
Web Application - Authentication / Login Framework [closed]

This is a very simple, probably a most asked question and frequently developed as part of any web application. Say I'm planning to build a web application and some of the functional requirements include (apart from the usual hard hitting security reqs):

- Need to have users sign up for a new account profile
- Authenticate user using the native app authentication / Facebook or Google or Yahoo or OpenId login
- Allow lost password retrieval
- Session handling needs

Are there any out-of-the-box frameworks (Drupal, Liferay, Tapestry with Tynamo, Wicket?) that I can use to wrap my application, which can be a bunch of JSPs or HTMLs with JS? I know I'm asking a very simple and maybe a naive question. But this is a topic every web developer guru will go through. Any help, advice and pointers much appreciated.

user456563 asked Jan 16 '11 17:01



1 Answer

I'd recommend taking a look at Apache Shiro: http://shiro.apache.org/

It handles the security portion of your application and gives you a great deal of flexibility in how to secure things. For example, you can add an annotation to secure individual methods (for example: you can't run this method unless you are an admin), individual pages (for example: you can't load this page unless you are an admin), and URL patterns (you must be admin to access anything containing /admin/* in the URL).

Given how complex it can be to do security right, Shiro is very simple to use. It may take just a bit to get your head around some of the concepts initially, but Shiro does a very good job of hiding as much of the complexity as possible. Also the user list is very responsive and extremely helpful.

If you use Tapestry, you might look at http://tynamo.org/tapestry-security+guide. It makes it very easy to get Shiro up and running in a Tapestry application and gives you some easy-to-use tags for your templates.

Shiro isn't going to give you OpenID, OAuth or Facebook integration out of the box, but chances are high you will need to customize that part to your application. I believe there is some work being done to help integrate functions that will help enable these types of authentication into the framework.

Some of the frameworks that build on Shiro may offer more of what you are looking for. For example, http://tynamo.org/tynamo-federatedaccounts+guide will give you more support for federated logins in a Tapestry application. It is still in the early stages, but might be worth looking at if you are using Tapestry. Even if it doesn't do exactly what you need, it might provide some good examples to look at.

You also might be interested in: http://static.springsource.org/spring-security/site/

As a side note: In addition to security there are probably a bunch of other technologies that you will need in a typical web project. You may need security, persistence, basic user management, etc. If you create many web applications, it might be worth creating a Maven archetype that lets you quickly get a new basic application up and running so you can start coding with all the initial structure already in place. AppFuse tries to do this, but it aims more at allowing you many different choices when it comes to web frameworks. If you know what technology you are going to use, having a startup app that is customized for your needs can be a huge timesaver.

Mark answered Nov 12 '22 05:11
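The admin-only method check described in the answer above, as an added example that is not part of the original answer or the Shiro project's own code. It assumes `shiro-core` is on the classpath; the class name, the `deleteAccount` operation, and the accounts and passwords are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ShiroRoleCheckDemo {

    // Hypothetical protected operation. With a framework integration that
    // installs Shiro's annotation interceptors, @RequiresRoles("admin") on
    // the method takes the place of the explicit checkRole call.
    static String deleteAccount(String target) {
        SecurityUtils.getSubject().checkRole("admin"); // throws if the role is missing
        return "deleted " + target;
    }

    // Logs in, tries the admin-only operation, and reports which layer
    // (authentication or authorization) stopped the request, if any.
    static String attempt(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return user + ": " + deleteAccount("some-account");
        } catch (AuthenticationException e) {
            return user + ": login rejected";
        } catch (AuthorizationException e) {
            return user + ": authenticated but not authorized";
        } finally {
            subject.logout(); // clear identity so the next attempt starts anonymous
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory accounts for the demo only; a production realm
        // looks users up in a store that holds salted password hashes.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-demo-pw", "admin");
        realm.addAccount("bob", "bob-demo-pw", "user");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        System.out.println(attempt("alice", "alice-demo-pw")); // admin role present
        System.out.println(attempt("bob", "bob-demo-pw"));     // valid login, role missing
        System.out.println(attempt("bob", "wrong-password"));  // credentials rejected
    }
}
```

Keeping the authentication and authorization failures in separate catch branches lets the application log and respond to them differently, for example a 401 for a failed login and a 403 for a missing role.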