Apache Shiro 2.2.0 has been available since May 26, 2026. 🚀
Not the kind of release that should be sold as “magic security”.
More like: a maintenance and hardening release for a Java security framework that still deserves attention.
🔸 TLDR
▪️ Apache Shiro 2.2.0 is a maintenance release.
▪️ It brings bug fixes, improvements and dependency updates.
▪️ It also continues the security hardening around web/Jakarta EE usage.
▪️ If you use shiro-jakarta-ee, check the latest 2.2.x patch level, not only 2.2.0.

🔸 WHAT IS APACHE SHIRO?
Apache Shiro is a Java security framework focused on:
▪️ Authentication: who are you?
▪️ Authorization: what are you allowed to do?
▪️ Cryptography: how do we protect sensitive data?
▪️ Session management: how do we manage user state?
Its goal is to give developers a simple API for common security concerns without forcing every application into the same architecture.
🔸 FEATURE 1: AUTHENTICATION
Subject user = SecurityUtils.getSubject();
if (!user.isAuthenticated()) {
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    user.login(token);
}
This shows the core Shiro login flow: get the current Subject, create an authentication token, then ask Shiro to authenticate it through the configured Realm.
🔸 FEATURE 2: AUTHORIZATION
if (user.hasRole("admin") && user.isPermitted("invoice:create")) { createInvoice(); }
Shiro supports role checks and fine-grained permission checks, so access control can be expressed close to the business action being protected.
🔸 FEATURE 3: SESSION MANAGEMENT
Session session = user.getSession();
session.setAttribute("cartId", cartId);
user.logout();
Shiro sessions can be used through a consistent API, and logout removes identity information while invalidating the user session.
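The three flows above, run end to end as an added example (my code, not from the post or the Shiro project). It wires an in-memory IniRealm so it executes stand-alone; the only assumption is shiro-core 2.2.0 (plus an SLF4J binding) on the classpath, and the accounts, passwords and permission strings are constructed for the demo.

```java
// Added example: authentication, authorization and session flows against an
// in-memory IniRealm. Assumes shiro-core 2.2.0 on the classpath.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroCoreFlowsDemo {

    static DefaultSecurityManager buildSecurityManager() {
        // Constructed demo accounts. [users] format: username = password, role1, role2...
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "s3cret, admin");
        ini.setSectionProperty("users", "bob", "pa55word");
        // [roles] format: role = permission1, permission2...  ("invoice:*" is a wildcard permission)
        ini.setSectionProperty("roles", "admin", "invoice:*");

        IniRealm realm = new IniRealm(ini);
        // Demo only: plaintext comparison. A real realm stores hashed passwords and
        // uses a PasswordMatcher backed by a PasswordService.
        realm.setCredentialsMatcher(new SimpleCredentialsMatcher());
        return new DefaultSecurityManager(realm);
    }

    /** FEATURE 1: authenticate through the configured Realm; false on bad credentials. */
    static boolean login(Subject user, String username, char[] password) {
        if (user.isAuthenticated()) {
            return true;
        }
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            user.login(token);
            return true;
        } catch (AuthenticationException e) {
            // Do not echo e.getMessage() to the client: it can reveal which part failed.
            return false;
        } finally {
            token.clear(); // wipe the password array once Shiro has used it
        }
    }

    /** FEATURE 2: coarse role check plus fine-grained permission check; both must pass. */
    static boolean mayCreateInvoice(Subject user) {
        return user.hasRole("admin") && user.isPermitted("invoice:create");
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject user = SecurityUtils.getSubject();

        // Wrong password first: login must fail and leave the Subject unauthenticated.
        System.out.println("bad password accepted? " + login(user, "alice", "nope".toCharArray()));
        System.out.println("authenticated after failure? " + user.isAuthenticated());

        // Correct credentials: alice holds invoice:* so invoice:create is implied.
        System.out.println("alice login ok? " + login(user, "alice", "s3cret".toCharArray()));
        System.out.println("alice may create invoices? " + mayCreateInvoice(user));
        System.out.println("alice may delete users? " + user.isPermitted("user:delete"));

        // FEATURE 3: session state travels with the Subject.
        Session session = user.getSession();
        session.setAttribute("cartId", "cart-42");
        System.out.println("cartId in session: " + session.getAttribute("cartId"));

        // Logout drops identity and invalidates the session.
        user.logout();
        System.out.println("authenticated after logout? " + user.isAuthenticated());
        System.out.println("session still present? " + (user.getSession(false) != null));

        // A user without the role is denied even though authentication succeeded.
        System.out.println("bob login ok? " + login(user, "bob", "pa55word".toCharArray()));
        System.out.println("bob may create invoices? " + mayCreateInvoice(user));
        user.logout();
    }
}
```

Two points worth noticing when you run it: the failed login leaves the Subject unauthenticated rather than half-logged-in, and after logout getSession(false) returns null, which is the behaviour the logout sentence above describes.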
🔸 WHAT 2.2.0 BRINGS
▪️ Maintenance fixes 🧰 Bug fixes, small improvements and dependency updates.
▪️ Dependency refreshes 📦 Updates across logging, web, testing, build and infrastructure dependencies.
▪️ Security hardening 🔐 The 2.2.0 line includes fixes around session fixation, secure cookie defaults and Jakarta EE saved-request handling.
▪️ Better project hygiene 🧹 More checks around formatting, markdown, YAML, spelling, pre-commit hooks and CI workflows.
▪️ New contributor 👏 Another reminder that open source evolves because people contribute.
🔸 WHEN DO I NEED IT?
You may need Apache Shiro when:
▪️ You want authentication and authorization without adopting the full Spring Security ecosystem.
▪️ You work on a plain Java, Jakarta EE, CLI, batch, legacy or non-Spring application.
▪️ You need a simple security model based on Subject, Realm, Role, Permission and Session.
▪️ You want security to stay explicit and readable in the codebase.
▪️ You need to integrate your own identity source: database, LDAP, custom user store or external system.
Shiro is not “better than Spring Security”. It is useful when you need a lightweight, flexible and framework-agnostic security layer. 🛡️
🔸 WHAT IS THE EQUIVALENT IN THE SPRING ECOSYSTEM?
The closest equivalent is Spring Security.
In practice:
▪️ Authentication / authorization → Spring Security
▪️ Session management → Spring Session
▪️ OAuth2 / OpenID Connect login → Spring Security OAuth2 support
▪️ Building an OAuth2 / OpenID Connect authorization server → Spring Authorization Server
So, if you are building a Spring Boot application, Spring Security is usually the default choice.
If you are outside Spring, or you want a smaller framework-agnostic security API, Apache Shiro can be a relevant option.
🔸 CAN SHIRO BE USED WITH SPRING BOOT?
Yes, Apache Shiro can be used with Spring Boot. ✅
For a web application, you can add the Shiro Spring Boot web starter:
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>2.2.0</version>
</dependency>
Then you configure your Realm, filters, roles and permissions.
But there is an important nuance:
▪️ In a classic Spring Boot application, Spring Security is usually the default choice.
▪️ Shiro can make sense if you already use Shiro, migrate a legacy app, or prefer its Subject / Realm / Permission model.
▪️ For a greenfield Spring Boot project, I would first evaluate Spring Security before choosing Shiro.
So yes, Shiro works with Spring Boot.
But the real question is not “Can I?” It is: “Do I have a good reason not to use Spring Security here?” 🤔
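What "configure your Realm, filters, roles and permissions" looks like with the starter, as an added example (my code, not from the post or the Shiro project). It assumes shiro-spring-boot-web-starter 2.2.0; the package name, cookie name, path patterns and demo accounts are my choices. It also sets the session-cookie flags explicitly, so the hardening the 2.2.0 bullets mention is visible in code review rather than left to framework defaults.

```java
// Added example: Shiro wiring for a Spring Boot web application.
// Assumes shiro-spring-boot-web-starter 2.2.0; names and paths are assumptions.
package com.example.shirodemo;

import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    /** Identity source. Constructed demo data; swap for a JDBC/LDAP realm in a real app. */
    @Bean
    public Realm realm() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "s3cret, admin");
        ini.setSectionProperty("roles", "admin", "invoice:*");
        return new IniRealm(ini);
    }

    /** URL-level access rules, most specific first; the catch-all requires authentication. */
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        chain.addPathDefinition("/login", "authc");
        chain.addPathDefinition("/logout", "logout");
        chain.addPathDefinition("/admin/**", "authc, roles[admin]");
        chain.addPathDefinition("/invoices/new", "authc, perms[invoice:create]");
        chain.addPathDefinition("/**", "authc");
        return chain;
    }

    /** Native Shiro sessions with an explicitly hardened session-id cookie. */
    @Bean
    public SessionManager sessionManager() {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        SimpleCookie cookie = new SimpleCookie("SHIRO_SESSION"); // cookie name is an assumption
        cookie.setHttpOnly(true);                 // not readable from page scripts
        cookie.setSecure(true);                   // only sent over HTTPS
        cookie.setSameSite(Cookie.SameSiteOptions.STRICT);
        manager.setSessionIdCookie(cookie);
        manager.setSessionIdUrlRewriting(false);  // never put the session id in URLs
        return manager;
    }
}
```

The starter reads shiro.loginUrl, shiro.successUrl and shiro.unauthorizedUrl from application properties, so set shiro.loginUrl=/login to match the chain above. Declaring the cookie flags yourself means an upgrade that changes the defaults does not silently change your posture either way.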
🔸 IMPORTANT SECURITY NOTE
Because Shiro is a security framework, version numbers matter.
If you are using shiro-jakarta-ee, do not stop at “2.2.0 exists”.
Check whether you should move to 2.2.1 or later, especially because CVE-2026-48589 affects shiro-jakarta-ee up to 2.2.0.
Security updates are not marketing. They are maintenance work that protects real applications.
🔸 TAKEAWAYS
▪️ Apache Shiro is still relevant for Java security use cases.
▪️ Its API remains easy to understand: Subject, Realm, Role, Permission, Session.
▪️ 2.2.0 is not a “big shiny feature” release.
▪️ It is a “keep your security stack clean” release.
▪️ Always read the security notes before upgrading a security library.
Security frameworks are not only about adding protection.
They are also about reducing surprises. 🛡️
#Java #ApacheShiro #CyberSecurity #ApplicationSecurity #JavaSecurity #OpenSource #JakartaEE #BackendDevelopment #SoftwareEngineering #SecureCoding
Apache Shiro has some unique features as well:
- Framework independent distributed sessions
- Transparent form input preservation across session expiration and login
- Wildcard permissions
- Full Spring and Jakarta EE integration
- Much easier to use than both Spring and Jakarta EE security
Thank you Vince for the mention!
Support available from Flow Logix, Inc and Yupiik