Reputation: 3644
Preferably something that integrates well with a Flex front end. Yes, the Spring Security guys say this is possible, but all examples seem to use legacy JSP tag libraries, making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (@RolesAllowed etc.), MINIMAL XML, and 'remember-me' features (not cookie based).
Apache Shiro seems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.
Upvotes: 5
Views: 3235
Reputation: 3644
Turns out Apache Shiro is actually a simpler and easier to learn solution than Spring Security. And no stupid XML configuration is nice.
Upvotes: 8
Reputation: 67019
I don't see why Flex should authenticate anything; after all, that is the client side. What's stopping someone from decompiling your Flash/Flex?
For most people Apache Shiro is overkill and they just roll their own. Which isn't the best idea to be honest. I have seen a lot of horrible authentication systems over the years. Cookies are meant to keep track of the session for the client, why use anything else?
Edit: Use Spring Security for authentication.
Upvotes: 0
Reputation: 31528
Spring Security is by far the best tool out there.
BlazeDS is no magic. It is ultimately just a call to the server over HTTP. The Blaze application is just a war file, and has traditional URLs. So, to protect the services, you have to protect the URLs in your web.xml / Spring configuration files.
Essentially, read the documentation of Spring Security/JAAS, and substitute the JSPs with the URLs of your Blaze services.
Spring Security also has support for Roles and authorization. It also has a remember-me functionality, but that absolutely uses cookies. You cannot have a remember-me functionality without cookies.
Regarding authentication, it is possible to pass the authentication token as a request parameter instead of a cookie. But cookies are recommended, and are a lot easier to get right.
And finally, security is pointless without using HTTPS. You absolutely must use HTTPS throughout your application if you care about security.
Upvotes: 0
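The URL-level protection described in the answer above, as an added example that is not part of the original thread: a `web.xml` fragment using standard Servlet security elements to require a role and HTTPS on the BlazeDS endpoints. The `/messagebroker/*` pattern, the role name `user`, the realm name and the BASIC login method are assumptions; use the servlet mapping and login mechanism your war actually declares.

```xml
<!-- Added example: fragment of WEB-INF/web.xml inside the BlazeDS war. -->
<!-- Assumption: the BlazeDS servlet is mapped to /messagebroker/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BlazeDS endpoints</web-resource-name>
    <url-pattern>/messagebroker/*</url-pattern>
    <!-- Deliberately no <http-method> elements: listing only some
         methods would leave every unlisted method unprotected. -->
  </web-resource-collection>

  <!-- Only authenticated callers holding this role reach the services. -->
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>

  <!-- Container redirects or rejects plain-HTTP requests to these URLs. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Assumption: container-managed BASIC login; FORM is the other common choice. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>blazeds</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- Servlet 3.0+ only: keep the session cookie off plain HTTP and
     out of reach of client-side script. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```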