Deprecated List (Apache Shiro 1.5.2 API)

Classes
Class	Description
org.apache.shiro.authc.credential.Md2CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.authc.credential.Md5CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.authc.credential.Sha1CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.authc.credential.Sha256CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.authc.credential.Sha384CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.authc.credential.Sha512CredentialsMatcher	since 1.1 - use the HashedCredentialsMatcher directly and set its `hashAlgorithmName` property.
org.apache.shiro.cas.CasFilter	replaced with Shiro integration in buji-pac4j.
org.apache.shiro.cas.CasRealm	replaced with Shiro integration in buji-pac4j.
org.apache.shiro.cas.CasSubjectFactory	replaced with Shiro integration in buji-pac4j.
org.apache.shiro.cas.CasToken	replaced with Shiro integration in buji-pac4j.
org.apache.shiro.config.IniFactorySupport	use Shiro's `Environment` mechanisms instead.
org.apache.shiro.config.IniSecurityManagerFactory	use Shiro's `Environment` mechanisms instead.
org.apache.shiro.crypto.hash.AbstractHash	in Shiro 1.1 in favor of using the concrete `SimpleHash` implementation directly.
org.apache.shiro.realm.ldap.DefaultLdapContextFactory	replaced by the `JndiLdapContextFactory` implementation. This implementation will be removed prior to Shiro 2.0
org.apache.shiro.realm.ldap.JndiLdapRealm	Renamed to `DefaultLdapRealm`, this class will be removed prior to 2.0
org.apache.shiro.util.JavaEnvironment	This class is no longer used in Shiro and will be removed in the next major version.
org.apache.shiro.web.config.WebIniSecurityManagerFactory	use Shiro's `Environment` mechanisms instead.
org.apache.shiro.web.servlet.IniShiroFilter	in 1.2 in favor of using the `ShiroFilter`

Exceptions
Exceptions Description

org.apache.shiro.cas.CasAuthenticationException
replaced with Shiro integration in buji-pac4j.

Fields
Field Description

org.apache.shiro.web.mgt.DefaultWebSecurityManager.HTTP_SESSION_MODE

org.apache.shiro.web.mgt.DefaultWebSecurityManager.NATIVE_SESSION_MODE

Methods
Method	Description
org.apache.shiro.authc.credential.HashedCredentialsMatcher.getSalt(AuthenticationToken)	since Shiro 1.1. Hash salting is now expected to be based on if the `AuthenticationInfo` returned from the `Realm` is a `SaltedAuthenticationInfo` instance and its `getCredentialsSalt()` method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the `Realm` does not return `SaltedAuthenticationInfo` instances, but it is highly recommended that `Realm` implementations that support hashed credentials start returning `SaltedAuthenticationInfo` instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.authc.credential.HashedCredentialsMatcher.isHashSalted()	since Shiro 1.1. Hash salting is now expected to be based on if the `AuthenticationInfo` returned from the `Realm` is a `SaltedAuthenticationInfo` instance and its `getCredentialsSalt()` method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the `Realm` does not return `SaltedAuthenticationInfo` instances, but it is highly recommended that `Realm` implementations that support hashed credentials start returning `SaltedAuthenticationInfo` instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.authc.credential.HashedCredentialsMatcher.setHashSalted(boolean)	since Shiro 1.1. Hash salting is now expected to be based on if the `AuthenticationInfo` returned from the `Realm` is a `SaltedAuthenticationInfo` instance and its `getCredentialsSalt()` method returns a non-null value. This method and the 1.0 behavior still exists for backwards compatibility if the `Realm` does not return `SaltedAuthenticationInfo` instances, but it is highly recommended that `Realm` implementations that support hashed credentials start returning `SaltedAuthenticationInfo` instances as soon as possible. This is because salts should always be obtained from the stored account information and never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user are almost impossible to break. This method will be removed in Shiro 2.0.
org.apache.shiro.guice.web.ShiroWebModule.addFilterChain(String, Key<? extends Filter>...)
org.apache.shiro.guice.web.ShiroWebModule.config(Key<T>, String)
org.apache.shiro.mgt.DefaultSecurityManager.bind(Subject)	in favor of `save(subject)`.
org.apache.shiro.mgt.DefaultSecurityManager.unbind(Subject)	in Shiro 1.2 in favor of `DefaultSecurityManager.delete(org.apache.shiro.subject.Subject)`
org.apache.shiro.mgt.DefaultSubjectFactory.newSubjectInstance(PrincipalCollection, boolean, String, Session, SecurityManager)	since 1.2 - override `DefaultSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)` directly if you need to instantiate a custom `Subject` class.
org.apache.shiro.realm.ldap.DefaultLdapContextFactory.getLdapContext(String, String)	the `DefaultLdapContextFactory.getLdapContext(Object, Object)` method should be used in all cases to ensure more than String principals and credentials can be used. Shiro no longer calls this method - it will be removed before the 2.0 release.
org.apache.shiro.realm.ldap.DefaultLdapContextFactory.setSearchBase(String)	this attribute existed, but was never used in Shiro 1.x. It will be removed prior to Shiro 2.0.
org.apache.shiro.realm.ldap.JndiLdapContextFactory.getLdapContext(String, String)	the `JndiLdapContextFactory.getLdapContext(Object, Object)` method should be used in all cases to ensure more than String principals and credentials can be used. Shiro no longer calls this method - it will be removed before the 2.0 release.
org.apache.shiro.realm.ldap.LdapContextFactory.getLdapContext(String, String)	the `LdapContextFactory.getLdapContext(Object, Object)` method should be used in all cases to ensure more than String principals and credentials can be used.
org.apache.shiro.util.CollectionUtils.isEmpty(PrincipalCollection)	Use PrincipalCollection.isEmpty() directly.
org.apache.shiro.web.env.EnvironmentLoader.determineWebEnvironmentClass(ServletContext)	This method is not longer used by Shiro, and will be removed in future versions, use `EnvironmentLoader.determineWebEnvironment(ServletContext)` or `EnvironmentLoader.determineWebEnvironment(ServletContext)`
org.apache.shiro.web.mgt.DefaultWebSecurityManager.getSessionMode()
org.apache.shiro.web.mgt.DefaultWebSecurityManager.setSessionMode(String)	since 1.2
org.apache.shiro.web.mgt.DefaultWebSubjectFactory.newSubjectInstance(PrincipalCollection, boolean, String, Session, ServletRequest, ServletResponse, SecurityManager)	since 1.2 - override `DefaultWebSubjectFactory.createSubject(org.apache.shiro.subject.SubjectContext)` directly if you need to instantiate a custom `Subject` class.
org.apache.shiro.web.servlet.OncePerRequestFilter.shouldNotFilter(ServletRequest)	in favor of overriding `OncePerRequestFilter.isEnabled(javax.servlet.ServletRequest, javax.servlet.ServletResponse)` for custom behavior. This method will be removed in Shiro 2.0.

Constructors
Constructor	Description
org.apache.shiro.UnavailableSecurityManagerException(String, Throwable)	This constructor is NOT used by Shiro directly, and will be removed in the future.