JAAS, Spring Security or Apache Shiro

user1094865 picture user1094865 · Jan 4, 2016 · Viewed 9k times · Source

Just a quick question regarding security frameworks in java.

To date JAAS has always been my go to framework. Yes people complain that it is very difficult to setup and it requires hooks into your underlying system but it does it's job and has the added bonus of being a specification.

That said I have been researching other security frameworks in Java lately and the two that seem to be getting the most attention online are :

1 - Spring Security

Spring Security seems to be insanely popular but I found it a bit convoluted to work with.

2 - Apache Shiro

Apache Shiro seems to be more straight forward than Spring Security, however it seems to lack some documentation.

So my question is, of the frameworks mentioned above do people think I should spend time learning Spring Security or Apache Shiro?

(Or should I just stick with JAAS?)

Answer

Wouter picture Wouter · Jan 5, 2016

Shiro is great if you want to use it in a mixture of web/non-web environments. It is highly customizable. We use it to do multi-tennant authorization and we also have some custom permission requirements we have implemented using shiro.

You can also create spring beans from almost every class in shiro as the code is setup very cleanly and is very usable with spring injection (or any other dependency injection framework I guess).

As dev mentions, the documentation is lacking. We did a lot of reading the source code to get our fixes, so if you want to do more advanced configuration, be aware that you'll have to dive into the source.

For simple setups, the standard documentation of shiro will help you in most cases.

Imho spring security is fine, but it doesnt have the flexibility shiro provides.