Skip to content

[ZEPPELIN-6528] Upgrade Apache Shiro from 1.13.0 to 2.0.6#5293

Open
ParkGyeongTae wants to merge 1 commit into
apache:masterfrom
ParkGyeongTae:ZEPPELIN-6528
Open

[ZEPPELIN-6528] Upgrade Apache Shiro from 1.13.0 to 2.0.6#5293
ParkGyeongTae wants to merge 1 commit into
apache:masterfrom
ParkGyeongTae:ZEPPELIN-6528

Conversation

@ParkGyeongTae

Copy link
Copy Markdown
Member

What is this PR for?

Upgrades Apache Shiro from 1.13.0 to 2.0.6, the current stable release line with active security patches. Shiro 2.x strengthens default password hashing (Argon2id instead of MD5) and provides Jakarta EE 10 support, which aligns with the jakarta.* namespace already in use by this project.

This PR also resolves a transitive BouncyCastle version conflict introduced by shiro-crypto-hash:2.0.6 pulling in bcprov-jdk18on:1.82, and fixes the two compile-breaking API changes between Shiro 1.x and 2.x.

What type of PR is it?

Improvement

Todos

  • Bump shiro.version 1.13.0 → 2.0.6 in pom.xml
  • Bump bouncycastle.version 1.80 → 1.82 to resolve DependencyConvergence conflict
  • Replace removed DefaultLdapContextFactory with JndiLdapContextFactory in ActiveDirectoryGroupRealm
  • Update StringUtils import to org.apache.shiro.lang.util in LdapRealm
  • Update LifecycleUtils import to org.apache.shiro.lang.util in AbstractShiroTest and ShiroAuthenticationServiceTest

What is the Jira issue?

How should this be tested?

  1. Build zeppelin-server module:
    ./mvnw compile -pl zeppelin-server -am -DskipTests
  2. Run Shiro-related unit tests:
    ./mvnw test -pl zeppelin-server -Dtest="ShiroAuthenticationServiceTest,LdapRealmTest,LdapRealmDnInjectionTest,AnyOfRolesUserAuthorizationFilterTest"
  3. Manually verify form login, LDAP authentication flows remain functional.

Screenshots (if appropriate)

N/A

Questions:

  • Does the license files need to update? No
  • Is there breaking changes for older versions? No — API-level changes are confined to internal realm and test infrastructure classes.
  • Does this needs documentation? No

- Bump shiro.version from 1.13.0 to 2.0.6 in pom.xml
- Bump bouncycastle.version from 1.80 to 1.82 to resolve
  dependency convergence conflict introduced by shiro-crypto-hash:2.0.6
- Replace removed DefaultLdapContextFactory with JndiLdapContextFactory
  in ActiveDirectoryGroupRealm
- Update StringUtils import from org.apache.shiro.util to
  org.apache.shiro.lang.util in LdapRealm
- Update ShiroException import to org.apache.shiro.lang.ShiroException
  in LdapRealm
- Update LifecycleUtils import from org.apache.shiro.util to
  org.apache.shiro.lang.util in AbstractShiroTest and
  ShiroAuthenticationServiceTest
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant