This is an automated email from the ASF dual-hosted git repository.
jinwoo pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/develop by this push:
new 295cd4ca48 GEODE-10559: Introduction of Security Realm to Security
Manager (CVE-2026-23903 remediation) (#7986)
295cd4ca48 is described below
commit 295cd4ca48f2fdf6f51d15790a6b4d8884f3282b
Author: Jinwoo Hwang <[email protected]>
AuthorDate: Wed Mar 11 21:05:00 2026 -0400
GEODE-10559: Introduction of Security Realm to Security Manager
(CVE-2026-23903 remediation) (#7986)
* GEODE-10559: Upgrade Apache Shiro to 2.1.0; migrate APIs (CVE-2026-23903)
* GEODE-10559: update integration test resources after Shiro 2.1.0 bump
* Build an IniRealm
* include shiro
* remove shiro
* remove shiro
* Fix integration test snapshot: remove spurious logback-core entry
---
.../gradle/plugins/DependencyConstraints.groovy | 2 +-
.../integrationTest/resources/assembly_content.txt | 299 ++++++++++++++++++++-
.../integrationTest/resources/expected_jars.txt | 3 +
.../resources/gfsh_dependency_classpath.txt | 21 +-
.../security/IntegratedSecurityService.java | 10 +-
.../internal/security/SecurityServiceFactory.java | 16 +-
.../security/shiro/SecurityManagerProvider.java | 39 ++-
.../InternalDataSerializerShiroAcceptListTest.java | 9 +-
.../security/IntegratedSecurityServiceTest.java | 8 +-
.../resources/dependency_classpath.txt | 21 +-
10 files changed, 381 insertions(+), 47 deletions(-)
diff --git
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index cffd8e1772..27d9d70343 100644
---
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -49,7 +49,7 @@ class DependencyConstraints {
deps.put("log4j.version", "2.25.3")
deps.put("log4j-slf4j2-impl.version", "2.23.1")
deps.put("micrometer.version", "1.14.0")
- deps.put("shiro.version", "1.13.0")
+ deps.put("shiro.version", "2.1.0")
deps.put("slf4j-api.version", "2.0.17")
deps.put("jakarta.transaction-api.version", "2.0.1")
deps.put("jboss-modules.version", "1.11.0.Final")
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt
b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index 2dbd883f12..a1cee3298e 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -296,6 +296,284 @@
javadoc/org/apache/geode/cache/client/proxy/ProxySocketFactories.html
javadoc/org/apache/geode/cache/client/proxy/SniProxySocketFactory.html
javadoc/org/apache/geode/cache/client/proxy/package-summary.html
javadoc/org/apache/geode/cache/client/proxy/package-tree.html
+bin/gfsh
+bin/gfsh-completion.bash
+bin/gfsh.bat
+config/cache.xml
+config/gemfire.properties
+config/log4j2.xml
+config/open-all-jdk-packages-linux-openjdk-17
+javadoc/allclasses-index.html
+javadoc/allpackages-index.html
+javadoc/constant-values.html
+javadoc/deprecated-list.html
+javadoc/element-list
+javadoc/help-doc.html
+javadoc/index-all.html
+javadoc/index.html
+javadoc/javadoc-images/BucketAdvisor-state.png
+javadoc/javadoc-images/ConnectionManagerImpl.dia
+javadoc/javadoc-images/ConnectionManagerImpl.png
+javadoc/javadoc-images/QueueManagerImpl.dia
+javadoc/javadoc-images/QueueManagerImpl.png
+javadoc/javadoc-images/class-hierarchy.fig
+javadoc/javadoc-images/class-hierarchy.gif
+javadoc/javadoc-images/client_static_diagram.png
+javadoc/javadoc-images/data-serialization-exceptions.fig
+javadoc/javadoc-images/data-serialization-exceptions.gif
+javadoc/javadoc-images/distribution-managers.fig
+javadoc/javadoc-images/distribution-managers.gif
+javadoc/javadoc-images/elder.fig
+javadoc/javadoc-images/elder.jpg
+javadoc/javadoc-images/entry-life-cycle.fig
+javadoc/javadoc-images/entry-life-cycle.gif
+javadoc/javadoc-images/eventmatrix.xls
+javadoc/javadoc-images/example-cache.xml
+javadoc/javadoc-images/example-client-cache.xml
+javadoc/javadoc-images/example2-cache.xml
+javadoc/javadoc-images/example3-cache.xml
+javadoc/javadoc-images/extensible-hashing.fig
+javadoc/javadoc-images/extensible-hashing.gif
+javadoc/javadoc-images/health-classes.gif
+javadoc/javadoc-images/jcache-get-flow.fig
+javadoc/javadoc-images/jcache-get-flow.pdf
+javadoc/javadoc-images/jcache-put-flow.fig
+javadoc/javadoc-images/jcache-put-flow.pdf
+javadoc/javadoc-images/jcache-update-message-flow.fig
+javadoc/javadoc-images/jcache-update-message-flow.pdf
+javadoc/javadoc-images/merge-log-files.fig
+javadoc/javadoc-images/merge-log-files.gif
+javadoc/javadoc-images/partitioned-regions.fig
+javadoc/javadoc-images/partitioned-regions.gif
+javadoc/javadoc-images/turks.fig
+javadoc/javadoc-images/turks.jpg
+javadoc/jquery-ui.overrides.css
+javadoc/legal/ADDITIONAL_LICENSE_INFO
+javadoc/legal/ASSEMBLY_EXCEPTION
+javadoc/legal/LICENSE
+javadoc/legal/jquery.md
+javadoc/legal/jqueryUI.md
+javadoc/member-search-index.js
+javadoc/module-search-index.js
+javadoc/org/apache/geode/CancelCriterion.html
+javadoc/org/apache/geode/CancelException.html
+javadoc/org/apache/geode/CanonicalInstantiator.html
+javadoc/org/apache/geode/CopyException.html
+javadoc/org/apache/geode/CopyHelper.html
+javadoc/org/apache/geode/DataSerializable.Replaceable.html
+javadoc/org/apache/geode/DataSerializable.html
+javadoc/org/apache/geode/DataSerializer.html
+javadoc/org/apache/geode/Delta.html
+javadoc/org/apache/geode/DeltaSerializationException.html
+javadoc/org/apache/geode/ForcedDisconnectException.html
+javadoc/org/apache/geode/GemFireCacheException.html
+javadoc/org/apache/geode/GemFireCheckedException.html
+javadoc/org/apache/geode/GemFireConfigException.html
+javadoc/org/apache/geode/GemFireException.html
+javadoc/org/apache/geode/GemFireIOException.html
+javadoc/org/apache/geode/GemFireRethrowable.html
+javadoc/org/apache/geode/IncompatibleSystemException.html
+javadoc/org/apache/geode/Instantiator.html
+javadoc/org/apache/geode/InternalGemFireError.html
+javadoc/org/apache/geode/InternalGemFireException.html
+javadoc/org/apache/geode/InvalidDeltaException.html
+javadoc/org/apache/geode/InvalidValueException.html
+javadoc/org/apache/geode/InvalidVersionException.html
+javadoc/org/apache/geode/LogWriter.html
+javadoc/org/apache/geode/NoSystemException.html
+javadoc/org/apache/geode/OutOfOffHeapMemoryException.html
+javadoc/org/apache/geode/SerializationException.html
+javadoc/org/apache/geode/StatisticDescriptor.html
+javadoc/org/apache/geode/Statistics.html
+javadoc/org/apache/geode/StatisticsFactory.html
+javadoc/org/apache/geode/StatisticsType.html
+javadoc/org/apache/geode/StatisticsTypeFactory.html
+javadoc/org/apache/geode/SystemConnectException.html
+javadoc/org/apache/geode/SystemFailure.html
+javadoc/org/apache/geode/SystemIsRunningException.html
+javadoc/org/apache/geode/ToDataException.html
+javadoc/org/apache/geode/UncreatedSystemException.html
+javadoc/org/apache/geode/UnmodifiableException.html
+javadoc/org/apache/geode/UnstartedSystemException.html
+javadoc/org/apache/geode/admin/AdminConfig.Entry.html
+javadoc/org/apache/geode/admin/AdminConfig.html
+javadoc/org/apache/geode/admin/AdminDistributedSystem.html
+javadoc/org/apache/geode/admin/AdminDistributedSystemFactory.html
+javadoc/org/apache/geode/admin/AdminException.html
+javadoc/org/apache/geode/admin/AdminXmlException.html
+javadoc/org/apache/geode/admin/Alert.html
+javadoc/org/apache/geode/admin/AlertLevel.html
+javadoc/org/apache/geode/admin/AlertListener.html
+javadoc/org/apache/geode/admin/BackupStatus.html
+javadoc/org/apache/geode/admin/CacheDoesNotExistException.html
+javadoc/org/apache/geode/admin/CacheHealthConfig.html
+javadoc/org/apache/geode/admin/CacheServer.html
+javadoc/org/apache/geode/admin/CacheServerConfig.html
+javadoc/org/apache/geode/admin/CacheVm.html
+javadoc/org/apache/geode/admin/CacheVmConfig.html
+javadoc/org/apache/geode/admin/ConfigurationParameter.html
+javadoc/org/apache/geode/admin/DistributedSystemConfig.ConfigListener.html
+javadoc/org/apache/geode/admin/DistributedSystemConfig.html
+javadoc/org/apache/geode/admin/DistributedSystemHealthConfig.html
+javadoc/org/apache/geode/admin/DistributionLocator.html
+javadoc/org/apache/geode/admin/DistributionLocatorConfig.html
+javadoc/org/apache/geode/admin/GemFireHealth.Health.html
+javadoc/org/apache/geode/admin/GemFireHealth.html
+javadoc/org/apache/geode/admin/GemFireHealthConfig.html
+javadoc/org/apache/geode/admin/GemFireMemberStatus.html
+javadoc/org/apache/geode/admin/ManagedEntity.html
+javadoc/org/apache/geode/admin/ManagedEntityConfig.html
+javadoc/org/apache/geode/admin/MemberHealthConfig.html
+javadoc/org/apache/geode/admin/OperationCancelledException.html
+javadoc/org/apache/geode/admin/RegionNotFoundException.html
+javadoc/org/apache/geode/admin/RegionSubRegionSnapshot.html
+javadoc/org/apache/geode/admin/RuntimeAdminException.html
+javadoc/org/apache/geode/admin/Statistic.html
+javadoc/org/apache/geode/admin/StatisticResource.html
+javadoc/org/apache/geode/admin/SystemMember.html
+javadoc/org/apache/geode/admin/SystemMemberBridgeServer.html
+javadoc/org/apache/geode/admin/SystemMemberCache.html
+javadoc/org/apache/geode/admin/SystemMemberCacheEvent.html
+javadoc/org/apache/geode/admin/SystemMemberCacheListener.html
+javadoc/org/apache/geode/admin/SystemMemberCacheServer.html
+javadoc/org/apache/geode/admin/SystemMemberRegion.html
+javadoc/org/apache/geode/admin/SystemMemberRegionEvent.html
+javadoc/org/apache/geode/admin/SystemMemberType.html
+javadoc/org/apache/geode/admin/SystemMembershipEvent.html
+javadoc/org/apache/geode/admin/SystemMembershipListener.html
+javadoc/org/apache/geode/admin/UnmodifiableConfigurationException.html
+javadoc/org/apache/geode/admin/jmx/Agent.html
+javadoc/org/apache/geode/admin/jmx/AgentConfig.html
+javadoc/org/apache/geode/admin/jmx/AgentFactory.html
+javadoc/org/apache/geode/admin/jmx/package-summary.html
+javadoc/org/apache/geode/admin/jmx/package-tree.html
+javadoc/org/apache/geode/admin/package-summary.html
+javadoc/org/apache/geode/admin/package-tree.html
+javadoc/org/apache/geode/annotations/Experimental.html
+javadoc/org/apache/geode/annotations/Immutable.html
+javadoc/org/apache/geode/annotations/VisibleForTesting.html
+javadoc/org/apache/geode/annotations/package-summary.html
+javadoc/org/apache/geode/annotations/package-tree.html
+javadoc/org/apache/geode/cache/AttributesFactory.html
+javadoc/org/apache/geode/cache/AttributesMutator.html
+javadoc/org/apache/geode/cache/Cache.html
+javadoc/org/apache/geode/cache/CacheCallback.html
+javadoc/org/apache/geode/cache/CacheClosedException.html
+javadoc/org/apache/geode/cache/CacheEvent.html
+javadoc/org/apache/geode/cache/CacheException.html
+javadoc/org/apache/geode/cache/CacheExistsException.html
+javadoc/org/apache/geode/cache/CacheFactory.html
+javadoc/org/apache/geode/cache/CacheListener.html
+javadoc/org/apache/geode/cache/CacheLoader.html
+javadoc/org/apache/geode/cache/CacheLoaderException.html
+javadoc/org/apache/geode/cache/CacheRuntimeException.html
+javadoc/org/apache/geode/cache/DuplicatePrimaryPartitionException.html
+javadoc/org/apache/geode/cache/DynamicRegionFactory.Config.html
+javadoc/org/apache/geode/cache/DynamicRegionFactory.html
+javadoc/org/apache/geode/cache/DynamicRegionListener.html
+javadoc/org/apache/geode/cache/EntryDestroyedException.html
+javadoc/org/apache/geode/cache/EntryEvent.html
+javadoc/org/apache/geode/cache/EntryExistsException.html
+javadoc/org/apache/geode/cache/EntryNotFoundException.html
+javadoc/org/apache/geode/cache/EntryOperation.html
+javadoc/org/apache/geode/cache/EvictionAction.html
+javadoc/org/apache/geode/cache/EvictionAlgorithm.html
+javadoc/org/apache/geode/cache/EvictionAttributes.html
+javadoc/org/apache/geode/cache/EvictionAttributesMutator.html
+javadoc/org/apache/geode/cache/ExpirationAction.html
+javadoc/org/apache/geode/cache/ExpirationAttributes.html
+javadoc/org/apache/geode/cache/FailedSynchronizationException.html
+javadoc/org/apache/geode/cache/FixedPartitionAttributes.html
+javadoc/org/apache/geode/cache/FixedPartitionResolver.html
+javadoc/org/apache/geode/cache/GatewayConfigurationException.html
+javadoc/org/apache/geode/cache/GatewayException.html
+javadoc/org/apache/geode/cache/GemFireCache.html
+javadoc/org/apache/geode/cache/IncompatibleVersionException.html
+javadoc/org/apache/geode/cache/InterestPolicy.html
+javadoc/org/apache/geode/cache/InterestRegistrationEvent.html
+javadoc/org/apache/geode/cache/InterestRegistrationListener.html
+javadoc/org/apache/geode/cache/InterestResultPolicy.html
+javadoc/org/apache/geode/cache/LoaderHelper.html
+javadoc/org/apache/geode/cache/LossAction.html
+javadoc/org/apache/geode/cache/LowMemoryException.html
+javadoc/org/apache/geode/cache/MembershipAttributes.html
+javadoc/org/apache/geode/cache/MirrorType.html
+javadoc/org/apache/geode/cache/NoQueueServersAvailableException.html
+javadoc/org/apache/geode/cache/NoSubscriptionServersAvailableException.html
+javadoc/org/apache/geode/cache/Operation.html
+javadoc/org/apache/geode/cache/OperationAbortedException.html
+javadoc/org/apache/geode/cache/PartitionAttributes.html
+javadoc/org/apache/geode/cache/PartitionAttributesFactory.html
+javadoc/org/apache/geode/cache/PartitionResolver.html
+javadoc/org/apache/geode/cache/PartitionedRegionDistributionException.html
+javadoc/org/apache/geode/cache/PartitionedRegionStorageException.html
+javadoc/org/apache/geode/cache/Region.Entry.html
+javadoc/org/apache/geode/cache/Region.html
+javadoc/org/apache/geode/cache/RegionAccessException.html
+javadoc/org/apache/geode/cache/RegionAttributes.html
+javadoc/org/apache/geode/cache/RegionDestroyedException.html
+javadoc/org/apache/geode/cache/RegionDistributionException.html
+javadoc/org/apache/geode/cache/RegionEvent.html
+javadoc/org/apache/geode/cache/RegionExistsException.html
+javadoc/org/apache/geode/cache/RegionFactory.html
+javadoc/org/apache/geode/cache/RegionMembershipListener.html
+javadoc/org/apache/geode/cache/RegionReinitializedException.html
+javadoc/org/apache/geode/cache/RegionRoleException.html
+javadoc/org/apache/geode/cache/RegionRoleListener.html
+javadoc/org/apache/geode/cache/RegionService.html
+javadoc/org/apache/geode/cache/RegionShortcut.html
+javadoc/org/apache/geode/cache/RequiredRoles.html
+javadoc/org/apache/geode/cache/ResourceException.html
+javadoc/org/apache/geode/cache/ResumptionAction.html
+javadoc/org/apache/geode/cache/RoleEvent.html
+javadoc/org/apache/geode/cache/RoleException.html
+javadoc/org/apache/geode/cache/Scope.html
+javadoc/org/apache/geode/cache/SerializedCacheValue.html
+javadoc/org/apache/geode/cache/StatisticsDisabledException.html
+javadoc/org/apache/geode/cache/SubscriptionAttributes.html
+javadoc/org/apache/geode/cache/SynchronizationCommitConflictException.html
+javadoc/org/apache/geode/cache/TimeoutException.html
+javadoc/org/apache/geode/cache/TransactionDataNodeHasDepartedException.html
+javadoc/org/apache/geode/cache/TransactionDataNotColocatedException.html
+javadoc/org/apache/geode/cache/TransactionDataRebalancedException.html
+javadoc/org/apache/geode/cache/TransactionEvent.html
+javadoc/org/apache/geode/cache/TransactionException.html
+javadoc/org/apache/geode/cache/TransactionId.html
+javadoc/org/apache/geode/cache/TransactionInDoubtException.html
+javadoc/org/apache/geode/cache/TransactionListener.html
+javadoc/org/apache/geode/cache/TransactionWriter.html
+javadoc/org/apache/geode/cache/TransactionWriterException.html
+javadoc/org/apache/geode/cache/UnsupportedOperationInTransactionException.html
+javadoc/org/apache/geode/cache/UnsupportedVersionException.html
+javadoc/org/apache/geode/cache/VersionException.html
+javadoc/org/apache/geode/cache/asyncqueue/AsyncEvent.html
+javadoc/org/apache/geode/cache/asyncqueue/AsyncEventListener.html
+javadoc/org/apache/geode/cache/asyncqueue/AsyncEventQueue.html
+javadoc/org/apache/geode/cache/asyncqueue/AsyncEventQueueFactory.html
+javadoc/org/apache/geode/cache/asyncqueue/package-summary.html
+javadoc/org/apache/geode/cache/asyncqueue/package-tree.html
+javadoc/org/apache/geode/cache/client/AllConnectionsInUseException.html
+javadoc/org/apache/geode/cache/client/ClientCache.html
+javadoc/org/apache/geode/cache/client/ClientCacheFactory.html
+javadoc/org/apache/geode/cache/client/ClientNotReadyException.html
+javadoc/org/apache/geode/cache/client/ClientRegionFactory.html
+javadoc/org/apache/geode/cache/client/ClientRegionShortcut.html
+javadoc/org/apache/geode/cache/client/NoAvailableLocatorsException.html
+javadoc/org/apache/geode/cache/client/NoAvailableServersException.html
+javadoc/org/apache/geode/cache/client/Pool.html
+javadoc/org/apache/geode/cache/client/PoolFactory.html
+javadoc/org/apache/geode/cache/client/PoolManager.html
+javadoc/org/apache/geode/cache/client/ServerConnectivityException.html
+javadoc/org/apache/geode/cache/client/ServerOperationException.html
+javadoc/org/apache/geode/cache/client/ServerRefusedConnectionException.html
+javadoc/org/apache/geode/cache/client/SocketFactory.html
+javadoc/org/apache/geode/cache/client/SubscriptionNotEnabledException.html
+javadoc/org/apache/geode/cache/client/package-summary.html
+javadoc/org/apache/geode/cache/client/package-tree.html
+javadoc/org/apache/geode/cache/client/proxy/ProxySocketFactories.html
+javadoc/org/apache/geode/cache/client/proxy/SniProxySocketFactory.html
+javadoc/org/apache/geode/cache/client/proxy/package-summary.html
+javadoc/org/apache/geode/cache/client/proxy/package-tree.html
javadoc/org/apache/geode/cache/configuration/CacheConfig.AsyncEventQueue.html
javadoc/org/apache/geode/cache/configuration/CacheConfig.CacheServer.html
javadoc/org/apache/geode/cache/configuration/CacheConfig.GatewayHub.Gateway.GatewayEndpoint.html
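Review bot: The 278 added lines appear to duplicate entries that already exist earlier in this expected-content listing rather than reflect anything the Shiro bump changed: the four context lines directly above the insertion (`.../client/proxy/ProxySocketFactories.html` through `.../client/proxy/package-tree.html`) reappear verbatim as the last four added lines, and `bin/gfsh`, `config/gemfire.properties` and the `javadoc/org/apache/geode/*` entries are the kind of paths a listing normally begins with. This looks like a regenerated snapshot that was appended into the file instead of replacing it. Whether the assembly test tolerates duplicates depends on how it compares (set membership vs. line-by-line), which is not visible here; either way the duplicate block should be dropped so the file remains a faithful manifest of what ships.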
@@ -923,6 +1201,7 @@ lib/antlr-runtime-3.5.2.jar
lib/asm-9.9.1.jar
lib/asm-commons-9.9.1.jar
lib/asm-tree-9.9.1.jar
+lib/bcprov-jdk18on-1.82.jar
lib/classgraph-4.8.147.jar
lib/classmate-1.5.1.jar
lib/commons-beanutils-1.11.0.jar
@@ -1031,15 +1310,17 @@ lib/ra.jar
lib/reactive-streams-1.0.4.jar
lib/reactor-core-3.6.10.jar
lib/rmiio-2.1.2.jar
-lib/shiro-cache-1.13.0.jar
-lib/shiro-config-core-1.13.0.jar
-lib/shiro-config-ogdl-1.13.0.jar
-lib/shiro-core-1.13.0.jar
-lib/shiro-crypto-cipher-1.13.0.jar
-lib/shiro-crypto-core-1.13.0.jar
-lib/shiro-crypto-hash-1.13.0.jar
-lib/shiro-event-1.13.0.jar
-lib/shiro-lang-1.13.0.jar
+lib/shiro-cache-2.1.0.jar
+lib/shiro-config-core-2.1.0.jar
+lib/shiro-config-ogdl-2.1.0.jar
+lib/shiro-core-2.1.0.jar
+lib/shiro-crypto-cipher-2.1.0.jar
+lib/shiro-crypto-core-2.1.0.jar
+lib/shiro-crypto-hash-2.1.0.jar
+lib/shiro-event-2.1.0.jar
+lib/shiro-lang-2.1.0.jar
+lib/shiro-hashes-argon2-2.1.0.jar
+lib/shiro-hashes-bcrypt-2.1.0.jar
lib/slf4j-api-2.0.17.jar
lib/snakeyaml-2.3.jar
lib/snappy-0.5.jar
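Review bot: Three jars that did not ship before now enter the distribution — `shiro-hashes-argon2`, `shiro-hashes-bcrypt` and `bcprov-jdk18on-1.82.jar` — while none of the Java changes in this commit use argon2, bcrypt or BouncyCastle; the only realm constructed is `IniRealm`. Presumably they arrive as transitive dependencies of shiro-core 2.x, which cannot be confirmed from this hunk. Shipping a full JCA provider the product does not call enlarges the supply-chain surface the project must track for advisories, so if they are not needed they should be excluded in the dependency constraints, and if they are needed a short comment in `DependencyConstraints.groovy` should record why `bcprov-jdk18on` is now a shipped runtime dependency.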
diff --git a/geode-assembly/src/integrationTest/resources/expected_jars.txt
b/geode-assembly/src/integrationTest/resources/expected_jars.txt
index cc35c17ab8..7d0c0f2722 100644
--- a/geode-assembly/src/integrationTest/resources/expected_jars.txt
+++ b/geode-assembly/src/integrationTest/resources/expected_jars.txt
@@ -9,6 +9,7 @@ antlr-runtime
asm
asm-commons
asm-tree
+bcprov-jdk18on
classgraph
classmate
commons-beanutils
@@ -108,6 +109,8 @@ shiro-crypto-cipher
shiro-crypto-core
shiro-crypto-hash
shiro-event
+shiro-hashes-argon
+shiro-hashes-bcrypt
shiro-lang
slf4j-api
snakeyaml
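Review bot: `shiro-hashes-argon` on the added line does not match the artifact name used everywhere else in this commit, `shiro-hashes-argon2` (for example `lib/shiro-hashes-argon2-2.1.0.jar` in assembly_content.txt and the gfsh classpath). If the test derives expected names by stripping the version from each jar file name, this entry will never match and the argon2 jar will be reported as unexpected; if it matches by prefix it passes only by accident. Change the line to `shiro-hashes-argon2` so it matches the jar exactly.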
diff --git
a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index 08a64ec378..6635ed6939 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -66,8 +66,8 @@ HikariCP-4.0.3.jar
antlr-2.7.7.jar
istack-commons-runtime-4.1.1.jar
commons-validator-1.7.jar
-shiro-core-1.13.0.jar
-shiro-config-ogdl-1.13.0.jar
+shiro-core-2.1.0.jar
+shiro-config-ogdl-2.1.0.jar
commons-beanutils-1.11.0.jar
commons-codec-1.15.jar
commons-collections-3.2.2.jar
@@ -98,13 +98,15 @@ jetty-security-12.0.33.jar
jetty-server-12.0.33.jar
snappy-0.5.jar
jgroups-3.6.20.Final.jar
-shiro-cache-1.13.0.jar
-shiro-crypto-hash-1.13.0.jar
-shiro-crypto-cipher-1.13.0.jar
-shiro-config-core-1.13.0.jar
-shiro-event-1.13.0.jar
-shiro-crypto-core-1.13.0.jar
-shiro-lang-1.13.0.jar
+shiro-cache-2.1.0.jar
+shiro-crypto-hash-2.1.0.jar
+shiro-crypto-cipher-2.1.0.jar
+shiro-config-core-2.1.0.jar
+shiro-event-2.1.0.jar
+shiro-crypto-core-2.1.0.jar
+shiro-lang-2.1.0.jar
+shiro-hashes-argon2-2.1.0.jar
+shiro-hashes-bcrypt-2.1.0.jar
jetty-xml-12.0.33.jar
jetty-http-12.0.33.jar
jetty-io-12.0.33.jar
@@ -140,3 +142,4 @@ jboss-logging-3.4.3.Final.jar
classmate-1.5.1.jar
jakarta.el-api-5.0.0.jar
jakarta.inject-api-2.0.1.jar
+bcprov-jdk18on-1.82.jar
diff --git
a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
index 98fae4aa53..d2e204e6ab 100644
---
a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
+++
b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
@@ -28,8 +28,10 @@ import org.apache.commons.lang3.SerializationException;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.config.ConfigurationException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
@@ -173,7 +175,7 @@ public class IntegratedSecurityService implements
SecurityService {
currentUser.login(token);
} catch (UnavailableSecurityManagerException e) {
throw new CacheClosedException("Cache is closed.");
- } catch (ShiroException e) {
+ } catch (AuthenticationException | ConfigurationException e) {
logger.info("error logging in: " + token.getPrincipal());
Throwable cause = e.getCause();
if (cause == null) {
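Review bot: Narrowing `catch (ShiroException e)` to `AuthenticationException | ConfigurationException` means any other `ShiroException` thrown out of `currentUser.login(token)` — a session failure, or whatever a third-party realm raises — now escapes this method unwrapped instead of being turned into the generic authentication failure the callers expect, so the message that eventually reaches a client is no longer shaped here. The base class did not disappear in Shiro 2; it moved to `org.apache.shiro.lang.ShiroException` (the test imports later in this commit use it), so the original broad catch can be kept with only an import change: `} catch (org.apache.shiro.lang.ShiroException e) {`. `UnavailableSecurityManagerException` is still handled by the earlier branch, so that ordering is unaffected. The login method continues past the end of this hunk.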
@@ -199,7 +201,7 @@ public class IntegratedSecurityService implements
SecurityService {
try {
logger.debug("Logging out " + currentUser.getPrincipal());
currentUser.logout();
- } catch (ShiroException e) {
+ } catch (AuthenticationException e) {
logger.info("error logging out: " + currentUser.getPrincipal());
throw new GemFireSecurityException(e.getMessage(), e);
}
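Review bot: As far as I can tell, `Subject.logout()` does not raise `AuthenticationException` on its own failure paths; what it can surface is session-related (`SessionException` and subclasses), so after this narrowing such failures propagate as raw Shiro exceptions instead of the `GemFireSecurityException` this block promises. Either keep the broad catch via the relocated base class, `} catch (org.apache.shiro.lang.ShiroException e) {`, or, if being explicit is the goal, catch `SessionException | AuthenticationException`. The unit test in this commit mocks only `AuthenticationException`, so it would not notice the gap. The logout method continues outside this hunk.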
@@ -286,7 +288,7 @@ public class IntegratedSecurityService implements
SecurityService {
try {
currentUser.checkPermission(context);
- } catch (ShiroException e) {
+ } catch (AuthorizationException e) {
String message = currentUser.getPrincipal() + " not authorized for " +
context;
logger.info("NotAuthorizedException: {}", message);
throw new NotAuthorizedException(message, e);
diff --git
a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
index 346955b0e1..7fbaa939d1 100644
---
a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
+++
b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
@@ -18,6 +18,7 @@ import static
org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIE
import static
org.apache.geode.distributed.ConfigurationProperties.SECURITY_PEER_AUTHENTICATOR;
import static
org.apache.geode.distributed.ConfigurationProperties.SECURITY_SHIRO_INIT;
+import java.lang.reflect.Method;
import java.util.Properties;
import org.apache.commons.lang3.StringUtils;
@@ -88,9 +89,20 @@ public class SecurityServiceFactory {
private static boolean isShiroInUse() {
// Don't import Shiro otherwise clients must include on classpath
+ // Use reflective lookup without initializing the class and be defensive
about
+ // ClassNotFound/NoClassDef/Linkage errors which can occur when the webapp
+ // classloader does not provide Shiro runtime. If any such error occurs,
+ // treat Shiro as not in use to avoid hard failures during webapp startup.
try {
- return null !=
Class.forName("org.apache.shiro.SecurityUtils").getMethod("getSecurityManager")
- .invoke(null);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Class<?> securityUtils = Class.forName("org.apache.shiro.SecurityUtils",
false, cl);
+ Method getSecurityManager =
securityUtils.getMethod("getSecurityManager");
+ Object sm = getSecurityManager.invoke(null);
+ return sm != null;
+ } catch (ClassNotFoundException e) {
+ return false;
+ } catch (LinkageError e) {
+ return false;
} catch (Exception e) {
return false;
}
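Review bot: Every failure path in the new `isShiroInUse()` resolves to `false`, including a null context classloader, which `Class.forName(name, false, null)` turns into a bootstrap-loader lookup and a `ClassNotFoundException`; if the caller (outside this hunk) uses `false` to fall back to a less restrictive security service, a thread with no TCCL set silently loses the Shiro-backed one. Fall back to the defining loader when the TCCL is absent, `if (cl == null) { cl = SecurityServiceFactory.class.getClassLoader(); }`, and bear in mind that consulting the TCCL at all can resolve a different copy of `SecurityUtils` than the one geode-core links against, whose static security manager is a different object. The dedicated `catch (ClassNotFoundException e)` is redundant with the trailing `catch (Exception e)`; consider logging the `LinkageError` and generic `Exception` cases at warn so a mis-packaged webapp is diagnosable rather than quietly running unsecured.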
diff --git
a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
index 5d286439a2..447ba6b578 100644
---
a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
+++
b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
@@ -19,9 +19,9 @@ import static
org.apache.geode.logging.internal.spi.LoggingProvider.SECURITY_LOG
import org.apache.logging.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
-import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
+import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
@@ -41,14 +41,43 @@ public class SecurityManagerProvider {
public SecurityManagerProvider(String shiroConfig) {
securityManager = null;
- IniSecurityManagerFactory factory = new
IniSecurityManagerFactory("classpath:" + shiroConfig);
- // we will need to make sure that shiro uses a case sensitive permission
resolver
- Ini.Section main = factory.getIni().addSection("main");
+ // Shiro 2.1.0: IniSecurityManagerFactory is removed. Use Ini and
DefaultSecurityManager
+ // directly. Create an IniRealm from the Ini so realms are properly
configured.
+ Ini ini = new Ini();
+ ini.loadFromPath("classpath:" + shiroConfig);
+ Ini.Section main = ini.getSection("main");
+ if (main == null) {
+ main = ini.addSection("main");
+ }
main.put("geodePermissionResolver",
GeodePermissionResolver.class.getName());
if (!main.containsKey("iniRealm.permissionResolver")) {
main.put("iniRealm.permissionResolver", "$geodePermissionResolver");
}
- shiroManager = factory.getInstance();
+
+ // Build an IniRealm from the loaded Ini and set GeodePermissionResolver
explicitly.
+ // Create the realm first, set the GeodePermissionResolver, then attach
the Ini
+ // so the realm parses roles/permissions using our resolver.
+ IniRealm iniRealm = new IniRealm();
+ iniRealm.setPermissionResolver(new GeodePermissionResolver());
+ iniRealm.setIni(ini);
+ // If the realm exposes an init method, ensure it is initialized
(defensive).
+ try {
+ java.lang.reflect.Method init = iniRealm.getClass().getMethod("init");
+ if (init != null) {
+ init.invoke(iniRealm);
+ }
+ } catch (Throwable t) {
+ // Not critical if method is absent or invocation fails, but log for
diagnostics.
+ logger.debug("IniRealm init invocation failed; continuing without init",
t);
+ }
+
+ // Create a DefaultSecurityManager backed by the IniRealm so realms exist.
+ shiroManager = new DefaultSecurityManager((Realm) iniRealm);
+
+ // try to increase global session timeout similar to other provider
constructors
+ if (shiroManager instanceof DefaultSecurityManager) {
+ increaseShiroGlobalSessionTimeout((DefaultSecurityManager) shiroManager);
+ }
}
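Review bot: Because `IniSecurityManagerFactory` no longer processes the file, the `[main]` section of the operator's shiro ini is loaded but never applied — the two `main.put(...)` calls above are dead, and so are any `[main]` entries deployments already rely on (an `iniRealm.credentialsMatcher` for hashed passwords, additional realms, authenticator or session settings); only `[users]` and `[roles]` reach the `IniRealm`, which falls back to the realm's default credentials matcher. If Shiro 2.1.0 still ships `org.apache.shiro.env.BasicIniEnvironment` in shiro-config-ogdl, `new BasicIniEnvironment(ini).getSecurityManager()` would preserve the old `[main]` semantics; otherwise this behaviour change needs a comment here and a release note. Separately, `init()` is a public method `IniRealm` inherits, so the reflective lookup guarded by `catch (Throwable)` can be a direct call that fails fast — a malformed `[users]` section currently yields a realm with no accounts and only a debug log. The `(Realm)` cast and the `instanceof DefaultSecurityManager` check are both unconditional and can go.
```java
    // … unchanged: Ini loading and [main] section setup …
    IniRealm iniRealm = new IniRealm();
    iniRealm.setPermissionResolver(new GeodePermissionResolver());
    iniRealm.setIni(ini);
    // Fail fast: a malformed [users]/[roles] section is a configuration error;
    // continuing with an empty realm would only surface later as denied logins.
    iniRealm.init();

    // NOTE: [main] entries in shiroConfig are not applied by this code path.
    shiroManager = new DefaultSecurityManager(iniRealm);
    increaseShiroGlobalSessionTimeout((DefaultSecurityManager) shiroManager);
```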
diff --git
a/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
b/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
index 64f34159dc..eb255c6a40 100644
---
a/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
+++
b/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
@@ -25,15 +25,16 @@ import java.io.DataInputStream;
import java.io.IOException;
import java.util.Properties;
-import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.AuthorizationException;
-import org.apache.shiro.codec.CodecException;
import org.apache.shiro.config.ConfigurationException;
import org.apache.shiro.crypto.UnknownAlgorithmException;
import org.apache.shiro.dao.InvalidResourceUsageException;
import org.apache.shiro.env.RequiredTypeException;
-import org.apache.shiro.io.SerializationException;
+import org.apache.shiro.lang.ShiroException;
+import org.apache.shiro.lang.codec.CodecException;
+import org.apache.shiro.lang.io.SerializationException;
+import org.apache.shiro.lang.util.InstantiationException;
import org.apache.shiro.ldap.UnsupportedAuthenticationMechanismException;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.StoppedSessionException;
@@ -91,7 +92,7 @@ public class InternalDataSerializerShiroAcceptListTest {
@Test
public void acceptsInstantiationException() throws IOException,
ClassNotFoundException {
- trySerializingObject(new
org.apache.shiro.util.InstantiationException("testing"),
+ trySerializingObject(new InstantiationException("testing"),
propertiesWithoutFilter());
}
diff --git
a/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
b/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
index fbe90a4481..3588e3ff4c 100644
---
a/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
+++
b/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
@@ -24,8 +24,8 @@ import static org.mockito.Mockito.when;
import java.util.Properties;
-import org.apache.shiro.ShiroException;
import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
@@ -53,7 +53,7 @@ public class IntegratedSecurityServiceTest {
private org.apache.shiro.mgt.SecurityManager shiroManager;
private IntegratedSecurityService securityService;
- private ShiroException shiroException;
+ private AuthenticationException shiroException;
private Properties properties;
@Before
@@ -68,7 +68,7 @@ public class IntegratedSecurityServiceTest {
when(mockSubject.getPrincipal()).thenReturn("principal");
when(mockSubject.getSession()).thenReturn(mock(Session.class));
- shiroException = mock(ShiroException.class);
+ shiroException = mock(AuthenticationException.class);
properties = new Properties();
securityService = new IntegratedSecurityService(provider, null);
@@ -189,7 +189,7 @@ public class IntegratedSecurityServiceTest {
doThrow(shiroException).when(mockSubject).login(any(GeodeAuthenticationToken.class));
assertThatThrownBy(() -> securityService.login(properties))
.isInstanceOf(AuthenticationFailedException.class)
- .hasCauseInstanceOf(ShiroException.class)
+ .hasCauseInstanceOf(AuthenticationException.class)
.hasMessageContaining("Authentication error. Please check your
credentials");
}
diff --git
a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index 8bd2ba84dc..e08f8880d8 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -56,7 +56,7 @@ jakarta.enterprise.cdi-api-4.0.1.jar
jakarta.interceptor-api-2.1.0.jar
jakarta.annotation-api-2.1.1.jar
jakarta.transaction-api-2.0.1.jar
-shiro-core-1.13.0.jar
+shiro-core-2.1.0.jar
jgroups-3.6.20.Final.jar
commons-validator-1.7.jar
fastutil-8.5.8.jar
@@ -82,7 +82,7 @@ lucene-analysis-common-9.12.3.jar
lucene-queryparser-9.12.3.jar
lucene-queries-9.12.3.jar
lucene-core-9.12.3.jar
-shiro-config-ogdl-1.13.0.jar
+shiro-config-ogdl-2.1.0.jar
commons-beanutils-1.11.0.jar
commons-codec-1.15.jar
commons-collections-3.2.2.jar
@@ -98,13 +98,13 @@ jetty-session-12.0.33.jar
jetty-plus-12.0.33.jar
jetty-security-12.0.33.jar
jetty-server-12.0.33.jar
-shiro-cache-1.13.0.jar
-shiro-crypto-hash-1.13.0.jar
-shiro-crypto-cipher-1.13.0.jar
-shiro-config-core-1.13.0.jar
-shiro-event-1.13.0.jar
-shiro-crypto-core-1.13.0.jar
-shiro-lang-1.13.0.jar
+shiro-cache-2.1.0.jar
+shiro-crypto-hash-2.1.0.jar
+shiro-crypto-cipher-2.1.0.jar
+shiro-config-core-2.1.0.jar
+shiro-event-2.1.0.jar
+shiro-crypto-core-2.1.0.jar
+shiro-lang-2.1.0.jar
jetty-xml-12.0.33.jar
jetty-http-12.0.33.jar
jetty-io-12.0.33.jar
@@ -140,3 +140,6 @@ jakarta.inject-api-2.0.1.jar
jakarta.validation-api-3.0.2.jar
jboss-logging-3.4.3.Final.jar
classmate-1.5.1.jar
+shiro-hashes-argon2-2.1.0.jar
+shiro-hashes-bcrypt-2.1.0.jar
+bcprov-jdk18on-1.82.jar