When to move from Container managed security to alternatives like Apache Shiro, Spring Security?

java security jsf jaas shiro
Rajat Gupta picture Rajat Gupta · Oct 16, 2011 · Viewed 9.4k times · Source

I am trying to secure my application which is built using JSF2.0.

I am confused about when do people choose to go with security alternatives like Shiro, Spring Security or owasp's esapi leaving behind container managed security. Having seen some of related questions on Stack Overflow, where I realized that container based security was more preferred by JSF developers in past. But I have also been strongly recommended to use Apache Shiro. I am novice in terms of the security issues and have no idea what may be the relevant issues & how to deal with them. Therefore I'm looking for something that handles most of the security issues through its default settings/ on its own.

In terms of my application requirements, I have a social application where users with different roles have access to different set of pages and can use different levels of functionality on those pages based on their roles.

In that case what do you think could be a good option for me to go with ?

I personally have been convinced to opt Shiro since it is easy to use and takes care of most of the things for the novice.

Answer

brcosta picture brcosta · Oct 16, 2011

What I like about Shiro is that it's really ease to setup permission based security. JAAS is heavily role based which is a granularity that ironically is more useful to consumer webapps than to enterprise apps (as we can notice from your requirements).

  • It's common for an application server to provide some services on top of JAAS, like single sign on, built in loginmodules, etc, so sometimes when permission granularity isn't a requirement, you should go for JAAS.

  • Last time I checked Shiro also didn't supported mutual ssl authentication (using digital certificates), but you probably wouldn't be using that...

  • If you use Shiro your app will probably be more portable between application servers / servlet containers (oh, the irony!), as JavaEE security configuration tends to be vendor specific for most non-trivial setups.

All in all, based on the requirements you specified:

  • Using an AppServer (GlassFish, JBoss): JAAS (ootb authc/authz, built-in loginmodules)
  • Using a Servlet Container (Jetty/Tomcat): Shiro (easier to setup and use)

Hope it helps :)

Related questions

Glassfish 3 security - Form based authentication using a JDBC Realm

I want to understand form based security and JDBC realms with glassfishV3, so i decided to create a little app that just allows to sign in and out, i followed the instructions from this book to do so. I understand …

Read More
Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More
Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to …

Read More