diff --git a/pom.xml b/pom.xml
index b8eb2eb..12d7a2c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -13,7 +13,7 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <shiro.version>1.13.0</shiro.version>
+    <shiro.version>2.0.5</shiro.version>
   </properties>
 
   <repositories>
@@ -88,11 +88,13 @@
       <groupId>org.apache.shiro</groupId>
       <artifactId>shiro-core</artifactId>
       <version>${shiro.version}</version>
+        <classifier>jakarta</classifier>
     </dependency>
     <dependency>
       <groupId>org.apache.shiro</groupId>
       <artifactId>shiro-web</artifactId>
       <version>${shiro.version}</version>
+        <classifier>jakarta</classifier>
     </dependency>
 
     <dependency>
diff --git a/src/main/java/com/epimorphics/appbase/security/AppRealm.java b/src/main/java/com/epimorphics/appbase/security/AppRealm.java
index ea438e3..f5be5a0 100644
--- a/src/main/java/com/epimorphics/appbase/security/AppRealm.java
+++ b/src/main/java/com/epimorphics/appbase/security/AppRealm.java
@@ -18,6 +18,8 @@
 import org.apache.shiro.authc.IncorrectCredentialsException;
 import org.apache.shiro.authc.SaltedAuthenticationInfo;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authc.credential.CredentialsMatcher;
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.cache.Cache;
@@ -52,8 +54,8 @@ public static AppRealm getRealm() {
     public AppRealm() {
         setCredentialsMatcher( new AppRealmCredentialsMatcher() );
         DefaultHashService hashing = new DefaultHashService();
-        hashing.setHashAlgorithmName( DEFAULT_ALGORITHM );
-        hashing.setHashIterations( DEFAULT_ITERATIONS );
+        hashing.setDefaultAlgorithmName( DEFAULT_ALGORITHM );
+        // hashing.setHashIterations( DEFAULT_ITERATIONS );
         hashService = hashing;
     }
 
@@ -62,8 +64,19 @@ public AppRealm() {
      * Must be set before any new credentials (including bootstrap ones) are hashed.
      */
     public void setHashIterations(int iterations) {
-        ((DefaultHashService) hashService).setHashIterations(iterations);
-        ((AppRealmCredentialsMatcher)getCredentialsMatcher()).setHashIterations(iterations);
+        CredentialsMatcher cm = getCredentialsMatcher();
+        if (cm instanceof HashedCredentialsMatcher hcm) {
+            hcm.setHashIterations(iterations);
+        }
+    }
+
+    public int getHashIterations() {
+        CredentialsMatcher cm = getCredentialsMatcher();
+        if (cm instanceof HashedCredentialsMatcher hcm) {
+            return hcm.getHashIterations();
+        } else {
+            return 0;
+        }
     }
 
     /**
diff --git a/src/main/java/com/epimorphics/appbase/security/BaseUserStore.java b/src/main/java/com/epimorphics/appbase/security/BaseUserStore.java
index bfcd310..37af97e 100644
--- a/src/main/java/com/epimorphics/appbase/security/BaseUserStore.java
+++ b/src/main/java/com/epimorphics/appbase/security/BaseUserStore.java
@@ -31,11 +31,11 @@
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.SaltedAuthenticationInfo;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.codec.Hex;
+import org.apache.shiro.lang.codec.Hex;
 import org.apache.shiro.crypto.SecureRandomNumberGenerator;
 import org.apache.shiro.crypto.hash.Hash;
 import org.apache.shiro.crypto.hash.HashRequest;
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -305,6 +305,7 @@ public void setPassword(ByteSource password, long minstolive) {
         HashRequest request = new HashRequest.Builder()
             .setSource(password)
             .setSalt( getSalt() )
+            .addParameter("SimpleHash.iterations", realm.getHashIterations())
             .build();
         Hash hash = realm.getHashService().computeHash(request);
         this.password = hash.toHex();
diff --git a/src/main/java/com/epimorphics/appbase/security/DBUserStore.java b/src/main/java/com/epimorphics/appbase/security/DBUserStore.java
index abb04d1..fbe5a20 100644
--- a/src/main/java/com/epimorphics/appbase/security/DBUserStore.java
+++ b/src/main/java/com/epimorphics/appbase/security/DBUserStore.java
@@ -33,8 +33,9 @@
 import java.util.List;
 import java.util.Set;
 
+import org.apache.jena.atlas.web.TypedInputStream;
 import org.apache.jena.riot.system.stream.StreamManager;
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -81,8 +82,10 @@ protected boolean initstore() {
 
             if (!exists) {
                 startTransaction();
-                String schema  = FileManager.get().readWholeFileAsUTF8(DATABASE_SCHEMA);
-                Statement s = conn.createStatement();
+                String schema;
+                try (TypedInputStream input = StreamManager.get().open(DATABASE_SCHEMA)) {
+                    schema = new String(input.readAllBytes());
+                }                Statement s = conn.createStatement();
                 for (String statement : schema.split(";")) {
                     String sql = statement.trim();
                     if (!sql.isEmpty() && ! sql.startsWith("--")) {
diff --git a/src/main/java/com/epimorphics/appbase/security/Login.java b/src/main/java/com/epimorphics/appbase/security/Login.java
index eff14c9..5cfbe48 100644
--- a/src/main/java/com/epimorphics/appbase/security/Login.java
+++ b/src/main/java/com/epimorphics/appbase/security/Login.java
@@ -25,7 +25,7 @@
 
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
diff --git a/src/main/java/com/epimorphics/appbase/security/MemUserStore.java b/src/main/java/com/epimorphics/appbase/security/MemUserStore.java
index b40fd02..3ec7a21 100644
--- a/src/main/java/com/epimorphics/appbase/security/MemUserStore.java
+++ b/src/main/java/com/epimorphics/appbase/security/MemUserStore.java
@@ -30,7 +30,7 @@
 import java.util.Map;
 import java.util.Set;
 
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 
 
 /**
diff --git a/src/main/java/com/epimorphics/appbase/security/UserStore.java b/src/main/java/com/epimorphics/appbase/security/UserStore.java
index e6c7629..463e699 100644
--- a/src/main/java/com/epimorphics/appbase/security/UserStore.java
+++ b/src/main/java/com/epimorphics/appbase/security/UserStore.java
@@ -25,7 +25,7 @@
 import java.util.Set;
 
 import org.apache.shiro.authc.SaltedAuthenticationInfo;
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 
 /**
  * Interface abstraction for the store of registered users. The actual
diff --git a/src/test/java/com/epimorphics/appbase/security/TestUserStores.java b/src/test/java/com/epimorphics/appbase/security/TestUserStores.java
index 52069de..70a9ae0 100644
--- a/src/test/java/com/epimorphics/appbase/security/TestUserStores.java
+++ b/src/test/java/com/epimorphics/appbase/security/TestUserStores.java
@@ -15,7 +15,7 @@
 import java.util.Set;
 
 import org.apache.shiro.authc.SaltedAuthenticationInfo;
-import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.lang.util.ByteSource;
 import org.junit.jupiter.api.Test;
 
 import com.epimorphics.appbase.security.BaseUserStore.UserRecord;