Reputation: 325
Apache Shiro versus Spring Security
We have an existing Jetty Application using Shiro that we are moving to Spring Boot, and were wondering which is more straightforward to integrate with our Spring Application, Apache Shiro or Spring Security? We're looking into implementing OAuth2 soon, and we were recommended Spring Security since we were moving this to Spring Boot. Does anyone have any input they could give us?
Upvotes: 1
Views: 1409
Answers (2)
Reputation: 129
If you have a rather small application with not too many users and roles and don’t need to use any overly advanced features, feel free to use Java EE Security. It provides a solid base just for that. Java EE Security possibilities are quickly exhausted though. For example, you can specify only one authentication mechanism for the whole application. Also, if the application needs to be portable, one should definitely use one of the other two frameworks.
Now if there is need for a largely independent, lightweight and extensible security solution, Apache Shiro is the way to go. The downside, however, is that it might take some time to overcome problems. One might also have to implement some features by themselves. Shiro’s design (interface-driven and POJO-based) facilitates this, however.
At last, if the application is already Spring-based, one might as well stay on the train and use Spring Security, there aren’t any real downsides in this case (beside Spring Security being somewhat harder to implement). This is different for spring-less applications, even more if one never has worked with Spring before. Implementation of advanced features is even harder at first and annotations cannot be used unless Spring itself or AspectJ are included. Also, if there is need for Spring OAuth2, one must use spring-mvc, instead of Jersey or RESTeasy, to create REST resources.
With this, our comparison comes to an end. Again, a small reminder about the relativity of our observation. Experiment with the frameworks by yourself and use the one that suits your needs best.
Upvotes: 0
Reputation: 6786
As you already have Apache Shiro as your security framework. It would be wise to let it be as is. Shiro easily integrates with spring and works with OAuth2 (https://github.com/zhangkaitao/shiro-example/blob/master/shiro-example-chapter17-client/src/main/java/com/github/zhangkaitao/shiro/chapter18/oauth2/OAuth2Realm.java). In case you swith to spring security you will have to reconsider everything again and a large changeset.
Upvotes: 0
Related Questions
- Shiro or Spring Security with Ninja framework or Spark
- JAAS, Spring Security or Apache Shiro
- Spring cloud security vs Spring security
- SpringBoot with Jetty Vs Core Java with OSGI Jetty
- What are the differences between spring security providers? (Spring Roo 2 M3)
- When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
- Apache Shiro + Spring MVC
- Spring Boot with Apache Shiro
- Where does Apache Shiro belongs in a tech stack?
- Apache Shiro vs Java EE native APIs