user1094865

JAAS, Spring Security or Apache Shiro

Just a quick question regarding security frameworks in Java.

To date JAAS has always been my go-to framework. Yes, people complain that it is very difficult to set up and it requires hooks into your underlying system, but it does its job and has the added bonus of being a specification.

That said, I have been researching other security frameworks in Java lately and the two that seem to be getting the most attention online are:

1 - Spring Security

Spring Security seems to be insanely popular but I found it a bit convoluted to work with.

2 - Apache Shiro

Apache Shiro seems to be more straightforward than Spring Security, however it seems to lack some documentation.

So my question is, of the frameworks mentioned above, do people think I should spend time learning Spring Security or Apache Shiro?

(Or should I just stick with JAAS?)

Upvotes: 11

Views: 9907

Answers (3)

tom

Reputation: 1

There is a fourth option.
In mainstream web architecture, how to protect the RESTful API provided by the back end through effective and fast authentication has become particularly important.

  1. Shiro does not natively support RESTful APIs.
  2. Spring Security is deeply bound to the Spring framework, and the learning curve is steep.

So we designed sureness. We hope to provide a security framework that is RESTful-API oriented, has no framework dependency, can dynamically modify permissions, has multiple authentication policies, and is faster and easy to use and extend. You are welcome to use it.

sureness - https://github.com/tomsun28/sureness

Upvotes: 0

Wouter

Reputation: 4016

Shiro is great if you want to use it in a mixture of web/non-web environments. It is highly customizable. We use it to do multi-tenant authorization and we also have some custom permission requirements we have implemented using Shiro.

You can also create Spring beans from almost every class in Shiro, as the code is set up very cleanly and is very usable with Spring injection (or any other dependency injection framework, I guess).

As Dev mentions, the documentation is lacking. We did a lot of reading the source code to get our fixes, so if you want to do more advanced configuration, be aware that you'll have to dive into the source.

For simple setups, the standard documentation of Shiro will help you in most cases.

IMHO Spring Security is fine, but it doesn't have the flexibility Shiro provides.

Upvotes: 8

Dev

Reputation: 6786

I personally use Apache Shiro as it is highly customizable using shiro.ini and extending prebuilt classes. Also, configuration is merely a shiro.ini file with some entries in web.xml. It has good documentation from third parties, like

http://meri-stuff.blogspot.in/2011/03/apache-shiro-part-1-basics.html

Links to the other parts are on the same page.

It can be integrated with Spring, Guice, SSO, etc., so I go with it.

Upvotes: 3
