What security framework do you use in your Java projects?

I have used Spring Security and Apache Shiro, and they both look immature.

Spring Security flaws:

  1. no native support for permissions;
  2. no ability to use explicitly in Java code (sometimes it's necessary);
  3. too focused on classic (non-AJAX) web applications.

Apache Shiro flaws:

  1. bugs in final release (like the problem with Spring integration);
  2. no support for OpenID and some other widely used technologies;
  3. performance issues reported.

There is also lack of documentation for both of them.

Maybe most real projects develop their own security frameworks?

Andrey Minogin
  • Your question is way too vague IMHO. Which aspects are you interested in? – Cratylus Jun 04 '11 at 20:53
  • Spring Security has roles, which can be used for "permission". And what does "no ability to use explicitly in Java code" mean? – matt b Jun 04 '11 at 21:25
  • @user384706 I am interested in a framework which combines advantages of SS and Shiro like convenient permission model and OpenID support and doesn't have their flaws described. – Andrey Minogin Jun 05 '11 at 06:13
  • @matt You answered your first question yourself. You said: "roles which can be used for permission". There must be a normal user-role-permission model, not "roles as permissions". At the moment SS support for permissions looks like this: write your own full-featured PermissionEvaluator, and you're in luck. – Andrey Minogin Jun 05 '11 at 06:30
  • @matt b "no ability to use explicitly in Java code" means that there's no such method as SecurityContext.hasPermission("add_contact") and not even SecurityContext.hasRole("manager"). See this: http://stackoverflow.com/questions/3021200/how-to-check-hasrole-in-java-code-with-spring-security So, how do I create conditional security logic with SS? Of course I can write such methods myself, but my question is: is there any security framework which has all the base stuff already? – Andrey Minogin Jun 05 '11 at 06:33
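As an added example (not code from the question, its comments, or Spring Security itself), this is one way to get the `hasRole` / `hasPermission` calls the comments above ask for on top of Spring Security 3.x: a `PermissionEvaluator` backed by a role-to-permission map (a user-role-permission model rather than "roles as permissions") plus a small static helper that reads the current `Authentication`. The class names `SecurityChecks` and `RolePermissionEvaluator`, the permission strings and the demo principal are this example's own assumptions; it assumes spring-security-core is on the classpath.

```java
// Added example, not from the question or from Spring Security.
// Assumes spring-security-core (3.x or later) on the classpath.
// Class names, role names and permission strings are assumptions of this example.
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** User -> role -> permission model: each role grants a set of named permissions. */
class RolePermissionEvaluator implements PermissionEvaluator {
    private final Map<String, Set<String>> permissionsByRole = new HashMap<String, Set<String>>();

    void grant(String role, String... permissions) {
        Set<String> set = permissionsByRole.get(role);
        if (set == null) {
            set = new HashSet<String>();
            permissionsByRole.put(role, set);
        }
        set.addAll(Arrays.asList(permissions));
    }

    // Check without a target object, e.g. "may the current user add contacts?"
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;   // anonymous or unauthenticated callers get nothing
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            Set<String> granted = permissionsByRole.get(ga.getAuthority());
            if (granted != null && granted.contains(String.valueOf(permission))) {
                return true;
            }
        }
        return false;
    }

    // Variant keyed by target id/type; this example applies the same role rules.
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return hasPermission(auth, null, permission);
    }
}

/** Static helpers that give Java code an explicit hasRole / hasPermission. */
final class SecurityChecks {
    private static final PermissionEvaluator EVALUATOR = buildEvaluator();

    private static PermissionEvaluator buildEvaluator() {
        RolePermissionEvaluator e = new RolePermissionEvaluator();
        e.grant("ROLE_MANAGER", "contact:add", "contact:delete");
        e.grant("ROLE_USER", "contact:view");
        return e;
    }

    static Authentication current() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    static boolean hasRole(String role) {
        Authentication auth = current();
        if (auth == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (ga.getAuthority().equals(role)) return true;
        }
        return false;
    }

    static boolean hasPermission(String permission) {
        return EVALUATOR.hasPermission(current(), null, permission);
    }

    /** Conditional logic in service code: throw the exception the filter chain already translates. */
    static void require(String permission) {
        if (!hasPermission(permission)) {
            throw new AccessDeniedException("missing permission " + permission);
        }
    }

    public static void main(String[] args) {
        // Constructed principal for the demo; in a real app the filter chain populates the context.
        List<GrantedAuthority> roles = Arrays.<GrantedAuthority>asList(new SimpleGrantedAuthority("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a", roles));

        System.out.println("hasRole(ROLE_USER)          = " + hasRole("ROLE_USER"));
        System.out.println("hasPermission(contact:view) = " + hasPermission("contact:view"));
        System.out.println("hasPermission(contact:add)  = " + hasPermission("contact:add"));
        try {
            require("contact:add");
        } catch (AccessDeniedException ex) {
            System.out.println("denied: " + ex.getMessage());
        }
        SecurityContextHolder.clearContext();   // never leak a principal across threads
    }
}
```

The point of routing everything through `PermissionEvaluator` is that the same bean can also be registered with `DefaultMethodSecurityExpressionHandler`, so `@PreAuthorize("hasPermission(null, 'contact:add')")` and the explicit `SecurityChecks.require("contact:add")` in plain Java consult one set of rules.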

4 Answers

As for Apache Shiro:

I'm not sure why you've listed the things you did:

  1. Every project in the world has release bugs, without question. The big key here however is that Shiro's team is responsive and fixes them ASAP. This is not something to evaluate a framework on, otherwise you'd eliminate every framework, including any you write yourself.
  2. OpenID support will be released shortly in Shiro 1.2 - maybe a month out?
  3. What performance issues? No one has ever reported performance issues to the dev list, especially since the caching support in Shiro is broad and first-class. Without clarifications or references, this comes across as FUD.
  4. Documentation now is really good actually - some of the best in Open Source that I've seen lately (it was reworked 2 weeks ago). Do you have specific examples of where it falls short for you?

I'd love to help, but your concerns are generalizations that aren't supported by references or concrete examples. Maybe you could present specific things that your project needs that you've failed to accomplish thus far?

Apache Shiro continues to be the most flexible and easiest to understand security framework for Java and JVM languages there is - I doubt you'll find better.

But, above all, and I mean this with all sincerity, please don't write your own security framework unless you plan on putting a ridiculous amount of time into it. Nearly every company I've ever seen that tries to do this themselves fails miserably. It is really hard to get 'right' (and secure). Trust me - after writing one for 8 years, that's one thing I'm absolutely sure of :)

Anyway, feel free to join the Shiro user list and you're sure to find that the community is happy and willing to work through whatever issues you may have. You'll find that we take care of the people that ask questions and do our best to help out.

HTH!

Les Hazlewood
  • Hello Les. Thanks for your answer. No way I want to say Shiro is bad. I really like Shiro's model but I wasn't sure if it is mature enough so I asked about anyone's experience with Shiro. It seems that SS is more popular at the moment (much more references on SS). – Andrey Minogin Jun 06 '11 at 09:09
  • Regarding your questions: 1. When I tried to integrate Shiro with Spring using the documentation from your site, I ran into a problem that my annotated transactions were disabled by that configuration. 2. It is good if you plan to add support for OpenID and other useful features. 3. Hmmm... there was someone's answer about performance problems with Shiro on a highly loaded site, but I can't find it now. Didn't you delete it? (just kidding) – Andrey Minogin Jun 06 '11 at 09:19
  • 4. There seems to be little documentation on configuring Realms. Maybe it's only me who has problems with that, but the configuration is not obvious. – Andrey Minogin Jun 06 '11 at 09:22
  • @Andrey: 1. We haven't heard that before - if you're up to opening a Jira issue, we'll handle it! 4. http://shiro.apache.org/realm.html ("Realm Configuration"). They're configured like any other pojo. But what more could we do to make it better/easier? I'm happy to help! Anyway, I think you'll find the Shiro community and dev team _very_ accommodating. That and the easy API is what makes us a great choice ;) – Les Hazlewood Jun 10 '11 at 18:18
  • The month for releasing OpenID has turned into a year. How close are OpenID and OAuth? Both issues show 1 month with no commits. – Dennis Jun 12 '12 at 23:15
  • OpenID not out 18 months from expected release. Just about to implement SOME security system. I find Shiro's BASIC Resources approach is superior to Spring Security. For most of us, an ACL is overkill, complex, slow when scaled up. I think a subset of an ACL, RBACs, are as useful, faster, easier to understand/configure. A hybrid system with string||binary permissions is fast, easy to use, and similar to Shiro. Resource based access control and storing the permissions in the data. http://www.xaprb.com/blog/2006/08/16/how-to-build-role-based-access-control-in-sql/. Until OpenID and OAuth, sigh. – Dennis Dec 28 '12 at 01:39

My current projects use Spring Security and involve doing all three things you claim to be flaws in Spring Security:

  • The projects implement fine-grained access rules that go beyond simple ROLEs, and variously involve the state of domain objects, extra request parameters, and so on. These are implemented using custom "access policy objects" that get called within my MVC controllers. However, access check failures are handed back to Spring Security by throwing the relevant exception. (These could have been implemented as standard Spring Security method-level interceptors, but the checks typically involve examining domain objects.)

  • The projects support both web and AJAX access, and deal with access failures differently for the two cases. This is done by writing some custom Authentication entry point components for Spring Security that choose between different authentication behaviors depending on the request URL, etc.

In other words, it can be done ...

Having said that, I agree with you on a couple of points:

  • It is not easy to wire up this kind of thing. I kept on running into roadblocks when using the <http> element and its associated configurer. Like ... you want it to use a different version of component X. But to do that you have to replace Y, Z, P and Q as well.

  • The documentation is really sparse, and not helpful if you are trying to do something out of the ordinary.

Stephen C
  • @Stephen C Well, that's what we have with SS: the necessity to write a lot of code ourselves. – Andrey Minogin Jun 05 '11 at 06:44
  • @Andrey - not a lot. I've got ~2.3k lines of SS-related Java code, but it is mostly to do with implementing Shibboleth, OpenId, a custom SSO scheme and hybrid login schemes. I'd have orders of magnitude more security, authentication & access control code if I had to implement it all myself. – Stephen C Jun 05 '11 at 07:48
  • @Stephen C Thanks for your answer! Did you ever try Shiro? I have a feeling that while Shiro looks very interesting it is not as mature and well supported as SS. – Andrey Minogin Jun 05 '11 at 07:52
  • @Andrey - the other point is that it is inevitable that you will need to write your own code to implement conditional (e.g. object state dependent) access control schemes. – Stephen C Jun 05 '11 at 07:55
  • @Andrey - no I haven't. I'm committed to SS, for better or worse. – Stephen C Jun 05 '11 at 07:56
  • @Andrey - Shiro has been around for 3 years in the Apache organization and for 5 years before that, known as JSecurity. It is most definitely mature, and it is even professionally supported by Katasoft: http://www.katasoft.com HTH! – Les Hazlewood Jun 06 '11 at 06:36
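As an added example (not Stephen C's code, and not part of Spring Security), here is one way to implement the two techniques his answer describes: an "access policy object" that a controller calls and that reports failure by throwing `AccessDeniedException`, and an `AuthenticationEntryPoint` that answers AJAX callers with a 401 while sending browser requests to the login page. It assumes spring-security-core, spring-security-web (3.1 or later, for the `LoginUrlAuthenticationEntryPoint` constructor) and the Servlet API on the classpath; `Contact`, `ContactAccessPolicy`, `AjaxAwareEntryPoint`, the `/api/` prefix and the demo principals are this example's own assumptions.

```java
// Added example, not Stephen C's code and not Spring Security's own.
// Assumes spring-security-core, spring-security-web 3.1+ and the Servlet API.
// Contact, ContactAccessPolicy, AjaxAwareEntryPoint and "/api/" are assumptions.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** Domain object whose state takes part in the access decision. */
class Contact {
    final String owner;
    final boolean archived;
    Contact(String owner, boolean archived) { this.owner = owner; this.archived = archived; }
}

/** "Access policy object": a controller calls checkEdit() before acting on a Contact. */
class ContactAccessPolicy {
    private static boolean hasAuthority(Authentication auth, String name) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (name.equals(ga.getAuthority())) return true;
        }
        return false;
    }

    /** Rule: the owner or a manager may edit; nobody edits an archived contact. */
    boolean canEdit(Authentication auth, Contact contact) {
        if (auth == null || !auth.isAuthenticated() || contact.archived) return false;
        return contact.owner.equals(auth.getName()) || hasAuthority(auth, "ROLE_MANAGER");
    }

    /** Failure is handed back as the exception ExceptionTranslationFilter already handles. */
    void checkEdit(Authentication auth, Contact contact) {
        if (!canEdit(auth, contact)) {
            throw new AccessDeniedException("not allowed to edit this contact");
        }
    }
}

/** Entry point that gives AJAX callers a 401 and browser callers a login redirect. */
class AjaxAwareEntryPoint implements AuthenticationEntryPoint {
    private final AuthenticationEntryPoint browserEntryPoint = new LoginUrlAuthenticationEntryPoint("/login");

    static boolean isAjax(HttpServletRequest request) {
        // Either the header jQuery-style clients send, or an API path under the context root.
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
            || request.getRequestURI().startsWith(request.getContextPath() + "/api/");
    }

    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        if (isAjax(request)) {
            // A redirect to an HTML login form is useless to script code; say 401 instead.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication required");
        } else {
            browserEntryPoint.commence(request, response, authException);
        }
    }
}

class PolicyDemo {
    public static void main(String[] args) {
        ContactAccessPolicy policy = new ContactAccessPolicy();
        // Constructed principals for the demo; in a real app the filter chain provides them.
        Authentication alice = new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication bob = new UsernamePasswordAuthenticationToken("bob", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_MANAGER"));
        Contact alicesContact = new Contact("alice", false);
        Contact archived = new Contact("alice", true);

        System.out.println("alice edits own contact: " + policy.canEdit(alice, alicesContact));
        System.out.println("bob (manager) edits it:  " + policy.canEdit(bob, alicesContact));
        System.out.println("alice edits archived:    " + policy.canEdit(alice, archived));
        try {
            policy.checkEdit(alice, archived);
        } catch (AccessDeniedException ex) {
            System.out.println("denied: " + ex.getMessage());
        }
    }
}
```

Wiring: `AjaxAwareEntryPoint` goes in the `entry-point-ref` attribute of the `<http>` element, and the policy object is an ordinary bean injected into controllers. Because the policy throws `AccessDeniedException` rather than writing its own error page, an authenticated-but-unauthorized AJAX call gets the 403 handling Spring Security already provides, and the 401-versus-redirect split stays in one place.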

Andrey, I think this answer comes too late to be helpful to you; it is intended for those who land on this thread later and I hope it helps.

My company recently released OACC, an advanced Java application security framework, as open source. OACC is designed for systems that require up to object-level security granularity.

OACC provides a high-performance API that provides permission-based authorization services. In a nutshell, OACC allows your application to enforce security by answering the question: Is entity 'A' allowed to perform action 'p' on entity 'B'?

One of the key abstractions in OACC is a resource. A resource serves as the placeholder in OACC for the object in the application domain that needs to be secured. Both the actors (e.g. users, processes) and the objects being secured (e.g. documents, servers) are represented as resources in OACC. The application domain objects that are actors, or are secured, simply store the resource id to the associated resource.

The resource abstraction allows OACC, unlike other major security frameworks, to provide a rich API that manages permissions between resources. OACC persists security relationships in RDBMS tables (DB2, Oracle, MS-SQLServer and PostgreSQL are currently supported).

For more information please check out the project website: http://oaccframework.org

bluecarbon

We use a layered security in one of our projects. The layers are the following:

  1. HTTPS as protocol (Apache-AJCConnectors-TomcatServlets)
  2. Only binary objects transferred between client and servlet
  3. Individual elements in the passed objects (either way) are encrypted
  4. Encryption key is dynamic, set up during initial handshaking, valid for 1 session

Conceptually, the security consists of the encryption key, encryption algorithm and the data on which it is applied. We make sure that more than 1 of the 3 is never passed simultaneously during a communication. Hope that helps. Regards, - M.S.

Manidip Sengupta
  • My question is about a HIGH LEVEL security framework, not the encryption. A high-level security framework is one that lets you manage roles and permission checks. – Andrey Minogin Jun 05 '11 at 06:35