deamon

Reputation: 92367

Using Spring Security with EJB or Spring?

I wanted to build an application based on Java EE 6, but the security mechanisms of Java EE are not sufficient and a pain to work with for my needs. Spring Security seems the best way to secure my application. Now I wonder if Spring Security + EJB is a good combination or if I should better use Spring only.

I need method interception, ACLs and possibly URL pattern access control. The main problem I see is using EJB interception with Spring Security. Is it a problem? What other areas could be problematic?

Would you prefer Spring Security + EJB or Spring Security + Spring (only)?

As skaffman said, the real question is Java EE vs. Spring. There is a nice comparison from JBoss.

Upvotes: 3

Views: 2956

Answers (3)

Enrico Giurin

Reputation: 2273

After having spent a lot of days trying to find a way to use only Spring Security to secure the EJB, I've adopted a kind of hybrid solution: JAAS + Spring Security.

The client uses JAAS to authenticate to the EJB on the server. I've created a custom JAAS LoginModule which delegates authentication to the Spring Security code.

To perform their logic, the EJBs use methods which are annotated with JSR-250 annotations (RolesAllowed), and this part is fully handled by Spring Security.

In this way I've achieved a clear separation between EJB and Spring Security, so my business code, secured by Spring Security, is fully portable to any other kind of application server, or it can even run as a standalone application.

Upvotes: 0
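
An added example, not the answerer's code, of a JAAS LoginModule that delegates the credential check to Spring Security as the answer above describes. The class name, the static `authenticationManager` field (assumed to be assigned by the Spring context at startup) and the `NamedPrincipal` record are hypothetical; it assumes Java 16+ and Spring Security on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;

public class SpringDelegatingLoginModule implements LoginModule {
    // Assumption: the Spring context assigns this once at startup.
    public static volatile AuthenticationManager authenticationManager;

    // Simplification: user and role names share one principal type; containers map roles differently.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> pending = new HashSet<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
            char[] pw = pass.getPassword();
            Authentication auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(name.getName(), pw == null ? "" : new String(pw)));
            pending.add(new NamedPrincipal(auth.getName()));
            auth.getAuthorities().forEach(a -> pending.add(new NamedPrincipal(a.getAuthority())));
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials");
        } catch (AuthenticationException e) {
            throw new FailedLoginException("authentication failed"); // do not reveal why
        } finally {
            pass.clearPassword(); // wipe the callback's copy of the password
        }
    }
    // Principals reach the Subject only in commit(), after every module in the JAAS stack has run.
    public boolean commit() { return !pending.isEmpty() && subject.getPrincipals().addAll(pending); }
    public boolean abort()  { pending.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
}
```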

skaffman

Reputation: 403441

Spring Security is distinct from the Spring Framework. They work well together, but Spring Security does not require you to use the Spring Framework underneath.

So in a very real sense, it doesn't matter; it becomes a question of whether you prefer EJB3 or Spring, regardless of Spring Security.

Upvotes: 7

matt b

Reputation: 139921

I am not very familiar with EJB but my understanding has always been that it is essentially a data-access technology, or a way to distribute services.

Spring itself, and the Spring Security module, is designed to be very lightweight and unobtrusive. If you are building a web application and using Spring Security for logins/security, then it doesn't care or even know if you are using EJB vs JDBC vs remoting technologies etc.

Upvotes: 0
