Apache Shiro 2.1 does not work properly in Tomcat 8 RC 5

The application works fine in Tomcat 7.x but not in Tomcat 8 RC5.

I have an Apache Wicket application where I have configured Apache Shiro 2.1 with a JDBC realm. After the application logs in, on the home page I access the username from the Shiro API with this:


This gives a null pointer exception in Apache 8 RC5. Also, it seems the application bypasses the Apache Shiro servlet altogether and goes directly to the home page, whereas it should go to the login page.

The same works fine in Apache 7.x.

I have tried various configuration options in the Shiro INI to fix this, but none of them worked.

My web.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>"> Customeric



        <param-name>ExpiresByType image</param-name>
        <param-value>access plus 1 years</param-value>
        <param-name>ExpiresByType text/css</param-name>
        <param-value>access plus 1 years</param-value>
        <param-name>ExpiresByType application/javascript</param-name>
        <param-value>access plus 10 years</param-value>

<!--    <filter>

<!--    <filter-mapping>

    <description>DB Connection</description>





And my Apache Shiro INI looks like this:


            jdbcRealm.authenticationQuery = select password, salt from users where username = ?
            jdbcRealm.userRolesQuery = select rolename from roles left outer join users_roles on = users_roles.roles_id left outer join users on = users_roles.users_id where users.username = ?
            jdbcRealm.permissionsQuery = select permission from permissions left outer join roles_permissions on = roles_permissions.permissions_id left outer join roles on = roles_permissions.roles_id where roles.rolename = ?

            securityManager.realms = $jdbcRealm

            authc.loginUrl = /app/login.jsp

            ds =  org.apache.tomcat.jdbc.pool.DataSource
            ds.driverClassName = org.apache.derby.jdbc.ClientDriver
            ds.username = test
            ds.password = test                
            ds.url = jdbc:derby://localhost:1527/testdb
            ds.maxActive = 20
            ds.minIdle = 10
            ds.minEvictableIdleTimeMillis = 1000 * 60 * 8
            ds.timeBetweenEvictionRunsMillis  = 1000 * 60 * 10
            ds.removeAbandoned = true
            ds.removeAbandonedTimeout = 600
            jdbcRealm.dataSource = $ds          

            # password hashing specification, put something big for hashIterations
            sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher

            jdbcRealm.credentialsMatcher = $sha256Matcher

            # *** ENABLE IN PRODUCTION ****               
            #cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
            #securityManager.cacheManager = $cacheManager

            /app/rest/mobile/** = authcBasic
            /app/rest/web/** = authc
            /app/** = authc

            #/* = authc,ssl[8181]                


  • Looks like it's been resolved with the latest Tomcat RC8