h3>
+<h3><a name="1.6.xBinary"></a>${shiro16x.version} Binary Distribution</h3>
+
+<p>Associated documentation can be found <a href="documentation.html" title="Documentation">here</a></p>
+
+<p>To download the files directly as one .jar file just click the link in the "Artifact" column. If you would like
+    acquire Shiro through Maven, then please use the markup listed under "Maven Usage"</p>
+
+<p>
+</p>
+
+#artifactTable($shiro16x)
+
+<h3><a name="1.6.xSource"></a>${shiro16x.version} Source Code Distribution</h3>
+
+<p>The source bundle requires JDK 1.8 and Maven 3.0.3+ to build:</p>
+
+<p><a class="external-link" href="https://downloads.apache.org/shiro/${shiro16x.version}/shiro-root-${shiro16x.version}-source-release.zip">zip</a>
+    (<a class="external-link"
+        href="https://downloads.apache.org/shiro/${shiro16x.version}/shiro-root-${shiro16x.version}-source-release.zip.asc">pgp</a>, <a
+            class="external-link"
+            href="https://downloads.apache.org/shiro/${shiro16x.version}/shiro-root-${shiro16x.version}-source-release.zip.md5">md5</a>, <a
+            class="external-link"
+            href="https://downloads.apache.org/shiro/${shiro16x.version}/shiro-root-${shiro16x.version}-source-release.zip.sha512">sha512</a>)
+</p>
+
+<h3><a name="1.6.xGit"></a>${shiro16x.version} Git Source repository</h3>
+
+<p>The source can be cloned anonymously from Git with this command:</p>
+<pre><code class="bash">git clone https://github.com/apache/shiro.git
+git checkout shiro-root-${shiro16x.version} -b shiro-root-${shiro16x.version}
+</code></pre>
+
+<h3><a name="1.6.xBinary"></a>${shiro16x.version} Binary Distribution</h3>
 
 <p>Associated documentation can be found <a href="documentation.html" title="Documentation">here</a></p>
 
@@ -171,23 +211,23 @@ git checkout shiro-root-${latestRelease} -b shiro-root-${latestRelease}
 
 <p>The source bundle requires JDK 1.8 and Maven 3.0.3+ to build:</p>
 
-<p><a class="external-link" href="https://downloads.apache.org/shiro/${shiro14x.version}/shiro-root-${shiro15x.version}-source-release.zip">zip</a>
+<p><a class="external-link" href="https://downloads.apache.org/shiro/${shiro15x.version}/shiro-root-${shiro15x.version}-source-release.zip">zip</a>
     (<a class="external-link"
-        href="https://downloads.apache.org/shiro/${shiro14x.version}/shiro-root-${shiro15x.version}-source-release.zip.asc">pgp</a>, <a
+        href="https://downloads.apache.org/shiro/${shiro15x.version}/shiro-root-${shiro15x.version}-source-release.zip.asc">pgp</a>, <a
             class="external-link"
-            href="https://downloads.apache.org/shiro/${shiro14x.version}/shiro-root-${shiro15x.version}-source-release.zip.md5">md5</a>, <a
+            href="https://downloads.apache.org/shiro/${shiro15x.version}/shiro-root-${shiro15x.version}-source-release.zip.md5">md5</a>, <a
             class="external-link"
-            href="https://downloads.apache.org/shiro/${shiro14x.version}/shiro-root-${shiro15x.version}-source-release.zip.sha512">sha512</a>)
+            href="https://downloads.apache.org/shiro/${shiro15x.version}/shiro-root-${shiro15x.version}-source-release.zip.sha512">sha512</a>)
 </p>
 
 <h3><a name="1.5.xGit"></a>${shiro15x.version} Git Source repository</h3>
 
 <p>The source can be cloned anonymously from Git with this command:</p>
 <pre><code class="bash">git clone https://github.com/apache/shiro.git
-git checkout shiro-root-${shiro15x.version} -b shiro-root-${shiro14x.version}
+git checkout shiro-root-${shiro15x.version} -b shiro-root-${shiro15x.version}
 </code></pre>
 
-<h3><a name="1.4.xBinary"></a>${shiro14x.version} Binary Distribution</h3>
+<h3><a name="1.5.xBinary"></a>${shiro15x.version} Binary Distribution</h3>
 
 <p>Associated documentation can be found <a href="documentation.html" title="Documentation">here</a></p>
 
diff --git a/index.html b/index.html
index 4bf10f6..c015d29 100644
--- a/index.html
+++ b/index.html
@@ -26,6 +26,10 @@
                 <div class="panel-body">
                     <div>
                         <a href="news.html">Release</a>
+                        <p><small>1.7.0 available with fix CVE-2020-17510 (2020-10-29)</small></p>
+                    </div>
+                    <div>
+                        <a href="news.html">Release</a>
                         <p><small>1.6.0 available! (2020-8-17)</small></p>
                     </div>
                     <div>
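Review bot: the new panel text `1.7.0 available with fix CVE-2020-17510 (2020-10-29)` reads awkwardly; suggest `1.7.0 available, fixes CVE-2020-17510 (2020-10-29)` and linking the CVE id to security-reports.md so readers can reach the advisory from the front page. The date format (`2020-10-29`) also differs from the zero-less `2020-8-17` used on the neighbouring entries; pick one.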
@@ -40,10 +44,6 @@
                         <a href="news.html">Release</a>
                         <p><small>1.5.1 available! (2020-2-23)</small></p>
                     </div>
-                    <div>
-                        <a href="news.html">Release</a>
-                        <p><small>1.5.0 available! (2020-1-24)</small></p>
-                    </div>
                 </div>
             </div>
 
diff --git a/news.html b/news.html
index 301f6e5..0a7b140 100644
--- a/news.html
+++ b/news.html
@@ -14,6 +14,39 @@ For more information on Shiro, please read the documentation.</p>
 <div class="blog-post-listing">
 
     <div class="logo-heading-block">
+        <a class="blogHeading" id="1.7.0-released" href="#1.7.0-released">Apache Shiro 1.7.0 Released</a>
+    </div>
+
+    <div class="news-content">
+        <p>The Shiro team is pleased to announce the release of Apache Shiro version 1.7.0. This is a feature release for 1.x.</p>
+
+        <p>This release includes 7 issues resolved since the 1.6.0 release and is available for Download now.</p>
+
+        <p>Of Note:
+        <ul>
+            <li>Disable session path rewriting by default.</li>
+            <li>Add system property to enable backslash path normalization.</li>
+            <li>DeleteMe cookie should use the defined "sameSite".</li>
+            <li>Also add cookie SameSite option to Spring.</li>
+            <li>SslFilter with HTTP Strict Transport Security (HSTS).</li>
+        </ul>
+
+        You can learn more on <a href="https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%201.7.0" target="_blank">Jira</a>
+        </p>
+
+        <p>Release binaries (.jars) are also available through Maven Central and source bundles through Apache distribution mirrors.</p>
+
+        <p>For more information on <a href="documentation.html">Shiro, please read the documentation.</a></p>
+
+        <p>Enjoy!</p>
+
+        <p>The Apache Shiro Team</p>
+    </div>
+</div>
+
+<div class="blog-post-listing">
+
+    <div class="logo-heading-block">
         <a class="blogHeading" id="1.6.0-released" href="#1.6.0-released">Apache Shiro 1.6.0 Released</a>
     </div>
 
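Review bot: the announcement calls 1.7.0 "a feature release" and never mentions CVE-2020-17510, although index.html and security-reports.md in this same commit present the release as the fix for that authentication bypass; add the CVE, with a link to security-reports.md, to the "Of Note" list so operators reading news.html can see that upgrading is a security fix rather than optional. Separately, the `<ul>` sits inside `<p>Of Note: ... </p>`, which is not valid HTML (a list cannot be a child of a paragraph, and browsers implicitly close the `<p>` before it); close the paragraph after `Of Note:` and put `You can learn more on ...` in its own `<p>`.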
diff --git a/security-reports.md b/security-reports.md
index 4e5c0d6..f49613f 100644
--- a/security-reports.md
+++ b/security-reports.md
@@ -25,26 +25,29 @@ A [more detailed description of the process](http://www.apache.org/security/comm
 Apache Shiro Vulnerability Reports
 ----------------------------------
 
-###[CVE-2020-13933](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13933)
+###[CVE-2020-17510](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17510)
+Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
+
+###[CVE-2020-13933](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13933)
 Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
 
-###[CVE-2020-11989](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11989)
+###[CVE-2020-11989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11989)
 Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
 
-###[CVE-2020-1957](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1957)
+###[CVE-2020-1957](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1957)
 Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
 
-###[CVE-2019-12422](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12422)
+###[CVE-2019-12422](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12422)
 Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
 
-###[CVE-2016-6802](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6802)
+###[CVE-2016-6802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6802)
 Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
 
-###[CVE-2016-4437](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437)
+###[CVE-2016-4437](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437)
 Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
 
-###[CVE-2014-0074](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0074)
+###[CVE-2014-0074](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0074)
 Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
 
-###[CVE-2010-3863](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863)
+###[CVE-2010-3863](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863)
 Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
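Review bot: the new CVE-2020-17510 entry inherits the dangling-clause wording of its neighbours ("Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause ..."); suggest "When Apache Shiro before 1.7.0 is used with Spring, a specially crafted HTTP request may cause an authentication bypass." plus a pointer to the 1.7.0 download, since the fixed version is the one thing an operator needs from this list. The `http://` → `https://` switch on every cve.mitre.org link is a good catch. Note also that `###[CVE-...]` with no space after `###` is not a heading in CommonMark; it works only because the site's Markdown renderer is lenient, so `### [CVE-...]` is the safer form.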
diff --git a/templates/versions.vtl b/templates/versions.vtl
index 47a520b..49fe115 100644
--- a/templates/versions.vtl
+++ b/templates/versions.vtl
@@ -1,5 +1,5 @@
-#set( $latestRelease = "1.6.0" )
-#set( $versionInfo = {"1.6.0": { "releaseDate": "2020-08-17" } } )
+#set( $latestRelease = "1.7.0" )
+#set( $versionInfo = {"1.7.0": { "releaseDate": "2020-10-29" } } )
 
 #set( $shiroCore = {"g":"org.apache.shiro", "a": "shiro-core", "type": "jar",
                     "description": 'Required in all environments. <a class="external-link" href="http://slf4j.org/">Slf4j</a>''s
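Review bot: `$versionInfo` is replaced rather than extended, so the `"1.6.0": { "releaseDate": "2020-08-17" }` entry disappears; if the map is only ever read for `$latestRelease` that is fine, but if any template looks up the release date of an older version, keep both entries.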
@@ -136,7 +136,26 @@
     $shiroHasher
 ]} )
 
-#set( $shiro16x = {"version": $latestRelease, "artifacts": [
+#set( $shiro16x = {"version": "1.6.0", "artifacts": [
+    $shiroAll,
+    $shiroCore,
+    $shiroWeb,
+    $shiroServletPlugin,
+    $shiroJaxrs,
+    $shiroAspectJ,
+    $shiroCas,
+    $shiroEhCache,
+    $shiroHazelcast,
+    $shiroFeatures,
+    $shiroGuice,
+    $shiroQuartz,
+    $shiroSpring,
+    $shiroSpringBoot,
+    $shiroSpringBootWeb,
+    $shiroHasher
+]} )
+
+#set( $shiro17x = {"version": $latestRelease, "artifacts": [
     $shiroAll,
     $shiroCore,
     $shiroWeb,
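Review bot: pinning `$shiro16x` to the literal `"1.6.0"` while the new `$shiro17x` takes `$latestRelease` is the right split (the previous definition would have silently relabelled the 1.6.x table as 1.7.0), but the 1.6.x artifact list is a verbatim copy of the 1.7.x one; if the two lists are meant to stay identical, a shared list variable would spare the next release from duplicating it again.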
diff --git a/web.md.vtl b/web.md.vtl
index a98a94a..ca14731 100644
--- a/web.md.vtl
+++ b/web.md.vtl
@@ -9,22 +9,22 @@ Apache Shiro Web Support
     *   [`web.xml`](#Web-%7B%7Bweb.xml%7D%7D)
 
         *   [Shiro 1.2 and later](#Web-Shiro1.2andlater)
-    
+
             *   [Custom `WebEnvironment` Class](#Web-Custom%7B%7BWebEnvironment%7D%7DClass)
             *   [Custom Configuration Locations](#Web-CustomConfigurationLocations)
-    
+
         *   [Shiro 1.1 and earlier](#Web-Shiro1.1andearlier)
-        
+
             *   [Custom Path](#Web-CustomPath)
             *   [Inline Config](#Web-InlineConfig)
-    
+
     *   [Web INI configuration](#Web-WebINIconfiguration)
-    
+
         *   [`[urls]`](#Web-%7B%7B%5Curls%5C%7D%7D)
-    
+
             *   [URL Path Expressions](#Web-URLPathExpressions)
             *   [Filter Chain Definitions](#Web-FilterChainDefinitions)
-    
+
                 *   [Available Filters](#Web-AvailableFilters)
 
 *   [Default Filters](#Web-DefaultFilters)
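Review bot: this hunk and the two that follow mostly strip trailing whitespace from the table of contents; harmless, but mixing whitespace-only changes into a release commit inflates the diff and hides the one substantive edit in this file's TOC (the new HSTS entry). Consider a separate cleanup commit.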
@@ -34,20 +34,21 @@ Apache Shiro Web Support
     *   [Request-specific Enabling/Disabling](#Web-RequestspecificEnabling%2FDisabling)
     *   [Path-specific Enabling/Disabling](#Web-PathspecificEnabling%2FDisabling)
     *   [Global Filters](#Web-globalFilters)
+    *   [HTTP Strict Transport Security (HSTS)](#Web-HSTS)
 
 *   [Session Management](#Web-SessionManagement)
 
     *   [Servlet Container Sessions](#Web-ServletContainerSessions)
-    
+
         *   [Servlet Container Session Timeout](#Web-ServletContainerSessionTimeout)
-    
+
     *   [Native Sessions](#Web-NativeSessions)
-    
+
         *   [`DefaultWebSessionManager`](#Web-%7B%7BDefaultWebSessionManager%7D%7D)
-        
+
             *   [Native Session Timeout](#Web-NativeSessionTimeout)
             *   [Session Cookie](#Web-SessionCookie)
-        
+
                 *   [Session Cookie Configuration](#Web-SessionCookieConfiguration)
                 *   [Disabling the Session Cookie](#Web-DisablingtheSessionCookie)
 
@@ -66,7 +67,7 @@ Apache Shiro Web Support
     *   [The `authenticated` tag](#Web-The%7B%7Bauthenticated%7D%7Dtag)
     *   [The `notAuthenticated` tag](#Web-The%7B%7BnotAuthenticated%7D%7Dtag)
     *   [The `principal` tag](#Web-The%7B%7Bprincipal%7D%7Dtag)
-    
+
         *   [Typed principal](#Web-Typedprincipal)
         *   [Principal property](#Web-Principalproperty)
 
@@ -495,6 +496,28 @@ invalidRequest.blockNonAscii = true
 
 #info('Note', 'If you currently allowing URL rewriting to allow for a <code>jsessionid</code> in the URL, you must set <code>blockSemicolon</code> to <code>false</code>.<BR/><BR/>URL rewriting for <code>jsessionid</code> is defined in section "7.1.3" of the Java Servlet Specification, but it is generally NOT recommended.')
 
+<a name="Web-HSTS"></a>
+#[[###HTTP Strict Transport Security (HSTS)]]#
+
+The [SslFilter](static/current/apidocs/org/apache/shiro/web/filter/authz/SslFilter.html) (and all of its subclasses) supports enabling/disabling HTTP Strict Transport Security (HSTS).
+
+For example, in shiro.ini:
+
+``` ini
+[main]
+...
+# configure Shiro's default 'ssl' filter to enabled HSTS:
+ssl.enabled = true
+ssl.hsts.enabled = true
+ssl.hsts.includeSubDomains = true
+
+[urls]
+...
+/some/path = ssl, authc
+/another/path = ssl, roles[admin]
+...
+```
+
 <a name="Web-sessionManagement"></a>
 <a name="Web-SessionManagement"></a>
 Session Management
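Review bot: the comment `# configure Shiro's default 'ssl' filter to enabled HSTS:` should read `to enable HSTS`. More importantly, the example sets `ssl.hsts.includeSubDomains = true` without saying what that commits the deployment to: once a browser has seen the header, every subdomain of the site must be served over HTTPS for the whole max-age period, so the docs should state that this option is only appropriate when all subdomains are HTTPS-only, and should give the max-age value the filter sends (a Strict-Transport-Security header always carries one) and how to change it. It is also worth a sentence that the header is only emitted on paths mapped to the `ssl` filter in `[urls]`, so a policy meant to cover the whole site needs `ssl` on every chain or configured as a global filter, which this document covers under Global Filters.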