apache · JinwooHwang · Feb 26, 2026
diff --git a/...y-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/...y-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -49,7 +49,7 @@ class DependencyConstraints {
     deps.put("log4j.version", "2.25.3")
     deps.put("log4j-slf4j2-impl.version", "2.23.1")
     deps.put("micrometer.version", "1.14.0")
-    deps.put("shiro.version", "1.13.0")
+    deps.put("shiro.version", "2.1.0")
     deps.put("slf4j-api.version", "2.0.17")
     deps.put("jakarta.transaction-api.version", "2.0.1")
     deps.put("jboss-modules.version", "1.11.0.Final")

diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
@@ -28,8 +28,10 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.support.SubjectThreadState;
@@ -173,7 +175,7 @@ public Subject login(final Properties credentials) {
       currentUser.login(token);
     } catch (UnavailableSecurityManagerException e) {
       throw new CacheClosedException("Cache is closed.");
-    } catch (ShiroException e) {
+    } catch (AuthenticationException | ConfigurationException e) {
       logger.info("error logging in: " + token.getPrincipal());
       Throwable cause = e.getCause();
       if (cause == null) {
@@ -199,7 +201,7 @@ public void logout() {
     try {
       logger.debug("Logging out " + currentUser.getPrincipal());
       currentUser.logout();
-    } catch (ShiroException e) {
+    } catch (AuthenticationException e) {
       logger.info("error logging out: " + currentUser.getPrincipal());
       throw new GemFireSecurityException(e.getMessage(), e);
     }
@@ -286,7 +288,7 @@ public void authorize(ResourcePermission context, Subject currentUser) {
 
     try {
       currentUser.checkPermission(context);
-    } catch (ShiroException e) {
+    } catch (AuthorizationException e) {
       String message = currentUser.getPrincipal() + " not authorized for " + context;
       logger.info("NotAuthorizedException: {}", message);
       throw new NotAuthorizedException(message, e);

diff --git a/...-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java b/...-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
@@ -19,7 +19,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.config.Ini;
-import org.apache.shiro.config.IniSecurityManagerFactory;
 import org.apache.shiro.mgt.DefaultSecurityManager;
 import org.apache.shiro.realm.Realm;
 import org.apache.shiro.session.mgt.DefaultSessionManager;
@@ -41,14 +40,20 @@ public SecurityManagerProvider() {
   public SecurityManagerProvider(String shiroConfig) {
     securityManager = null;
 
-    IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig);
-    // we will need to make sure that shiro uses a case sensitive permission resolver
-    Ini.Section main = factory.getIni().addSection("main");
+    // Shiro 2.1.0: IniSecurityManagerFactory is removed. Use Ini and DefaultSecurityManager
+    // directly.
+    Ini ini = new Ini();
+    ini.loadFromPath("classpath:" + shiroConfig);
+    Ini.Section main = ini.getSection("main");
+    if (main == null) {
+      main = ini.addSection("main");
+    }
     main.put("geodePermissionResolver", GeodePermissionResolver.class.getName());
     if (!main.containsKey("iniRealm.permissionResolver")) {
       main.put("iniRealm.permissionResolver", "$geodePermissionResolver");
     }
-    shiroManager = factory.getInstance();
+    // Shiro 2.1.0: create a DefaultSecurityManager
+    shiroManager = new DefaultSecurityManager();
   }
 
 

diff --git a/...re/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java b/...re/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
@@ -25,15 +25,16 @@
 import java.io.IOException;
 import java.util.Properties;
 
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authz.AuthorizationException;
-import org.apache.shiro.codec.CodecException;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.crypto.UnknownAlgorithmException;
 import org.apache.shiro.dao.InvalidResourceUsageException;
 import org.apache.shiro.env.RequiredTypeException;
-import org.apache.shiro.io.SerializationException;
+import org.apache.shiro.lang.ShiroException;
+import org.apache.shiro.lang.codec.CodecException;
+import org.apache.shiro.lang.io.SerializationException;
+import org.apache.shiro.lang.util.InstantiationException;
 import org.apache.shiro.ldap.UnsupportedAuthenticationMechanismException;
 import org.apache.shiro.session.SessionException;
 import org.apache.shiro.session.StoppedSessionException;
@@ -91,7 +92,7 @@ public void acceptsExecutionException() throws IOException, ClassNotFoundExcepti
 
   @Test
   public void acceptsInstantiationException() throws IOException, ClassNotFoundException {
-    trySerializingObject(new org.apache.shiro.util.InstantiationException("testing"),
+    trySerializingObject(new InstantiationException("testing"),
         propertiesWithoutFilter());
   }
 

diff --git a/...-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java b/...-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
@@ -24,8 +24,8 @@
 
 import java.util.Properties;
 
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.SubjectContext;
@@ -53,7 +53,7 @@ public class IntegratedSecurityServiceTest {
   private org.apache.shiro.mgt.SecurityManager shiroManager;
 
   private IntegratedSecurityService securityService;
-  private ShiroException shiroException;
+  private AuthenticationException shiroException;
   private Properties properties;
 
   @Before
@@ -68,7 +68,7 @@ public void before() throws Exception {
     when(mockSubject.getPrincipal()).thenReturn("principal");
     when(mockSubject.getSession()).thenReturn(mock(Session.class));
 
-    shiroException = mock(ShiroException.class);
+    shiroException = mock(AuthenticationException.class);
     properties = new Properties();
 
     securityService = new IntegratedSecurityService(provider, null);
@@ -189,7 +189,7 @@ public void login_when_ShiroException_hasNoCause() throws Exception {
     doThrow(shiroException).when(mockSubject).login(any(GeodeAuthenticationToken.class));
     assertThatThrownBy(() -> securityService.login(properties))
         .isInstanceOf(AuthenticationFailedException.class)
-        .hasCauseInstanceOf(ShiroException.class)
+        .hasCauseInstanceOf(AuthenticationException.class)
         .hasMessageContaining("Authentication error. Please check your credentials");
   }