Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is Apache Shiro correct choice for my case?

Tags:

java

authentication

authorization

shiro

I'm trying to implement a modular authentication/authorization app. I was wondering if Shiro is the correct choice. What I want to get is to have a system to which I can plug in and maybe in later time exchange some authentication endpoints and also authorization endpoints. I want to be able to use shiro for authentication (for example I would implement facebook plugin for shiro, or ldap plugin for shiro and I can easly plug it into my authentication/authorization app). I also may want to have authorization implemented using different framework than shiro.

I was wondering if shiro with it's custom session and it's subjects and realms is capable of doing such things as I described ? Currently I see Shiro as very dynamic framework, which allows to do such things, but I might be wrong because I never use earlier. Custom authentication modules (imo) might be plugged in as new realms, but I'm not sure if this will work with authorization?

I also don't understand how shiro roles and permission system may be used when I want to setup restrictions to web application, for example I want to give restrictions to the given url / group of urls. I think that the only way to implement that is to create a custom mapper which will map given role to permissions. For example in some database I will have all urls, and in separate table I will have list of roles. Then I will add to every role a group of URLs. I don't see how could I use shiro permission system to implement URL restrictions.

Please tell me if shiro is a good choice, or maybe I should go into other framework (spring security maybe?)

like image 572
Ma Kro Avatar asked Oct 20 '22 21:10

Ma Kro

1 Answers

I find myself in your position now, I have to choose between Shiro and Spring Security.

I was able to implement what have you described with both tools but from what I have learned so far is that SS has a more loose coupled architecture thus more extensible to your specific needs and easier to customize.

One reason behind my opinion is that implementing certain feature I need, access policy for a role, was much easier using SS.

So between Shiro, SS, Heras, OACC, OWASP... Shiro is a second solution and SS would be the first.

like image 62
aurelius Avatar answered Oct 26 '22 23:10

aurelius
Sign in to Comment

Related questions

Read from InputStream using read vs. IOUtils.copy
Java Generics: Cannot create an array of a nested class
Find websocket session by id in Java EE 7
How to customize property name in JAXB?
Application icon doesn't show up in Android action bar
How to switch Hibernate from jboss-logging to logback?
Appending One File to Another in Java - Why Does My Code Overwrite?
Implement A Spring Batch Progress Bar - Get total row count on Job Execution
Does not Java create heapdump when native allocation fails
Storing log file in AWS S3 from Spring boot application
Lower bounded wildcard
How to set database password in sqlite JDBC?
How do I call a Clojure function that takes a two-dimensional array of Strings from Java?
The executable generated by install4j doesnt start
NoSuchMethodException while calling GeometryJSON().read()
Wait for user input while debugging on IntelliJ IDEA and Gradle
How to use jmeter 3.2 with jmeter-maven-plugin?
Calculation of intersections between line segments
How to access role in JSP using spring security?
how to use the InputSupplier or OutputSupplier api of Guava?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!