Reputation: 51
What are disadvantages of JAAS in comparison to Spring Security/Apache Shiro?
I've been looking at several frameworks that handle authentication and authorization (Apache Shiro, Spring Security, JAAS, Apache Wicket) and am wondering about the disadvantages of JAAS.
I've been reading that it is more complicated and only provides basic security, but I don't quite understand what that means. Also, I've heard to not use it if the application needs to be ported to another system - why is that?
Upvotes: 0
Views: 526
Answers (1)
Reputation: 310985
'It provides only basic security' is nonsense. JAAS is a framework within which you can write whatever you need, so it therefore can provide whatever you want it to provide, from simple authentication to any level of role-based authorization, in association with Container Managed Authentication, which IMHO is the only sane way to manage web-app security.
The JAAS programming model I find a little odd, kind of inside-out, but you can do very powerful things with it: for example I built a webapp that would accept a login via either form, session ticket, expiring auto-login token (e.g. for password reset), or client SSL certificate, and in fact it is ideal for scenarios like this.
Upvotes: 0
Related Questions
- JAAS, Spring Security or Apache Shiro
- What is the difference between JAAS and JAAP?
- When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
- High level Java security framework
- Is Spring Security JAAS-based?
- What are pros and cons of using Spring in Swing based frontend
- what Spring Security make it worth to use?
- "Spring Security" and "Java Authentication and Authorization Service(jaas)"
- Advantages of SCA over Spring?
- Why to use Spring not JSF (Advantages of spring over JSF)?