From what I have researched so far, most people are saying Apache Shiro is easy to use and easy to integrate with CAS (for SSO etc.). I just want to ask if anyone has experience using both of them, which one to use, and why one is better than the other?
5 Answers
Many of the Shiro developers use Spring for their applications, so Shiro works beautifully in Spring environments. The general feedback we've received thus far is that Shiro is also far easier to understand (for most people) than Spring Security.
If you want full Session clustering support across any web container however, only Shiro will support this easily. Shiro's crypto is also very simple/easy to use.
Choose which fits your mental model best - both will work great in Spring environments.

Agreed, Spring Security's claim to fame has more to do with the Spring "brand" than anything. Taking a library (Acegi I believe) and changing the name to include "Spring" does not make it optimal. Everyone's grandma seems to have a project riding on the Spring bandwagon now. Rod came up with a few interesting concepts, that's nice. Then it grew into a typical behemoth and lost the simplicity and ease of use which was a former strength. Everything Spring touches isn't going to be an automatic win. That's more like religion than IT. – Mifune Oct 17 '12 at 20:18
I have recently had to evaluate both Shiro and Spring Security. We went with Spring Security (in fact we extended Spring Security to use the Shiro permission strings in a better way - with instance variables on annotations).
Spring Security
- Under active development.
- Has much more community support.
- Spring Security has extensions providing support for OAuth, Kerberos and SAML.
Shiro
- Does not support SAML or OAuth.
- Makes no mention of supporting before and after security policies.
- Active development seems limited; the website still contains erroneous information.

We are using the Spring framework. But the question is: which is best? Spring Security looks harder to implement and understand than Apache Shiro? – Java SE Jul 16 '12 at 10:08
Spring Security is fine; if you are using Spring anyway, go for it. – NimChimpsky Jul 16 '12 at 10:12
I think you are right. After looking at the pros and cons of both technologies, Spring Security is the winner. – Java SE Jul 19 '12 at 14:54
Spring Security is definitely harder to implement, configure, and understand. No doubt about it. Shiro was designed for simplicity, and works fine alongside Spring. Ditch Spring Security unless you absolutely need it; why use a more complex solution when a simpler one works fine? (Job security?) – Mifune Oct 17 '12 at 20:15
@Mifune Job security/prospects would be a perfectly valid reason imho. But what about the reasons listed in my answer? – NimChimpsky Nov 04 '13 at 08:57
Shiro has an option for SAML but defaults to CAS - https://shiro.apache.org/cas.html – Dev Apr 06 '17 at 12:20
I have evaluated both Shiro and Spring Security. The main advantage that people claim about Shiro is simplicity, but I believe that Spring Security (3.0) is not crazy complicated. It took me almost the same number of lines of configuration to set up. Also, Spring Security is much better documented than Shiro. But the main issue with Shiro is that it doesn't support OAuth or Digest Authentication (they are planning to include it in the future: https://issues.apache.org/jira/browse/SHIRO-20 ). My conclusion: today I would go for Spring Security.
The bug you referenced is not about OAuth but about Digest HTTP Authentication, which is a relic anyway. If you need OAuth, then here is the Shiro-OAuth module for you: https://github.com/FeedTheCoffers/shiro-oauth – vbg Apr 11 '16 at 13:30
Shiro is better to use. Its code is much simpler, which gives you the flexibility to extend it and provide your custom behaviour wherever needed. It also provides an internal cache implementation of Ehcache through which you can replicate sessions on server clusters. If you are going to design an RBAC (role-based access control) system for your application, it will give you the flexibility to handle asset-level permissions, and its access control mechanism is much more flexible compared to Spring Security.

Spring Security and Shiro both sit awesomely with the Spring framework. I have tested both of them. For me, Spring Security was easy to integrate and is totally understandable from a developer's point of view. Shiro is also easy to integrate, but for me Spring is easier to integrate.
