Merge branch 'main' into 3.x-jakarta-ee10

Author: rgcv

.github/dependabot.yml

@@ -16,22 +16,13 @@
 # under the License.
 
 version: 2
-# Add Maven Central explicitly to work around:
-#   https://github.com/dependabot/dependabot-core/issues/8329
-registries:
-  maven-central:
-    type: maven-repository
-    url: https://repo.maven.apache.org/maven2
-
 updates:
   # Dependencies for Maven
   - package-ecosystem: 'maven'
     directory: '/'
     schedule:
       interval: 'daily'
     open-pull-requests-limit: 50
-    registries:
-      - maven-central
     ignore:
       - dependency-name: "jakarta.platform:*"
         update-types: [ "version-update:semver-major" ]
@@ -82,8 +73,6 @@ updates:
     schedule:
       interval: 'daily'
     open-pull-requests-limit: 50
-    registries:
-      - maven-central
     ignore:
       - dependency-name: "jakarta.servlet.*:*"
         update-types: [ "version-update:semver-major" ]

.github/workflows/codeql.yml

@@ -63,15 +63,15 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Cache local Maven repository
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf #v4.2.2
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -96,6 +96,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/maven.yml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK
-        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: 17
           distribution: temurin
@@ -83,7 +83,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK
-        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: ${{ matrix.jdk }}
           distribution: ${{ matrix.dist }}
@@ -101,7 +101,7 @@ jobs:
           -Pskip_jakarta_ee_tests
 
       - name: Archive test run logs
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: test-logs-${{ matrix.os }}-${{ matrix.jdk }}-${{ matrix.dist }}

.github/workflows/scorecards.yml

@@ -66,14 +66,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # tag=v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d #tag=v2
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b #tag=v2
         with:
           sarif_file: results.sarif

.github/workflows/stale.yml

@@ -34,7 +34,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close Stale Issues
-        uses: actions/stale@v9
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           # default is 60
           days-before-stale: 90
+          exempt-issue-labels: valid
+          exempt-pr-labels: valid

README.md

@@ -2,7 +2,7 @@
 
 [![Maven Central](https://img.shields.io/maven-central/v/org.apache.shiro/shiro-core)](https://central.sonatype.com/artifact/org.apache.shiro/shiro-core/)
 [![Build Status](https://ci-builds.apache.org/buildStatus/icon?job=Shiro%2FShiro-all%2Fmain)](https://ci-builds.apache.org/job/Shiro/job/Shiro-all/job/main/)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/apache/shiro/badge)](https://api.securityscorecards.dev/projects/github.com/apache/shiro)
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/apache/shiro?style=plastic&label=openssf%20scorecard)](https://deps.dev/project/github/apache%2Fshiro)
 [![Reproducible Builds](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/jvm-repo-rebuild/reproducible-central/master/content/org/apache/shiro/badge.json)](https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/shiro/README.md)
 
 Apache Shiro

core/src/main/java/org/apache/shiro/mgt/AbstractRememberMeManager.java

@@ -29,6 +29,7 @@
 import org.apache.shiro.lang.io.Serializer;
 import org.apache.shiro.lang.util.ByteSource;
 import org.apache.shiro.lang.util.ByteUtils;
+import org.apache.shiro.lang.util.ClassUtils;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.SubjectContext;
@@ -509,7 +510,12 @@ protected byte[] decrypt(byte[] encrypted) {
      * @return the serialized principal collection in the form of a byte array
      */
     protected byte[] serialize(PrincipalCollection principals) {
-        return getSerializer().serialize(principals);
+        ClassUtils.setAdditionalClassLoader(AbstractRememberMeManager.class.getClassLoader());
+        try {
+            return getSerializer().serialize(principals);
+        } finally {
+            ClassUtils.removeAdditionalClassLoader();
+        }
     }
 
     /**
@@ -520,7 +526,12 @@ protected byte[] serialize(PrincipalCollection principals) {
      * @return the deserialized (reconstituted) {@code PrincipalCollection}
      */
     protected PrincipalCollection deserialize(byte[] serializedIdentity) {
-        return getSerializer().deserialize(serializedIdentity);
+        ClassUtils.setAdditionalClassLoader(AbstractRememberMeManager.class.getClassLoader());
+        try {
+            return getSerializer().deserialize(serializedIdentity);
+        } finally {
+            ClassUtils.removeAdditionalClassLoader();
+        }
     }
 
     /**

core/src/main/java/org/apache/shiro/realm/AuthenticatingRealm.java

@@ -391,7 +391,7 @@ public boolean supports(AuthenticationToken token) {
      * @since 1.2
      */
     public final void init() {
-        //trigger obtaining the authorization cache if possible
+        //trigger obtaining the authentication cache if possible
         getAvailableAuthenticationCache();
         onInit();
     }
@@ -411,7 +411,7 @@ protected void onInit() {
      * @since 1.2
      */
     protected void afterCacheManagerSet() {
-        //trigger obtaining the authorization cache if possible
+        //trigger obtaining the authentication cache if possible
         getAvailableAuthenticationCache();
     }
 
@@ -485,9 +485,9 @@ private AuthenticationInfo getCachedAuthenticationInfo(AuthenticationToken token
             Object key = getAuthenticationCacheKey(token);
             info = cache.get(key);
             if (info == null) {
-                LOGGER.trace("No AuthorizationInfo found in cache for key [{}]", key);
+                LOGGER.trace("No AuthenticationInfo found in cache for key [{}]", key);
             } else {
-                LOGGER.trace("Found cached AuthorizationInfo for key [{}]", key);
+                LOGGER.trace("Found cached AuthenticationInfo for key [{}]", key);
             }
         }
 
@@ -677,7 +677,7 @@ private static boolean isEmpty(PrincipalCollection pc) {
      * {@link #clearCache(org.apache.shiro.subject.PrincipalCollection)} method instead (which will in turn call this
      * method by default).
      *
-     * @param principals the principals of the account for which to clear the cached AuthorizationInfo.
+     * @param principals the principals of the account for which to clear the cached AuthenticationInfo.
      * @see #clearCache(org.apache.shiro.subject.PrincipalCollection)
      * @since 1.2
      */

core/src/main/java/org/apache/shiro/session/mgt/AbstractValidatingSessionManager.java

@@ -140,10 +140,18 @@ protected void validate(Session session, SessionKey key) throws InvalidSessionEx
         try {
             doValidate(session);
         } catch (ExpiredSessionException ese) {
-            onExpiration(session, ese, key);
+            try {
+                onExpiration(session, ese, key);
+            } catch (IllegalStateException eise) {
+                LOGGER.trace("Attempting to validate an expired session with key {}", key, eise);
+            }
             throw ese;
         } catch (InvalidSessionException ise) {
-            onInvalidation(session, ise, key);
+            try {
+                onInvalidation(session, ise, key);
+            } catch (IllegalStateException eise) {
+                LOGGER.trace("Attempting to validate session with key {}", key, eise);
+            }
             throw ise;
         }
     }

core/src/main/java/org/apache/shiro/util/ThreadContext.java

@@ -60,7 +60,7 @@ public abstract class ThreadContext {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ThreadContext.class);
 
-    private static final ThreadLocal<Map<Object, Object>> RESOURCES = new InheritableThreadLocalMap<Map<Object, Object>>();
+    private static final ThreadLocal<Map<Object, Object>> RESOURCES = new ThreadLocal<>();
 
     /**
      * Default no-argument constructor.
@@ -327,26 +327,5 @@ public static void bind(Subject subject) {
     public static Subject unbindSubject() {
         return (Subject) remove(SUBJECT_KEY);
     }
-
-    private static final class InheritableThreadLocalMap<T extends Map<Object, Object>>
-                                            extends InheritableThreadLocal<Map<Object, Object>> {
-
-        /**
-         * This implementation was added to address a
-         * <a href="http://jsecurity.markmail.org/search/?q=#query:+page:1+mid:xqi2yxurwmrpqrvj+state:results">
-         * user-reported issue</a>.
-         *
-         * @param parentValue the parent value, a HashMap as defined in the {@link #initialValue()} method.
-         * @return the HashMap to be used by any parent-spawned child threads (a clone of the parent HashMap).
-         */
-        @SuppressWarnings({"unchecked"})
-        protected Map<Object, Object> childValue(Map<Object, Object> parentValue) {
-            if (parentValue != null) {
-                return (Map<Object, Object>) ((HashMap<Object, Object>) parentValue).clone();
-            } else {
-                return null;
-            }
-        }
-    }
 }