GEODE-10559: Introduction of Security Realm to Security Manager (CVE-2026-23903 remediation) (#7986)

JinwooHwang · JinwooHwang · commit 1f9e9291fbcb · 2026-03-12T06:13:26.000-04:00
* GEODE-10559: Upgrade Apache Shiro to 2.1.0; migrate APIs (CVE-2026-23903) * GEODE-10559: update integration test resources after Shiro 2.1.0 bump * Build an IniRealm * include shiro * remove shiro * remove shiro * Fix integration test snapshot: remove spurious logback-core entry
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -49,7 +49,7 @@ class DependencyConstraints {
     deps.put("log4j.version", "2.25.3")
     deps.put("log4j-slf4j2-impl.version", "2.23.1")
     deps.put("micrometer.version", "1.14.0")
-    deps.put("shiro.version", "1.13.0")
+    deps.put("shiro.version", "2.1.0")
     deps.put("slf4j-api.version", "2.0.17")
     deps.put("jakarta.transaction-api.version", "2.0.1")
     deps.put("jboss-modules.version", "1.11.0.Final")
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
diff --git a/geode-assembly/src/integrationTest/resources/expected_jars.txt b/geode-assembly/src/integrationTest/resources/expected_jars.txt
@@ -9,6 +9,7 @@ antlr-runtime
 asm
 asm-commons
 asm-tree
+bcprov-jdk18on
 classgraph
 classmate
 commons-beanutils
@@ -108,6 +109,8 @@ shiro-crypto-cipher
 shiro-crypto-core
 shiro-crypto-hash
 shiro-event
+shiro-hashes-argon
+shiro-hashes-bcrypt
 shiro-lang
 slf4j-api
 snakeyaml
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -66,8 +66,8 @@ HikariCP-4.0.3.jar
 antlr-2.7.7.jar
 istack-commons-runtime-4.1.1.jar
 commons-validator-1.7.jar
-shiro-core-1.13.0.jar
-shiro-config-ogdl-1.13.0.jar
+shiro-core-2.1.0.jar
+shiro-config-ogdl-2.1.0.jar
 commons-beanutils-1.11.0.jar
 commons-codec-1.15.jar
 commons-collections-3.2.2.jar
@@ -98,13 +98,15 @@ jetty-security-12.0.33.jar
 jetty-server-12.0.33.jar
 snappy-0.5.jar
 jgroups-3.6.20.Final.jar
-shiro-cache-1.13.0.jar
-shiro-crypto-hash-1.13.0.jar
-shiro-crypto-cipher-1.13.0.jar
-shiro-config-core-1.13.0.jar
-shiro-event-1.13.0.jar
-shiro-crypto-core-1.13.0.jar
-shiro-lang-1.13.0.jar
+shiro-cache-2.1.0.jar
+shiro-crypto-hash-2.1.0.jar
+shiro-crypto-cipher-2.1.0.jar
+shiro-config-core-2.1.0.jar
+shiro-event-2.1.0.jar
+shiro-crypto-core-2.1.0.jar
+shiro-lang-2.1.0.jar
+shiro-hashes-argon2-2.1.0.jar
+shiro-hashes-bcrypt-2.1.0.jar
 jetty-xml-12.0.33.jar
 jetty-http-12.0.33.jar
 jetty-io-12.0.33.jar
@@ -140,3 +142,4 @@ jboss-logging-3.4.3.Final.jar
 classmate-1.5.1.jar
 jakarta.el-api-5.0.0.jar
 jakarta.inject-api-2.0.1.jar
+bcprov-jdk18on-1.82.jar
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
@@ -28,8 +28,10 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.support.SubjectThreadState;
@@ -173,7 +175,7 @@ public Subject login(final Properties credentials) {
       currentUser.login(token);
     } catch (UnavailableSecurityManagerException e) {
       throw new CacheClosedException("Cache is closed.");
-    } catch (ShiroException e) {
+    } catch (AuthenticationException | ConfigurationException e) {
       logger.info("error logging in: " + token.getPrincipal());
       Throwable cause = e.getCause();
       if (cause == null) {
@@ -199,7 +201,7 @@ public void logout() {
     try {
       logger.debug("Logging out " + currentUser.getPrincipal());
       currentUser.logout();
-    } catch (ShiroException e) {
+    } catch (AuthenticationException e) {
       logger.info("error logging out: " + currentUser.getPrincipal());
       throw new GemFireSecurityException(e.getMessage(), e);
     }
@@ -286,7 +288,7 @@ public void authorize(ResourcePermission context, Subject currentUser) {
 
     try {
       currentUser.checkPermission(context);
-    } catch (ShiroException e) {
+    } catch (AuthorizationException e) {
       String message = currentUser.getPrincipal() + " not authorized for " + context;
       logger.info("NotAuthorizedException: {}", message);
       throw new NotAuthorizedException(message, e);
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
@@ -18,6 +18,7 @@
 import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_PEER_AUTHENTICATOR;
 import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_SHIRO_INIT;
 
+import java.lang.reflect.Method;
 import java.util.Properties;
 
 import org.apache.commons.lang3.StringUtils;
@@ -88,9 +89,20 @@ public static SecurityService create(Properties securityProps,
 
   private static boolean isShiroInUse() {
     // Don't import Shiro otherwise clients must include on classpath
+    // Use reflective lookup without initializing the class and be defensive about
+    // ClassNotFound/NoClassDef/Linkage errors which can occur when the webapp
+    // classloader does not provide Shiro runtime. If any such error occurs,
+    // treat Shiro as not in use to avoid hard failures during webapp startup.
     try {
-      return null != Class.forName("org.apache.shiro.SecurityUtils").getMethod("getSecurityManager")
-          .invoke(null);
+      ClassLoader cl = Thread.currentThread().getContextClassLoader();
+      Class<?> securityUtils = Class.forName("org.apache.shiro.SecurityUtils", false, cl);
+      Method getSecurityManager = securityUtils.getMethod("getSecurityManager");
+      Object sm = getSecurityManager.invoke(null);
+      return sm != null;
+    } catch (ClassNotFoundException e) {
+      return false;
+    } catch (LinkageError e) {
+      return false;
     } catch (Exception e) {
       return false;
     }
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/SecurityManagerProvider.java
@@ -19,9 +19,9 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.config.Ini;
-import org.apache.shiro.config.IniSecurityManagerFactory;
 import org.apache.shiro.mgt.DefaultSecurityManager;
 import org.apache.shiro.realm.Realm;
+import org.apache.shiro.realm.text.IniRealm;
 import org.apache.shiro.session.mgt.DefaultSessionManager;
 import org.apache.shiro.session.mgt.SessionManager;
 
@@ -41,14 +41,43 @@ public SecurityManagerProvider() {
   public SecurityManagerProvider(String shiroConfig) {
     securityManager = null;
 
-    IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig);
-    // we will need to make sure that shiro uses a case sensitive permission resolver
-    Ini.Section main = factory.getIni().addSection("main");
+    // Shiro 2.1.0: IniSecurityManagerFactory is removed. Use Ini and DefaultSecurityManager
+    // directly. Create an IniRealm from the Ini so realms are properly configured.
+    Ini ini = new Ini();
+    ini.loadFromPath("classpath:" + shiroConfig);
+    Ini.Section main = ini.getSection("main");
+    if (main == null) {
+      main = ini.addSection("main");
+    }
     main.put("geodePermissionResolver", GeodePermissionResolver.class.getName());
     if (!main.containsKey("iniRealm.permissionResolver")) {
       main.put("iniRealm.permissionResolver", "$geodePermissionResolver");
     }
-    shiroManager = factory.getInstance();
+
+    // Build an IniRealm from the loaded Ini and set GeodePermissionResolver explicitly.
+    // Create the realm first, set the GeodePermissionResolver, then attach the Ini
+    // so the realm parses roles/permissions using our resolver.
+    IniRealm iniRealm = new IniRealm();
+    iniRealm.setPermissionResolver(new GeodePermissionResolver());
+    iniRealm.setIni(ini);
+    // If the realm exposes an init method, ensure it is initialized (defensive).
+    try {
+      java.lang.reflect.Method init = iniRealm.getClass().getMethod("init");
+      if (init != null) {
+        init.invoke(iniRealm);
+      }
+    } catch (Throwable t) {
+      // Not critical if method is absent or invocation fails, but log for diagnostics.
+      logger.debug("IniRealm init invocation failed; continuing without init", t);
+    }
+
+    // Create a DefaultSecurityManager backed by the IniRealm so realms exist.
+    shiroManager = new DefaultSecurityManager((Realm) iniRealm);
+
+    // try to increase global session timeout similar to other provider constructors
+    if (shiroManager instanceof DefaultSecurityManager) {
+      increaseShiroGlobalSessionTimeout((DefaultSecurityManager) shiroManager);
+    }
   }
 
 
diff --git a/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java b/geode-core/src/test/java/org/apache/geode/internal/InternalDataSerializerShiroAcceptListTest.java
@@ -25,15 +25,16 @@
 import java.io.IOException;
 import java.util.Properties;
 
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authz.AuthorizationException;
-import org.apache.shiro.codec.CodecException;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.crypto.UnknownAlgorithmException;
 import org.apache.shiro.dao.InvalidResourceUsageException;
 import org.apache.shiro.env.RequiredTypeException;
-import org.apache.shiro.io.SerializationException;
+import org.apache.shiro.lang.ShiroException;
+import org.apache.shiro.lang.codec.CodecException;
+import org.apache.shiro.lang.io.SerializationException;
+import org.apache.shiro.lang.util.InstantiationException;
 import org.apache.shiro.ldap.UnsupportedAuthenticationMechanismException;
 import org.apache.shiro.session.SessionException;
 import org.apache.shiro.session.StoppedSessionException;
@@ -91,7 +92,7 @@ public void acceptsExecutionException() throws IOException, ClassNotFoundExcepti
 
   @Test
   public void acceptsInstantiationException() throws IOException, ClassNotFoundException {
-    trySerializingObject(new org.apache.shiro.util.InstantiationException("testing"),
+    trySerializingObject(new InstantiationException("testing"),
         propertiesWithoutFilter());
   }
 
diff --git a/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java b/geode-core/src/test/java/org/apache/geode/internal/security/IntegratedSecurityServiceTest.java
@@ -24,8 +24,8 @@
 
 import java.util.Properties;
 
-import org.apache.shiro.ShiroException;
 import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.SubjectContext;
@@ -53,7 +53,7 @@ public class IntegratedSecurityServiceTest {
   private org.apache.shiro.mgt.SecurityManager shiroManager;
 
   private IntegratedSecurityService securityService;
-  private ShiroException shiroException;
+  private AuthenticationException shiroException;
   private Properties properties;
 
   @Before
@@ -68,7 +68,7 @@ public void before() throws Exception {
     when(mockSubject.getPrincipal()).thenReturn("principal");
     when(mockSubject.getSession()).thenReturn(mock(Session.class));
 
-    shiroException = mock(ShiroException.class);
+    shiroException = mock(AuthenticationException.class);
     properties = new Properties();
 
     securityService = new IntegratedSecurityService(provider, null);
@@ -189,7 +189,7 @@ public void login_when_ShiroException_hasNoCause() throws Exception {
     doThrow(shiroException).when(mockSubject).login(any(GeodeAuthenticationToken.class));
     assertThatThrownBy(() -> securityService.login(properties))
         .isInstanceOf(AuthenticationFailedException.class)
-        .hasCauseInstanceOf(ShiroException.class)
+        .hasCauseInstanceOf(AuthenticationException.class)
         .hasMessageContaining("Authentication error. Please check your credentials");
   }
 
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -56,7 +56,7 @@ jakarta.enterprise.cdi-api-4.0.1.jar
 jakarta.interceptor-api-2.1.0.jar
 jakarta.annotation-api-2.1.1.jar
 jakarta.transaction-api-2.0.1.jar
-shiro-core-1.13.0.jar
+shiro-core-2.1.0.jar
 jgroups-3.6.20.Final.jar
 commons-validator-1.7.jar
 fastutil-8.5.8.jar
@@ -82,7 +82,7 @@ lucene-analysis-common-9.12.3.jar
 lucene-queryparser-9.12.3.jar
 lucene-queries-9.12.3.jar
 lucene-core-9.12.3.jar
-shiro-config-ogdl-1.13.0.jar
+shiro-config-ogdl-2.1.0.jar
 commons-beanutils-1.11.0.jar
 commons-codec-1.15.jar
 commons-collections-3.2.2.jar
@@ -98,13 +98,13 @@ jetty-session-12.0.33.jar
 jetty-plus-12.0.33.jar
 jetty-security-12.0.33.jar
 jetty-server-12.0.33.jar
-shiro-cache-1.13.0.jar
-shiro-crypto-hash-1.13.0.jar
-shiro-crypto-cipher-1.13.0.jar
-shiro-config-core-1.13.0.jar
-shiro-event-1.13.0.jar
-shiro-crypto-core-1.13.0.jar
-shiro-lang-1.13.0.jar
+shiro-cache-2.1.0.jar
+shiro-crypto-hash-2.1.0.jar
+shiro-crypto-cipher-2.1.0.jar
+shiro-config-core-2.1.0.jar
+shiro-event-2.1.0.jar
+shiro-crypto-core-2.1.0.jar
+shiro-lang-2.1.0.jar
 jetty-xml-12.0.33.jar
 jetty-http-12.0.33.jar
 jetty-io-12.0.33.jar
@@ -140,3 +140,6 @@ jakarta.inject-api-2.0.1.jar
 jakarta.validation-api-3.0.2.jar
 jboss-logging-3.4.3.Final.jar
 classmate-1.5.1.jar
+shiro-hashes-argon2-2.1.0.jar
+shiro-hashes-bcrypt-2.1.0.jar
+bcprov-jdk18on-1.82.jar
