Apache Shiro 1.2.4 发布了，改进记录包括：

Bug

• [SHIRO-421] - Unable to set long timeouts on HttpServletSession

• [SHIRO-442] - CAS client fails with multi-valued SAML attributes

• [SHIRO-444] - Rewrite AuthorizingRealm, and configure the cacheManager throws an exception

• [SHIRO-462] - Authentication exceptions are swallowed

• [SHIRO-483] - passwordsMatch() returns false with right plain password-encrypted password in JVM with default locale tr_TR

• [SHIRO-517] - Caused by: java.lang.NoClassDefFoundError: Lcom/google/inject/internal/util/$ImmutableList;

• [SHIRO-518] - Shiro-CAS: Security Problem in cas-client-core versions older than 3.3.2

Documentation

• [SHIRO-534] - Provide better documentation around permissions

Improvement

• [SHIRO-332] - Change access level of method 'isPermitted' in org.apache.shiro.realm.AuthorizingRealm (line 461) from private to protected

• [SHIRO-428] - AuthorizingRealm "no cache" logging should be at DEBUG level, not INFO, OR is should log only once

• [SHIRO-465] - Support externalized principal mapping in AuthenticatingRealm and ModularRealmAuthenticator

• [SHIRO-479] - update ehcache dependency

• [SHIRO-496] - Update shior.guice dependency

• [SHIRO-498] - ThreadLocal should not be created when not necessary

• [SHIRO-499] - Kerberos Realm

• [SHIRO-504] - Java 8 support

New Feature

• [SHIRO-445] - Mechanism needed to secure passwords in shiro.ini

• [SHIRO-464] - Support role mapping similar to PermissionResolver and RolePermissionResolver

• [SHIRO-501] - Add ability to set system properties in shiro.ini