-
Classes Class Description org.apache.shiro.authc.credential.Md2CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.authc.credential.Md5CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.authc.credential.Sha1CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.authc.credential.Sha256CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.authc.credential.Sha384CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.authc.credential.Sha512CredentialsMatcher since 1.1 - use the HashedCredentialsMatcher directly and set itshashAlgorithmName
property.org.apache.shiro.config.IniFactorySupport use Shiro'sEnvironment
mechanisms instead.org.apache.shiro.config.IniSecurityManagerFactory use Shiro'sEnvironment
mechanisms instead.org.apache.shiro.realm.ldap.DefaultLdapContextFactory replaced by theJndiLdapContextFactory
implementation. This implementation will be removed prior to Shiro 2.0org.apache.shiro.realm.ldap.JndiLdapRealm Renamed toDefaultLdapRealm
, this class will be removed prior to 2.0org.apache.shiro.util.JavaEnvironment This class is no longer used in Shiro and will be removed in the next major version.
-
Methods Method Description org.apache.shiro.authc.credential.HashedCredentialsMatcher.getSalt(AuthenticationToken) since Shiro 1.1. Hash salting is now expected to be based on if theAuthenticationInfo
returned from theRealm
is aSaltedAuthenticationInfo
instance and itsgetCredentialsSalt()
method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if theRealm
does not returnSaltedAuthenticationInfo
instances, but it is highly recommended thatRealm
implementations that support hashed credentials start returningSaltedAuthenticationInfo
instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.org.apache.shiro.authc.credential.HashedCredentialsMatcher.isHashSalted() since Shiro 1.1. Hash salting is now expected to be based on if theAuthenticationInfo
returned from theRealm
is aSaltedAuthenticationInfo
instance and itsgetCredentialsSalt()
method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if theRealm
does not returnSaltedAuthenticationInfo
instances, but it is highly recommended thatRealm
implementations that support hashed credentials start returningSaltedAuthenticationInfo
instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.org.apache.shiro.authc.credential.HashedCredentialsMatcher.setHashSalted(boolean) since Shiro 1.1. Hash salting is now expected to be based on if theAuthenticationInfo
returned from theRealm
is aSaltedAuthenticationInfo
instance and itsgetCredentialsSalt()
method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if theRealm
does not returnSaltedAuthenticationInfo
instances, but it is highly recommended thatRealm
implementations that support hashed credentials start returningSaltedAuthenticationInfo
instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.org.apache.shiro.mgt.DefaultSecurityManager.bind(Subject) in favor ofsave(subject)
.org.apache.shiro.mgt.DefaultSecurityManager.unbind(Subject) in Shiro 1.2 in favor ofDefaultSecurityManager.delete(org.apache.shiro.subject.Subject)
org.apache.shiro.mgt.DefaultSubjectFactory.newSubjectInstance(PrincipalCollection, boolean, String, Session, SecurityManager) since 1.2 - overrideDefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)
directly if you need to instantiate a customSubject
class.org.apache.shiro.realm.ldap.DefaultLdapContextFactory.getLdapContext(String, String) theDefaultLdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than String principals and credentials can be used. Shiro no longer calls this method - it will be removed before the 2.0 release.org.apache.shiro.realm.ldap.DefaultLdapContextFactory.setSearchBase(String) this attribute existed, but was never used in Shiro 1.x. It will be removed prior to Shiro 2.0.org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(String, String) theJndiLdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than String principals and credentials can be used. Shiro no longer calls this method - it will be removed before the 2.0 release.org.apache.shiro.realm.ldap.LdapContextFactory.getLdapContext(String, String) theLdapContextFactory.getLdapContext(Object, Object)
method should be used in all cases to ensure more than String principals and credentials can be used.org.apache.shiro.util.CollectionUtils.isEmpty(PrincipalCollection) Use PrincipalCollection.isEmpty() directly.
-
Constructors Constructor Description org.apache.shiro.UnavailableSecurityManagerException(String, Throwable) This constructor is NOT used by Shiro directly, and will be removed in the future.