Deprecated API

Contents

• Classes
• Methods
• Constructors

Deprecated Classes

Class	Description
org.apache.shiro.authc.credential.Sha256CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its hashAlgorithmName property.
org.apache.shiro.authc.credential.Sha384CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its hashAlgorithmName property.
org.apache.shiro.authc.credential.Sha512CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its hashAlgorithmName property.
org.apache.shiro.ini.IniFactorySupport	use Shiro's Environment mechanisms instead.
org.apache.shiro.ini.IniSecurityManagerFactory	use Shiro's Environment mechanisms instead.
org.apache.shiro.realm.ldap.JndiLdapRealm	Renamed to DefaultLdapRealm, this class will be removed prior to 2.0
org.apache.shiro.util.JavaEnvironment	This class is no longer used in Shiro and will be removed in the next major version.

Deprecated Methods

Method	Description
org.apache.shiro.authc.credential.HashedCredentialsMatcher.getSalt(AuthenticationToken)	since Shiro 1.1. Hash salting is now expected to be based on if the AuthenticationInfo returned from the Realm is a SaltedAuthenticationInfo instance and its getCredentialsSalt() method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations that support hashed credentials start returning SaltedAuthenticationInfo instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.authc.credential.HashedCredentialsMatcher.isHashSalted()	since Shiro 1.1. Hash salting is now expected to be based on if the AuthenticationInfo returned from the Realm is a SaltedAuthenticationInfo instance and its getCredentialsSalt() method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations that support hashed credentials start returning SaltedAuthenticationInfo instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.authc.credential.HashedCredentialsMatcher.setHashSalted(boolean)	since Shiro 1.1. Hash salting is now expected to be based on if the AuthenticationInfo returned from the Realm is a SaltedAuthenticationInfo instance and its getCredentialsSalt() method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the Realm does not return SaltedAuthenticationInfo instances, but it is highly recommended that Realm implementations that support hashed credentials start returning SaltedAuthenticationInfo instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.mgt.DefaultSecurityManager.bind(Subject)	in favor of save(subject).
org.apache.shiro.mgt.DefaultSecurityManager.unbind(Subject)	in Shiro 1.2 in favor of DefaultSecurityManager.delete(org.apache.shiro.subject.Subject)
org.apache.shiro.mgt.DefaultSubjectFactory.newSubjectInstance(PrincipalCollection, boolean, String, Session, SecurityManager)	since 1.2 - override DefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext) directly if you need to instantiate a custom Subject class.
org.apache.shiro.util.CollectionUtils.isEmpty(PrincipalCollection)	Use PrincipalCollection.isEmpty() directly.

Deprecated Constructors

Constructor	Description
org.apache.shiro.UnavailableSecurityManagerException(String, Throwable)	This constructor is NOT used by Shiro directly, and will be removed in the future.