Conversation
github-actions
Bot
added
github_actions
…ded to be immutable; provide an immutable implementation including a builder class; deprecate the mutable implementation; use the immutable one in SimpleAuthenticationInfo for merging. Background: Merging AuthenticationInfo and the contained PrincipalCollections previously lead to one of the involved PrincipalCollections be selected by undefined means and being mutated, propagating the changes to other callers that did not expect such changes, including the authentication cache.
* chore(3.x): Migrate to jakarta EE 10 using OpenRewrite * chore(3.x): Remove the jakarta classifier from shiro artifacts * chore(3.x): Address checkstyle issues post-migration * chore(3.x): Remove `HttpSessionContext` references * chore(3.x): Remove duplicate jakarta jax-rs imports * chore(3.x): Temporarily disable some modules/samples * Revert "chore(3.x): Temporarily disable some modules/samples" This reverts commit 71de7ba. --------- Co-authored-by: lprimak <lenny@flowlogix.com>
* Update to 3.0.0 Includes version bumps: - Java: 11 -> 17 - Ehcache: 2.6 -> 3.10 - Guice: 6 -> 7 - Jetty: 9.4.56.v2024.. -> 12.0 - `org.eclipse.jetty` -> `org.eclipse.jetty.ee10` - Jakarta EE: 8 -> 10 - Activation: 1.2 -> 2.1 - Annotation: 1.3 -> 2.1 - Enterprise CDI API: 2.0 -> 4.0 - JSON API: 1.1 -> 2.1 - JSON Bind: 1.0 -> 3.0 - Servlet: 4.0 -> 6.0 - Servlet JSP API: 2.2 -> 3.1 - Validation API: 2.0 -> 3.0 - WS RS API: 2.1 -> 3.1 - XML Bind: 2.3 -> 4.0 - Omnifaces: 4.6.1 - CXF RT Client: 3.6 -> 4.0 - Glassfish JAXB RT: 2.3 -> 4.0 - Spring: 5.3 -> 6.2 - Spring Boot: 2.7 -> 3.4 - Hibernate: 5.6 -> 6.6 (sample project) Concerns: - Ehcache migration most certainly needs revision - CI untested (specially Jenkins CD) - `flowlogix`, `omnifaces`, and a few other libs I have no knowledge of, certainly need attention - Spring remoting seems to have been dropped from Spring Context, not sure if replaceable Known issues: - No immediate suitable replacement for `org.eclipse.jetty:apache-jstl` - Ehcache 3.10 is pulling earlier version of jaxb runtime -> conflicting - Added exclusion to circumvent woes - Some web integration tests aren't up to speed - Embedded jetty-based ITs fail, server reports 503 - Arquillian IT fails - Meecrowave support missing (solved in unreleased 2.0.0?) * Remove lingering guice3 IT pom.xml * Suppress unchecked cast warning * Revert ill merge in test case * Properly disable meecrowave-based IT * Remove Shiro Spring remoting test * Remove lingering jetty injection argument from IT test case * Restore dependency details lost in translation * Remove stray type for runtime type inference / reification attempt Shouldn't have included this 🤦 This was a miserable attempt to obtain the concrete `Class<?>` instance for the request key and value types for caches. Please excuse my desperation. * fix(lang): Fix resource retrieval as URL instead of stream * fix: Fix typos in schema locations Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix(javadoc): Fix jakarta servlet javadoc reference * jakarta-related cleanup * fixed ehcache.xml --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: lprimak <lenny@flowlogix.com>
…hain (#2461) * enh: Adds default NoAccess configuration to the default filter chain * added feature flag * chore: javax -> jakarta --------- Co-authored-by: Brian Demers <bdemers@apache.org>
* SHIRO #1585 - Jakarta namespaces - WIP - compiles, TESTS FAIL Also addresses #1629 and #2006 since Guice moves to 7.0.0 (EE9), Spring moves to 6.1.17 (EE10) and spring boot moves to 3.0.13 (EE10) Stuck on spring-boot autowire test. Also EasyMock -> 5.5 to support modern java class file formats Since Spring forces Java 17 * SHIRO #1585 - builds and all but 13 integration tests pass. Failures seem to center around test harness construction (marked with @disabled ) * fix: revert unnecessary changes * more reverts * more reverts * review comment * fixed compilation error * more reverts --------- Co-authored-by: lprimak <lenny@flowlogix.com>
lprimak
requested review from
bdemers,
bmarwell,
boris-petrov,
fpapon,
jbonofre and
steinarb
|
I realize that this is way too much to review line-by-line. |
| - package-ecosystem: 'maven' | ||
| directory: '/' | ||
| schedule: | ||
| interval: 'weekly' |
There was a problem hiding this comment.
Just out of curiosity: why weekly
FWIW I have daily on my dependabot workflows (probably because that was in the examples I started out with).
There was a problem hiding this comment.
Daily just produces too many PRs, too many workflow runs, just too much stuff to deal with on daily basis.
There was a problem hiding this comment.
(hm... good point on the many PRs bit. At least for npm upgrades (of which shiro probably has none). Maybe I should move to weekly in my own stuff for the npm upgrades)
| @@ -1,128 +0,0 @@ | |||
| <?xml version="1.0" encoding="UTF-8"?> | |||
There was a problem hiding this comment.
Does this mean no shiro BOM anymore? Or has it been moved? Or is it autogenerated by the release process?
There was a problem hiding this comment.
Yup. No Shiro BOM. It's no longer necessary since javax support was removed. Just a simple dependency will work now. No tricks :)
| Set<String> values = new HashSet<String>(); | ||
| NamingEnumeration ne = null; | ||
| Set<String> values = new HashSet<>(); | ||
| NamingEnumeration<?> ne = null; |
There was a problem hiding this comment.
(but here you can't use var since you need to type the null in ne)
| public static Collection<String> getAllAttributeValues(Attribute attr) throws NamingException { | ||
| Set<String> values = new HashSet<String>(); | ||
| NamingEnumeration ne = null; | ||
| Set<String> values = new HashSet<>(); |
There was a problem hiding this comment.
Since you're moving to new syntax anyway: why not var for all local variables where it is possible to use it?
Would be like this then:
var values = new HashSet<String>();
There was a problem hiding this comment.
For example, here we want to use base class Set<> instead of HasSet<> hence, var would change functionality, so var is (arguably) not appropriate here
| Object primary = null; | ||
| if (!isEmpty(principals)) { | ||
| Collection thisPrincipals = principals.fromRealm(getName()); | ||
| Collection<?> thisPrincipals = principals.fromRealm(getName()); |
There was a problem hiding this comment.
But this one could probably use var and you could maybe also remove Collection from the imports (if not used directly in your code).
| */ | ||
| package org.apache.shiro.aop; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; |
| protected Class getMethodArgumentType(Method method) { | ||
| Class[] paramTypes = method.getParameterTypes(); | ||
| protected Class<?> getMethodArgumentType(Method method) { | ||
| Class<?>[] paramTypes = method.getParameterTypes(); |
There was a problem hiding this comment.
one place where var could be used
| pc.add(5, getName()); | ||
| pc.add(new PropertyPrincipal(username), getName()); | ||
| account = new SimpleAccount(pc, password, getName()); | ||
| var principalBuilder = new ImmutablePrincipalCollection.Builder(); |
There was a problem hiding this comment.
var was introduced in JDK 11 so "var everywhere" isn't really in scope here since this is upgrade 11->17.
Also I am not a big fan of var everywhere, but of course it's useful in some places.
| @@ -57,7 +57,9 @@ public boolean accept(File dir, String name) { | |||
| } | |||
| }); | |||
|
|
|||
| assertEquals(1, warFiles.length, "Expected only one war file in target directory, run 'mvn clean' and try again"); | |||
| assertThat(warFiles.length) | |||
There was a problem hiding this comment.
Why not hasSize(1)? Should work even if this is an array?
There was a problem hiding this comment.
Feel free to change that once this is merged... great idea! This was done with an OpenRewrite recipe I guess it missed it :)
steinarb
left a comment
steinarb
left a comment
There was a problem hiding this comment.
LGTM! 👍
(Man!! That was massive!)
|
2+ years of work :) |
|
Many contributors and ecosystem contributions! |
7 participants
Minimum runtime Requirements:
Minimum build requirements:
Breaking Changes:
PrincipalCollectionimmutable (ImmutablePrincipalCollection)Security improvements:
Other Changes:
MergableAuthenticationInfoclassShiroFilterFactoryBeanPostProcessorto fix post processing warnings in SpringRemovals of deprecated artifacts
SimplePrincipalCollectionclassRandomSessionIdGeneratorclassHttpSessionContextclassJavaEnvironmentclassXmlSerializer.javaclassJakartaTransformerclass and it'sjakartify()methodShiroUrlPathHelperclassShiroRequestMappingConfigclassfixes #1584
Following this checklist to help us incorporate your contribution quickly and easily:
for the change (usually before you start working on it). Trivial changes like typos do not
require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
[#XXX] - Fixes bug in SessionManager,where you replace
#XXXwith the appropriate GitHub issue. Best practiceis to use the GitHub issue title in the pull request title and in the first line of the commit message.
fixes #XXXif merging the PR should close a related issue.mvn verifyto make sure basic checks pass. A more thorough check will be performed on your pull request automatically.Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like
[DOC] - Add javadoc in SessionManager.If this is your first contribution, you have to read the Contribution Guidelines
If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.
To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.