Is Apache Shiro correct choice for my case?

I'm trying to implement a modular authentication/authorization app. I was wondering if Shiro is the correct choice. What I want to get is a system into which I can plug in, and maybe at a later time exchange, some authentication endpoints and also authorization endpoints. I want to be able to use Shiro for authentication (for example, I would implement a Facebook plugin for Shiro, or an LDAP plugin for Shiro, and I can easily plug it into my authentication/authorization app). I also may want to have authorization implemented using a different framework than Shiro.

I was wondering if Shiro, with its custom session and its subjects and realms, is capable of doing such things as I described? Currently I see Shiro as a very dynamic framework which allows doing such things, but I might be wrong because I have never used it before. Custom authentication modules (imo) might be plugged in as new realms, but I'm not sure if this will work with authorization?

I also don't understand how the Shiro roles and permission system may be used when I want to set up restrictions in a web application, for example when I want to restrict a given URL / group of URLs. I think that the only way to implement that is to create a custom mapper which will map a given role to permissions. For example, in some database I will have all URLs, and in a separate table I will have the list of roles. Then I will add to every role a group of URLs. I don't see how I could use the Shiro permission system to implement URL restrictions.

Please tell me if Shiro is a good choice, or whether I should go for another framework (Spring Security maybe?).

Ma Kro asked Oct 20 '22 21:10
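Shiro's own way to express the URL-to-role mapping described in the question is the `[urls]` filter-chain section of `shiro.ini`, where each path pattern is guarded by role or permission filters instead of a hand-written mapper. The configuration below is an added example, not code from the question or the answer; the paths, accounts, passwords and role names are constructed placeholders.

```ini
# Added example: URL restrictions through Shiro's filter chains.
# All paths, users, passwords and roles here are constructed placeholders.
[main]
# where the authc filter sends unauthenticated requests
authc.loginUrl = /login

[users]
# username = password, role1, role2 ...  (constructed sample accounts;
# a production deployment would back this with a realm over a database or LDAP)
alice = changeme, admin
bob = changeme, reporter

[roles]
# role = comma-separated permissions in Shiro's wildcard syntax
admin = *
reporter = report:read

[urls]
# evaluated top to bottom, first matching pattern wins
/login = authc
/static/** = anon
# a group of URLs restricted to one role
/admin/** = authc, roles[admin]
# a group of URLs restricted by permission, so the URL is decoupled
# from the role name and roles can be re-mapped without touching this file
/reports/** = authc, perms["report:read"]
# explicit catch-all so an unlisted URL is never left unprotected by mistake
/** = authc
```

Because the chain is first-match, the `/**` catch-all must stay last; placing it earlier would shadow the role and permission rules below it.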


1 Answer

I find myself in your position now: I have to choose between Shiro and Spring Security.

I was able to implement what you have described with both tools, but from what I have learned so far, SS has a more loosely coupled architecture, thus it is more extensible to your specific needs and easier to customize.

One reason behind my opinion is that implementing a certain feature I need, an access policy for a role, was much easier using SS.

So between Shiro, SS, Heras, OACC, OWASP... Shiro is the second solution and SS would be the first.

aurelius answered Oct 26 '22 23:10