I am programming a web application with Java EE, JSF and Hibernate. I do not use Spring or EJB! Now I am at the point where I need to implement authentication and authorization. I need to access an Active Directory or LDAP. And I want to implement my own roles, which are not retrieved from the AD/LDAP.
My question is: What's the easiest way to implement that? Should I use a framework like JAAS/Apache Shiro? And which one is best for my intentions?
About the little role concept: I planned to set up a property file, where I can configure the roles. I have only a few roles, so a big concept is not that necessary?!
I would be very glad of any recommendation or suggestion.
It is definitely not true that "Spring Security is the single most versatile auth / auth provider there is" - that's just unfounded hype.
Apache Shiro can handle more use cases than Spring Security, if only because SS doesn't support enterprise session management or have simplified cryptography out of the box (Shiro does). Shiro also supports a much finer-grained security model out of the box (e.g. Shiro's WildcardPermission). Shiro also does LDAP and Active Directory. Also note that Shiro was built from day one with architectural foundations to work in any application environment, not just Spring applications (but it excels in Spring apps for sure). The same cannot be said of Spring Security (it was indeed built initially for only Spring applications).
As far as a small number of users and/or roles, you can easily do that in the shiro.ini file. For example:
    [main]
    ...

    [users]
    jsmith = password, role1
    ajones = anotherPassword, role1, role2

    [roles]
    role1 = perm1, perm2, ..., permN
    role2 = permA, permB, ..., permZ
At the end of the day, both Apache Shiro and Spring Security are great frameworks - both stand well on their own merits. Your choice should be based on which one fits your mental model better (which interfaces and class names make more sense? Which is easier for you to understand and use?)
Cheers,
Les
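The [users]/[roles] layout from the answer above, loaded into Shiro and checked against wildcard permissions. This is an added example, not code from the answer or from the Shiro project; the class name, the role names (viewer, editor), the permission strings and the passwords are constructed, and it runs standalone rather than inside a JSF web environment.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroIniRolesDemo {

    // Constructed sample in the answer's shiro.ini format. Commas separate
    // the entries of a line, so a single permission string contains none here.
    static final String INI = String.join("\n",
        "[users]",
        "jsmith = password, viewer",
        "ajones = anotherPassword, viewer, editor",
        "[roles]",
        "viewer = report:read",
        "editor = report:*");

    static DefaultSecurityManager securityManager() {
        Ini ini = new Ini();
        ini.load(INI);
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Returns an authenticated Subject, or null when the credentials are rejected.
    static Subject login(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return subject;
        } catch (AuthenticationException e) {
            return null; // unknown account or wrong password: deny
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = securityManager();
        Subject jsmith = login(sm, "jsmith", "password");
        Subject ajones = login(sm, "ajones", "anotherPassword");

        // Role check: jsmith holds only "viewer".
        System.out.println("jsmith editor role: " + jsmith.hasRole("editor"));
        // "report:read" also covers a specific instance such as report:read:42.
        System.out.println("jsmith read 42:  " + jsmith.isPermitted("report:read:42"));
        // Writing needs "report:write" or a wildcard such as "report:*".
        System.out.println("jsmith write 42: " + jsmith.isPermitted("report:write:42"));
        System.out.println("ajones write 42: " + ajones.isPermitted("report:write:42"));
        System.out.println("bad password rejected: " + (login(sm, "jsmith", "wrong") == null));
    }
}
```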
I studied a little bit and I like Apache Shiro. The problem I have is that there are no good tutorials or how-tos...
Here's a little example of how easily Shiro works: link
Whether you use the spring container for your application or not (you should :-)), Spring Security is the single most versatile auth / auth provider there is. Here is a brief overview of what it can do.
(You can use spring security even if you don't use spring for the rest of your app)