
I'm looking for a good security framework that allows me to annotate parameter-based access rules on methods.

Basically I want to check if the authenticated user is allowed to call a certain method with a specific object as a parameter.

Spring Security would serve my needs, but because of this (spring forum) I'm looking for alternatives if I'm unable to get it to work.

Requirements:

  • method security based on config or annotations; I want to avoid putting my security code inside my service methods
  • rules are based on the parameters of the methods; simple role-based security is not enough
  • Spring support out of the box is a plus

Any recommendations?

Laures

  • If your existing application is on the Spring framework, then using Spring itself makes sense. – Phani Apr 12 '12 at 13:48
  • What is the EJB way? @Phani as I wrote: Spring Security doesn't work in my application and it might be it never will. So I'm preparing for the worst and looking for ALTERNATIVES – Laures Apr 12 '12 at 13:51
  • Then the only approach left for you is to use JAAS http://www.oracle.com/technetwork/java/javase/jaas/index.html – Phani Apr 12 '12 at 14:05
  • It makes me cringe to say it, but can you roll your own security check using a method interceptor and apply it across your beans using AOP? – Craig Swing Apr 12 '12 at 15:30
  • @CraigSwing I feel with you there, but so far that's probably what I will do if everything fails with Spring Security. – Laures Apr 12 '12 at 15:46
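
One way to get what the question asks for without any framework, along the lines of the method-interceptor idea raised in the comments: a JDK dynamic proxy that reads an annotation on the service interface's parameters and asks a permission evaluator whether the current principal may perform that action on that argument before the real method runs. This is an added example, not code from the original post and not Spring Security's or Shiro's own code; the `@Secured` annotation, `DocumentService`, `Document`, `OwnerOnlyEvaluator` and the way the principal is handed to the interceptor are all assumptions made for the illustration.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ParameterSecurityDemo {

    /** Hypothetical annotation: the argument must pass an access check for the named permission. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.PARAMETER)
    public @interface Secured {
        String value();
    }

    /** Hypothetical domain object (constructed for the example). */
    public static final class Document {
        final String id;
        final String owner;
        Document(String id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Hypothetical service interface. The rules live on the interface, not in the implementation. */
    public interface DocumentService {
        String rename(@Secured("edit") Document doc, String newTitle);
        String read(@Secured("read") Document doc);
    }

    /** The implementation contains no security code at all. */
    public static final class DocumentServiceImpl implements DocumentService {
        public String rename(Document doc, String newTitle) { return doc.id + " renamed to " + newTitle; }
        public String read(Document doc) { return "contents of " + doc.id; }
    }

    /** The rule: may this principal perform this permission on this object? */
    public interface PermissionEvaluator {
        boolean hasPermission(String principal, Object target, String permission);
    }

    /** Example rule set: anyone authenticated may read, only the owner may edit; unknown targets are denied. */
    public static final class OwnerOnlyEvaluator implements PermissionEvaluator {
        public boolean hasPermission(String principal, Object target, String permission) {
            if (!(target instanceof Document)) return false;
            Document doc = (Document) target;
            if ("read".equals(permission)) return true;
            return doc.owner.equals(principal);
        }
    }

    public static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Interceptor: checks every @Secured parameter of the interface method before delegating. */
    public static final class SecurityInterceptor implements InvocationHandler {
        private final Object target;
        private final PermissionEvaluator evaluator;
        private final String principal; // assumption: fixed per proxy; a real app reads it from a request context

        SecurityInterceptor(Object target, PermissionEvaluator evaluator, String principal) {
            this.target = target; this.evaluator = evaluator; this.principal = principal;
        }

        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // method is the interface method, so the annotations declared on the interface are visible here
            Annotation[][] paramAnnotations = method.getParameterAnnotations();
            for (int i = 0; i < paramAnnotations.length; i++) {
                for (Annotation a : paramAnnotations[i]) {
                    if (a instanceof Secured) {
                        String perm = ((Secured) a).value();
                        if (!evaluator.hasPermission(principal, args[i], perm)) {
                            throw new AccessDeniedException(principal + " lacks '" + perm
                                    + "' on argument " + i + " of " + method.getName());
                        }
                    }
                }
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // unwrap so callers see the service's own exception
            }
        }
    }

    /** Wraps a service in the security proxy; the caller only ever holds the proxy. */
    @SuppressWarnings("unchecked")
    public static <T> T secure(Class<T> iface, T target, PermissionEvaluator evaluator, String principal) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface },
                new SecurityInterceptor(target, evaluator, principal));
    }

    public static void main(String[] args) {
        Document doc = new Document("doc-1", "alice");
        PermissionEvaluator evaluator = new OwnerOnlyEvaluator();
        DocumentService asAlice = secure(DocumentService.class, new DocumentServiceImpl(), evaluator, "alice");
        DocumentService asBob = secure(DocumentService.class, new DocumentServiceImpl(), evaluator, "bob");

        System.out.println(asAlice.rename(doc, "Plan"));   // allowed: alice owns doc-1
        System.out.println(asBob.read(doc));                // allowed: read is open to any principal
        try {
            asBob.rename(doc, "Hijacked");                   // denied: bob is not the owner
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ParameterSecurityDemo.java && java ParameterSecurityDemo`. Two caveats that apply equally to Spring AOP proxies: only calls that go through the proxy are checked, so a service method calling another method on `this` bypasses the interceptor, and the annotations must sit on the interface method because that is the `Method` the proxy hands to the handler. The `PermissionEvaluator` shape is deliberately the same split that Spring Security's `@PreAuthorize("hasPermission(#doc, 'edit')")` delegates to, so the rules written for this interceptor can be moved over if Spring Security is made to work later.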

1 Answer

Apache Shiro stands in competition with Spring Security. It is easier and covers more. See here.

Joop Eggen

  • Two facts stated here, one correct, one wrong. It looks a LOT easier and "seems easier" is true. "Covers a lot more" is probably wrong. It does not have OAuth OR OpenID yet. Can you say yahoo, facebook, amazon, Microsoft-Whatever, Twitter, Baidu, and up to 50 more of the top Identity providers in the world . . . unavailable to be used?? – Dennis Jun 12 '12 at 23:39
  • @Dennis, Shiro can be used in a non-JEE, non-web application to communicate with the web. That is what I find "more" and a refreshingly logical architectural approach. I was convinced that an OAuth plugin existed, but it might well be still alpha. Missing OpenID support is indeed a pity. – Joop Eggen Jun 13 '12 at 09:37