6

I am looking for frameworks/solution for authentication/ user-login management/ security in java web application that can make the naive developer's job easier/faster and make the application relatively more secured against potential threats.

As some people have suggested me to consider solutions like Spring Security & Apache Shiro, I wanted to know how does it go with JSF 2.0. Are there any downsides of using Shrino over Spring security for my case?

Any other better security solutions for JSF applications ?

Currently I'm using JSF 2.0(with Facelets) as the front-end development framework in my web application & it is backed by Cassandra, a NoSQL database.

Rajat Gupta
  • 25,853
  • 63
  • 179
  • 294

2 Answers2

7

Deluan Quintão has provided a good solution for Shiro and JSF that has been received well by the Shiro community:

http://techbeats.deluan.com/apache-shiro-tags-for-jsffacelets

Also note that Shiro can use Cassandra as a back-end to enable Servlet container-independent session clustering (You will need to write a CassandraSessionDAO and plug it in to Shiro's configuration). See http://shiro.apache.org/session-management.html for more.

halfer
  • 19,824
  • 17
  • 99
  • 186
Les Hazlewood
  • 18,480
  • 13
  • 68
  • 76
  • Thanks Les & especially for the great work! 1.) Is Deluan's patch compatible with JSF **2.0** (as I saw it for JSF 1.x on his blog). 2.) Also to ascertain compatibility, I am using *Primefaces*, a component library (similar to ICEFaces ) with JSF 2.0. 3.) Also I would like to know whether this work is going to be incorporated into the official releases in near-future ? Thanks :) – Rajat Gupta Jul 24 '11 at 18:53
  • 1
    Hi Raj - I'm not sure - you might want to ask Deluan if he'll update it for 2.0 and we can definitely talk about adding it in to Shiro proper. – Les Hazlewood Jul 25 '11 at 00:33
  • @Les Hazlewood: Hi Les, Thanks for the great work. Would you like to say something about when it is good to move from container based security to alternatives like shiro or others? See more focussed question here:http://stackoverflow.com/questions/7782720/when-to-move-from-container-managed-security-to-alternatives-like-apache-shiro – Rajat Gupta Oct 16 '11 at 06:36
  • There is already a JSF 2.0 compatible version of the library, available at https://github.com/deluan/shiro-faces – deluan Nov 10 '11 at 11:32
  • i think gonna use it with session stored in mongodb. – halil May 25 '12 at 09:53
0

If you can't use native form based authentication that is provided by your application server I would recommend you to use Apache Shiro, because it integrates well with the Java EE stack. Spring security is fine too, but if you plan to use JSF 2 you probably also use CDI (provided by Seam Weld, which is integrated into the Java EE 6 Profile from Glassfish and JBoss) it is easier to use Shiro, as Spring heavily relies on its own Dependency Injection methods, although Spring security does not need that much injected classes, but you should stick to one way of doing things.

iuiz
  • 957
  • 1
  • 10
  • 23