[ZEPPELIN-6528] Upgrade Apache Shiro from 1.13.0 to 2.0.6#5293
Open
ParkGyeongTae wants to merge 1 commit into
Open
[ZEPPELIN-6528] Upgrade Apache Shiro from 1.13.0 to 2.0.6#5293ParkGyeongTae wants to merge 1 commit into
ParkGyeongTae wants to merge 1 commit into
Conversation
- Bump shiro.version from 1.13.0 to 2.0.6 in pom.xml - Bump bouncycastle.version from 1.80 to 1.82 to resolve dependency convergence conflict introduced by shiro-crypto-hash:2.0.6 - Replace removed DefaultLdapContextFactory with JndiLdapContextFactory in ActiveDirectoryGroupRealm - Update StringUtils import from org.apache.shiro.util to org.apache.shiro.lang.util in LdapRealm - Update ShiroException import to org.apache.shiro.lang.ShiroException in LdapRealm - Update LifecycleUtils import from org.apache.shiro.util to org.apache.shiro.lang.util in AbstractShiroTest and ShiroAuthenticationServiceTest
bc37963 to
2b3d930
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is this PR for?
Upgrades Apache Shiro from 1.13.0 to 2.0.6, the current stable release line with active security patches. Shiro 2.x strengthens default password hashing (Argon2id instead of MD5) and provides Jakarta EE 10 support, which aligns with the jakarta.* namespace already in use by this project.
This PR also resolves a transitive BouncyCastle version conflict introduced by shiro-crypto-hash:2.0.6 pulling in bcprov-jdk18on:1.82, and fixes the two compile-breaking API changes between Shiro 1.x and 2.x.
What type of PR is it?
Improvement
Todos
What is the Jira issue?
How should this be tested?
./mvnw compile -pl zeppelin-server -am -DskipTests
./mvnw test -pl zeppelin-server -Dtest="ShiroAuthenticationServiceTest,LdapRealmTest,LdapRealmDnInjectionTest,AnyOfRolesUserAuthorizationFilterTest"
Screenshots (if appropriate)
N/A
Questions: