bugfix: restored changes clobbered by previous merge

.github/workflows/codeql.yml

@@ -60,7 +60,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Cache local Maven repository
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 #v4.0.2
@@ -71,7 +71,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -85,7 +85,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -98,6 +98,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/maven.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Set up JDK
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
@@ -77,7 +77,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Set up JDK
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1

.github/workflows/scorecards.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # tag=v3.0.0
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v3.0.0
         with:
           persist-credentials: false
 
@@ -74,6 +74,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a #tag=v2
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 #tag=v2
         with:
           sarif_file: results.sarif

integration-tests/jakarta-ee/pom.xml

@@ -349,7 +349,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.3.0</version>
                 <configuration>
                     <executable>${project.build.directory}/dependency/payara5/bin/${asadmin.cmd}</executable>
                     <skip>${payara.start.skip}</skip>

integration-tests/jaxrs/tests/src/main/java/org/apache/shiro/testing/jaxrs/tests/AbstractShiroJaxRsIT.java

@@ -58,7 +58,7 @@ public void testGetUsersUnauthenticated() {
         final Response usersResponse = usersTarget.request(MediaType.APPLICATION_JSON_TYPE)
                 .buildGet()
                 .invoke();
-        assertEquals(Status.FORBIDDEN.getStatusCode(), usersResponse.getStatus());
+        assertEquals(Status.UNAUTHORIZED.getStatusCode(), usersResponse.getStatus());
     }
 
     @SuppressWarnings({"checkstyle:MagicNumber"})

pom.xml

@@ -91,7 +91,7 @@
         <commons.collection.version>3.2.2</commons.collection.version>
         <commons.configuration2.version>2.10.1</commons.configuration2.version>
         <commons.lang3.version>3.14.0</commons.lang3.version>
-        <commons.logging.version>1.3.1</commons.logging.version>
+        <commons.logging.version>1.3.2</commons.logging.version>
         <commons.text.version>1.8</commons.text.version>
         <!-- Don't change this version without also changing the shiro-ehcache and shiro-features
              modules' OSGi metadata: -->
@@ -110,7 +110,7 @@
         <quartz.docs.version>2.3.0</quartz.docs.version>
         <slf4j.version>2.0.13</slf4j.version>
         <log4j.version>2.23.1</log4j.version>
-        <spring.version>5.3.34</spring.version>
+        <spring.version>5.3.36</spring.version>
         <spring-boot.version>2.7.18</spring-boot.version>
         <guice.version>4.2.3</guice.version>
         <jaxrs.api.version>2.1.6</jaxrs.api.version>
@@ -119,8 +119,8 @@
 
         <!-- Test 3rd-party dependencies: -->
         <easymock.version>5.2.0</easymock.version>
-        <mockito.version>5.11.0</mockito.version>
-        <bytebuddy.version>1.14.15</bytebuddy.version>
+        <mockito.version>5.12.0</mockito.version>
+        <bytebuddy.version>1.14.16</bytebuddy.version>
         <gmaven.version>3.0.2</gmaven.version>
         <groovy.version>4.0.21</groovy.version>
         <junit.version>5.10.2</junit.version>
@@ -311,8 +311,6 @@
                             <link>https://docs.spring.io/spring/docs/${spring.version}/javadoc-api/</link>
                             <link>https://docs.spring.io/spring-boot/docs/${spring-boot.version}/api/</link>
                             <link>https://junit.org/junit5/docs/${junit.version}/api/</link>
-                            <link>https://easymock.org/api/</link>
-                            <link>https://javadoc.io/doc/org.mockito/mockito-core/${mockito.version}/org/mockito/Mockito.html</link>
                             <link>https://www.quartz-scheduler.org/api/${quartz.docs.version}/</link>
                         </links>
                     </configuration>
@@ -389,7 +387,7 @@
                 <plugin>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>build-helper-maven-plugin</artifactId>
-                    <version>3.5.0</version>
+                    <version>3.6.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.jacoco</groupId>
@@ -399,7 +397,7 @@
                 <plugin>
                     <groupId>com.mycila</groupId>
                     <artifactId>license-maven-plugin</artifactId>
-                    <version>4.4</version>
+                    <version>4.5</version>
                     <configuration>
                         <aggregate>true</aggregate>
                         <header>${root.dir}/src/license/header.txt</header>
@@ -433,7 +431,7 @@
                 <plugin>
                     <groupId>org.owasp</groupId>
                     <artifactId>dependency-check-maven</artifactId>
-                    <version>9.1.0</version>
+                    <version>9.2.0</version>
                 </plugin>
                 <plugin>
                     <groupId>com.github.siom79.japicmp</groupId>

samples/quickstart-guice/pom.xml

@@ -38,7 +38,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.3.0</version>
                 <executions>
                     <execution>
                         <goals>

samples/quickstart/pom.xml

@@ -40,7 +40,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.3.0</version>
                 <executions>
                     <execution>
                         <goals>

samples/spring-boot-3-web/pom.xml

@@ -35,9 +35,9 @@
 
     <properties>
         <module.name>samples.spring.boot3.web</module.name>
-        <spring-boot3.version>3.2.3</spring-boot3.version>
+        <spring-boot3.version>3.2.6</spring-boot3.version>
         <!--    below versions are not necessary in "real" applications -->
-        <spring.version>6.1.5</spring.version>
+        <spring.version>6.1.8</spring.version>
     </properties>
 
     <dependencies>

samples/spring/pom.xml

@@ -72,7 +72,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.3.0</version>
                 <configuration>
                     <mainClass>org.apache.shiro.samples.spring.CliApp</mainClass>
                 </configuration>

samples/web-jakarta/pom.xml

@@ -33,7 +33,7 @@
 
     <properties>
         <meecrowave.version>1.2.15</meecrowave.version>
-        <tomcat.version>10.1.23</tomcat.version>
+        <tomcat.version>10.1.24</tomcat.version>
         <jacoco.skip>true</jacoco.skip>
     </properties>
 

support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/UnauthenticatedExceptionExceptionMapper.java

@@ -29,7 +29,7 @@
 
 /**
  * JAX-RS exception mapper used to map Shiro {@link UnauthenticatedException} to HTTP status codes.
- * {@link UnauthenticatedException} will be mapped to 403.
+ * {@link UnauthenticatedException} will be mapped to 401.
  *
  * @since 1.4
  */
@@ -43,6 +43,6 @@ public Response toResponse(UnauthenticatedException exception) {
             LOG.debug("unauthenticated.", exception);
         }
 
-        return Response.status(Status.FORBIDDEN).build();
+        return Response.status(Status.UNAUTHORIZED).build();
     }
 }

support/jaxrs/src/main/java/org/apache/shiro/web/jaxrs/UnauthorizedExceptionExceptionMapper.java

@@ -29,7 +29,7 @@
 
 /**
  * JAX-RS exception mapper used to map Shiro {@link UnauthorizedException} to HTTP status codes.
- * {@link UnauthorizedException} will be mapped to 401.
+ * {@link UnauthorizedException} will be mapped to 403.
  *
  * @since 1.4
  */
@@ -41,9 +41,9 @@ public class UnauthorizedExceptionExceptionMapper implements ExceptionMapper<Una
     public Response toResponse(UnauthorizedException exception) {
 
         if (LOG.isDebugEnabled()) {
-            LOG.debug("unauthenticated.", exception);
+            LOG.debug("unauthorized.", exception);
         }
 
-        return Response.status(Status.UNAUTHORIZED).build();
+        return Response.status(Status.FORBIDDEN).build();
     }
 }

support/jaxrs/src/test/groovy/org/apache/shiro/web/jaxrs/UnauthorizedExceptionExceptionMapperTest.groovy

@@ -37,9 +37,9 @@ class UnauthorizedExceptionExceptionMapperTest {
 
     @Test
     void testUnauthorizedException() {
-        doTest(new UnauthorizedException("expected test exception."), Response.Status.UNAUTHORIZED, new UnauthorizedExceptionExceptionMapper())
-        doTest(new HostUnauthorizedException("expected test exception."), Response.Status.UNAUTHORIZED, new UnauthorizedExceptionExceptionMapper())
-        doTest(new UnauthenticatedException("expected test exception."), Response.Status.FORBIDDEN, new UnauthenticatedExceptionExceptionMapper())
+        doTest(new UnauthorizedException("expected test exception."), Response.Status.FORBIDDEN, new UnauthorizedExceptionExceptionMapper())
+        doTest(new HostUnauthorizedException("expected test exception."), Response.Status.FORBIDDEN, new UnauthorizedExceptionExceptionMapper())
+        doTest(new UnauthenticatedException("expected test exception."), Response.Status.UNAUTHORIZED, new UnauthenticatedExceptionExceptionMapper())
     }
 
     private static void doTest(AuthorizationException exception, Response.StatusType expectedStatus, ExceptionMapper<? extends Throwable> exceptionMapper) {