Merge branch 'main' into spring-postprocess-warnings

.github/dependabot.yml

@@ -58,6 +58,9 @@ updates:
       - dependency-name: "org.omnifaces:omnifaces"
         update-types: [ "version-update:semver-major" ]
 
+      - dependency-name: "org.aspectj:*"
+        update-types: [ "version-update:semver-patch" ]
+
       - dependency-name: "org.springframework*:*"
         update-types: [ "version-update:semver-major" ]
       - dependency-name: "com.flowlogix:flowlogix-jee"
@@ -69,6 +72,8 @@ updates:
         update-types: [ "version-update:semver-major" ]
       - dependency-name: "org.apache.johnzon:*"
         update-types: [ "version-update:semver-major" ]
+      - dependency-name: "com.hazelcast:*"
+        update-types: [ "version-update:semver-minor" ]
 
   # Dependencies for Maven - on 1.13.x
   - package-ecosystem: 'maven'
@@ -109,6 +114,8 @@ updates:
         update-types: [ "version-update:semver-major" ]
       - dependency-name: "com.github.mjeanroy:junit-servers-jetty"
         update-types: [ "version-update:semver-minor" ]
+      - dependency-name: "com.hazelcast:*"
+        update-types: [ "version-update:semver-minor" ]
 
   # Dependencies for GitHub Actions
   - package-ecosystem: 'github-actions'

.github/workflows/codeql.yml

@@ -60,18 +60,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Cache local Maven repository
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 #v4.0.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -85,7 +85,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -98,6 +98,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/maven.yml

@@ -33,10 +33,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up JDK
-        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           java-version: 11
           distribution: temurin
@@ -55,7 +55,7 @@ jobs:
     strategy:
       matrix:
         os: [ 'ubuntu-latest', 'windows-latest', 'macOS-latest' ]
-        jdk: [ 11, 17, 21 ]
+        jdk: [ 11, 17, 21, 22 ]
         dist: [ 'temurin', 'adopt-openj9', 'zulu' ]
         exclude:
           # was already built
@@ -71,16 +71,19 @@ jobs:
           # no OpenJ9 21
           - dist: adopt-openj9
             jdk: 21
+          # no OpenJ9 22
+          - dist: adopt-openj9
+            jdk: 22
       fail-fast: false
 
     runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up JDK
-        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           java-version: ${{ matrix.jdk }}
           distribution: ${{ matrix.dist }}
@@ -98,7 +101,7 @@ jobs:
           -Pskip_jakarta_ee_tests
 
       - name: Archive test run logs
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: test-logs-${{ matrix.os }}-${{ matrix.jdk }}-${{ matrix.dist }}

.github/workflows/scorecards.yml

@@ -42,12 +42,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #tag=2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 #tag=2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -66,14 +66,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # tag=v4.0.0
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # tag=v4.3.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a #tag=v2
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 #tag=v2
         with:
           sarif_file: results.sarif

.gitignore

@@ -52,3 +52,4 @@ release.properties
 pom.xml.*
 -
 .sdkmanrc
+.DS_Store

.jenkins.groovy

@@ -36,7 +36,7 @@ pipeline {
                     axis {
                         // https://cwiki.apache.org/confluence/display/INFRA/JDK+Installation+Matrix
                         name 'MATRIX_JDK'
-                        values 'jdk_11_latest', 'jdk_17_latest', 'jdk_21_latest'
+                        values 'jdk_11_latest', 'jdk_17_latest', 'jdk_21_latest', 'jdk_22_latest'
                     }
                     // Additional axes, like OS and maven version can be configured here.
                 }

config/ogdl/src/test/groovy/org/apache/shiro/config/ogdl/CommonsInterpolatorTest.groovy

@@ -20,6 +20,7 @@ package org.apache.shiro.config.ogdl
 
 import org.apache.shiro.config.ogdl.CommonsInterpolator
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.parallel.Isolated
 
 import static org.junit.jupiter.api.Assertions.assertEquals
 import static org.junit.jupiter.api.Assertions.assertNull
@@ -28,6 +29,7 @@ import static org.junit.jupiter.api.Assertions.assertNull
  * Tests for {@link org.apache.shiro.config.ogdl.CommonsInterpolator}.
  * @since 1.4
  */
+@Isolated("System property usage")
 class CommonsInterpolatorTest {
 
     @SuppressWarnings("unused")

config/ogdl/src/test/groovy/org/apache/shiro/config/ogdl/ReflectionBuilderTest.groovy

@@ -26,6 +26,7 @@ import org.apache.shiro.config.ConfigurationException
 import org.apache.shiro.config.Ini
 import org.apache.shiro.config.ogdl.event.BeanEvent
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.parallel.Isolated
 
 import java.util.concurrent.ConcurrentHashMap
 
@@ -36,6 +37,7 @@ import static org.hamcrest.Matchers.*
 /**
  * Unit tests for the {@link org.apache.shiro.config.ogdl.ReflectionBuilder} implementation.
  */
+@Isolated
 @SuppressWarnings("GrMethodMayBeStatic")
 class ReflectionBuilderTest {
 

core/pom.xml

@@ -36,6 +36,18 @@
 
     <build>
         <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <annotationProcessorPaths>
+                        <annotationProcessorPath>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                            <version>${lombok.version}</version>
+                        </annotationProcessorPath>
+                    </annotationProcessorPaths>
+                </configuration>
+            </plugin>
             <!-- collect the test classes so they can be referenced by other modules -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -146,6 +158,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-configuration2</artifactId>
+            <optional>true</optional>
         </dependency>
 
         <!-- Test dependencies -->
@@ -168,6 +181,19 @@
             <artifactId>log4j-core-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>${lombok.version}</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
 
         <!-- JDBC Realm tests: -->
         <dependency>

core/src/main/java/org/apache/shiro/SecurityUtils.java

@@ -19,8 +19,11 @@
 package org.apache.shiro;
 
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.mgt.WrappedSecurityManager;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ThreadContext;
+import java.util.Objects;
+import java.util.function.Predicate;
 
 
 /**
@@ -123,4 +126,66 @@ public static SecurityManager getSecurityManager() throws UnavailableSecurityMan
         }
         return securityManager;
     }
+
+    /**
+     * Returns the SecurityManager, ensuring it is of the specified type.
+     * Unwraps wrapped SecurityManagers if necessary.
+     * Caution, since this method unwraps SecurityManagers, it is possible that
+     * functionality of the wrapper is lost by the returned instance.
+     *
+     * @param type the expected type of the SecurityManager
+     * @return the SecurityManager.
+     * @param <SM> the expected type of the SecurityManager
+     */
+    public static <SM extends SecurityManager> SM getSecurityManager(Class<SM> type) {
+        Objects.requireNonNull(type, "Class argument cannot be null.");
+        return unwrapSecurityManager(getSecurityManager(), type);
+    }
+
+    /**
+     * Determines if the specified security manager is of the specified type or a subclass of the specified type.
+     *
+     * @param securityManager
+     * @param type
+     * @return true if the security manager is of the specified type or a subclass of the specified type, false otherwise.
+     */
+    public static boolean isSecurityManagerTypeOf(SecurityManager securityManager,
+                                                  Class<? extends SecurityManager> type) {
+        return type.isAssignableFrom(unwrapSecurityManager(securityManager, type).getClass());
+    }
+
+    /**
+     * Unwraps wrapped SecurityManagers if necessary.
+     * @param securityManager the SecurityManager to unwrap
+     * @param type the expected type of the SecurityManager
+     * @return the unwrapped SecurityManager
+     * @param <SM> Type of the SecurityManager
+     */
+    public static <SM extends SecurityManager> SM
+    unwrapSecurityManager(SecurityManager securityManager, Class<SM> type) {
+        return unwrapSecurityManager(securityManager, type, type::isAssignableFrom);
+    }
+
+    /**
+     * Unwraps wrapped SecurityManagers if necessary.
+     * @param securityManager the SecurityManager to unwrap
+     * @param type the expected type of the SecurityManager
+     * @param predicate to determine if the SecurityManager is of the expected type
+     * @return the unwrapped SecurityManager
+     * @param <SM> Type of the SecurityManager
+     */
+    @SuppressWarnings("unchecked")
+    public static <SM extends SecurityManager> SM
+    unwrapSecurityManager(SecurityManager securityManager, Class<SM> type,
+                          Predicate<Class<? extends SecurityManager>> predicate) {
+        while (securityManager instanceof WrappedSecurityManager && !predicate.test(securityManager.getClass())) {
+            WrappedSecurityManager wrappedSecurityManager = (WrappedSecurityManager) securityManager;
+            securityManager = wrappedSecurityManager.unwrap();
+            if (securityManager == wrappedSecurityManager) {
+                throw new IllegalStateException("SecurityManager implementation of type [" + type.getName()
+                        + "] is wrapped by itself, which is an invalid configuration.");
+            }
+        }
+        return (SM) securityManager;
+    }
 }

core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java

@@ -355,7 +355,9 @@ public Subject createSubject(SubjectContext subjectContext) {
         //(this is needed here in case rememberMe principals were resolved and they need to be stored in the
         //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
         //Added in 1.2:
-        save(subject);
+        if (context.isSessionCreationEnabled()) {
+            save(subject);
+        }
 
         return subject;
     }

core/src/main/java/org/apache/shiro/mgt/WrappedSecurityManager.java

@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.mgt;
+
+/**
+ * Interface implemented by {@link SecurityManager} implementations that wrap another {@code SecurityManager} instance.
+ */
+public interface WrappedSecurityManager {
+    /**
+     * Returns the underlying {@code SecurityManager} instance that this instance wraps.
+     *
+     * @return instance
+     * @param <SM> {@link SecurityManager} implementation type
+     */
+    <SM extends SecurityManager> SM unwrap();
+}

core/src/test/groovy/org/apache/shiro/authc/credential/DefaultPasswordServiceTest.groovy

@@ -29,6 +29,7 @@ import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat
 import org.junit.jupiter.api.DisplayName
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.function.Executable
+import org.junit.jupiter.api.parallel.Isolated
 
 import static org.easymock.EasyMock.*
 import static org.junit.jupiter.api.Assertions.*
@@ -38,6 +39,7 @@ import static org.junit.jupiter.api.Assertions.*
  *
  * @since 1.2
  */
+@Isolated
 class DefaultPasswordServiceTest {
 
     @Test