 

Is Spring Security worth the effort?

I've been looking over Spring Security and noticing how it's a pretty big package. I'm wondering if it's worth the effort to take the time to ramp up on this.

Has Spring Security 2.0+ saved you a large amount of time, or has it simplified your project in any way?

clarson asked Mar 19 '26 05:03



2 Answers

I considered using it for a Spring project a couple of years back, and opted against it because it was a tremendously heavy and complex framework and the flexibility that it provides just wasn't necessary IMHO. It was (in my estimation) less effort to roll our own authentication/authorization. Don't misinterpret this as meaning that it was a trivial effort; effective security never is.

From a risk standpoint, I didn't understand it deep down after spending some time with the documentation, and decided that the complexity represented a significant risk of misconfiguration. It may be "better" than what we built, but if we didn't understand how to use and configure it properly, then it wasn't going to live up to its potential. A custom-implemented (and possibly "inferior") security module that I understand inside-out is less concerning.

Disclaimer: Spring Security was still called Acegi at the time, and the current technology may well have changed along with the name.

G__ answered Mar 20 '26 19:03



Has spring security 2.0+ saved you a large amount of time, or has it simplified your project in any way?

For my project, yes and yes.

It very much depends on how simple or complex your security requirements are.

  • If you only need to do simple things, you can get away with only reading the small part of the SpringSecurity documentation that is relevant to your problem. Or just borrow stuff from the samples.

  • If you are doing complicated things like talking to an enterprise LDAP service or using OpenID, then using SpringSecurity is going to be much simpler than implementing things yourself starting from (non-Spring) third-party libraries.

In my experience, decent website security is complicated and time-consuming, no matter how you implement it.

Stephen C answered Mar 20 '26 20:03
