10

Just a quick question regarding security frameworks in Java.

To date, JAAS has always been my go-to framework. Yes, people complain that it is very difficult to set up and that it requires hooks into your underlying system, but it does its job and has the added bonus of being a specification.

That said, I have been researching other security frameworks in Java lately, and the two that seem to be getting the most attention online are:

1 - Spring Security

Spring Security seems to be insanely popular but I found it a bit convoluted to work with.

2 - Apache Shiro

Apache Shiro seems to be more straightforward than Spring Security; however, it seems to lack some documentation.

So my question is: of the frameworks mentioned above, do people think I should spend time learning Spring Security or Apache Shiro?

(Or should I just stick with JAAS?)

3 Answers

7

Shiro is great if you want to use it in a mixture of web/non-web environments. It is highly customizable. We use it to do multi-tenant authorization, and we also have some custom permission requirements we have implemented using Shiro.

You can also create Spring beans from almost every class in Shiro, as the code is set up very cleanly and is very usable with Spring injection (or any other dependency injection framework, I guess).

As Dev mentions, the documentation is lacking. We did a lot of reading the source code to get our fixes, so if you want to do more advanced configuration, be aware that you'll have to dive into the source.

For simple setups, the standard documentation of Shiro will help you in most cases.

IMHO Spring Security is fine, but it doesn't have the flexibility Shiro provides.

Wouter
  • I've started messing around with Shiro and hit a snag, any idea about the current issue I'm having - http://stackoverflow.com/questions/34637907/configure-shiro-ini-for-jdbc-connection –  Jan 06 '16 at 16:28
3

I personally use Apache Shiro, as it is highly customizable using shiro.ini and by extending prebuilt classes. Also, configuration is merely a shiro.ini file with some entries in web.xml. It has good documentation from third persons, like

http://meri-stuff.blogspot.in/2011/03/apache-shiro-part-1-basics.html

The other parts are linked on the same page.

It can be integrated with Spring, Guice, SSO, etc., so I go with it.

Dev
0

There is a fourth option.
In mainstream web architecture, how to protect the RESTful API provided by the back end through effective and fast authentication has become particularly important.

  1. Shiro does not natively support RESTful APIs.
  2. Spring Security is deeply bound to the Spring framework, and the learning curve is steep.

So we designed sureness. We hope to provide a security framework that supports RESTful APIs, has no framework dependency, can dynamically modify permissions, offers multiple authentication policies, is faster, and is easy to use and extend. You are welcome to use it.

sureness - https://github.com/tomsun28/sureness

tom
  • 1
    Your only answers so far have been to promote what I assume is your own project, without stating that it is by you. Please be aware that this could be considered to be equivalent to spam if you continue to do this. – Kemp Feb 25 '21 at 15:23
  • @Kemp Sorry, I am a newcomer in answering questions. I will correct it later. – tom Feb 26 '21 at 00:57