• JDK 17
• Jakarta EE 9/10/11+ (no javax.* namespace)
• Spring 6/7+ and SpringBoot 3/4+
• Guice 7/8+

Breaking Changes:

• Made default implementation of PrincipalCollection immutable (ImmutablePrincipalCollection)

Security improvements:

• Case-insensitive path matching is now enabled by default (hardened by default)
• Added NoAccessFilter and add it to the default filter chain (breaking change, hardened-by-default)
• [#2799] enh: warn if realm authentication fails by @lprimak in https://github.com/apache/shiro/pull/2798
• Web RememberMe and Guice Enhancements by @lprimak in https://github.com/apache/shiro/pull/2800
• Enable CORS preflight requests by default

Other Changes:

• Modernized Java code to JDK 17 baseline
• Added fluent API in MergableAuthenticationInfo class
• Improved thread-safety of Shiro-native sessions (SimpleSession, SimpleSessionFactory, CachingSessionDAO)
• Multi-Release JAR in order to support different JDK version levels, and JDK 25 Scoped values
• Using Java Scoped for Subject and SecurityManager instead of ThreadLocals on JDK 25+
• Separated out ShiroFilterFactoryBeanPostProcessor to fix post processing warnings in Spring
• Using AssertJ for testing

Removals of deprecated artifacts

• Removed Shiro BOM - no longer necessary
• Removed EhCache module in favor of JCache
• Removed Hazelcast module in favor of JCache
• Removed deprecated SimplePrincipalCollection class
• Removed deprecated RandomSessionIdGenerator class
• Removed deprecated HttpSessionContext class
• Removed deprecated JavaEnvironment class
• Removed deprecated XmlSerializer.java class
• Removed JakartaTransformer class and it's jakartify() method
• Removed Spring/Boot ShiroUrlPathHelper class
• Removed Spring/Boot's remoting support
• Removed Spring/Boot deprecated ShiroRequestMappingConfig class
• Removed samples and tests associated with deprecated modules

• JDK 21 (JDK 25 required to release)
• Jakarta EE 11 (build-time default)
• Spring 7/SpringBoot 4 (build-time default)
• Guice 8 (build-time default)

• [#1584] Merge 3.x branch into main by @lprimak in https://github.com/apache/shiro/pull/2772

Full Changelog: https://github.com/apache/shiro/compare/shiro-root-2.2.1...shiro-root-3.0.0

• d4832d7: [build] Automated Browser Version Update (#17694) (Selenium CI Bot) #17694

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.357...7.21.0-rc.358

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.356...7.21.0-rc.357

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.355...7.21.0-rc.356

• 54ad310: [build] Automated Browser Version Update (#17687) (Selenium CI Bot) #17687
• d770acb: [rust] Support pbzx-compressed macOS .pkg payloads (#17691) (David Burns) #17691
• d0f9c6d: [java] Mark all current BiDi related classes beta (#17690) (Puja Jagani) #17690
• cc12664: [build] Upgrade rules_rs to 0.0.92 (#17688) (David Burns) #17688
• 8de8692: [ci] Ignore changes in docs/decisions directory for pull requests (#17693) (Diego Molina) #17693

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.354...7.21.0-rc.355

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.353...7.21.0-rc.354

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.352...7.21.0-rc.353

• 719cd30: [docs] add design decision record process and template (#17665) (Titus Fortner) #17665