When to move from Container managed security to alternatives like Apache Shiro, Spring Security?

by

What I like about Shiro is that it’s really ease to setup permission based security. JAAS is heavily role based which is a granularity that ironically is more useful to consumer webapps than to enterprise apps (as we can notice from your requirements).

  • It’s common for an application server to provide some services on top of JAAS, like single sign on, built in loginmodules, etc, so sometimes when permission granularity isn’t a requirement, you should go for JAAS.

  • Last time I checked Shiro also didn’t supported mutual ssl authentication (using digital certificates), but you probably wouldn’t be using that…

  • If you use Shiro your app will probably be more portable between application servers / servlet containers (oh, the irony!), as JavaEE security configuration tends to be vendor specific for most non-trivial setups.

All in all, based on the requirements you specified:

  • Using an AppServer (GlassFish, JBoss): JAAS (ootb authc/authz, built-in loginmodules)
  • Using a Servlet Container (Jetty/Tomcat): Shiro (easier to setup and use)

Hope it helps 🙂

More Related Contents:

  1. How to implement a possibility for user to post some html-formatted data in a safe way?
  2. JAAS for human beings
  3. Why is char[] preferred over String for passwords?
  4. PreparedStatement IN clause alternatives?
  5. What components are MVC in JSF MVC framework?
  6. How to retrieve a file from a server via SFTP?
  7. Encrypt Password in Configuration Files? [closed]
  8. How to deal with a slow SecureRandom generator?
  9. Allowing Java to use an untrusted certificate for SSL/HTTPS connection
  10. Difference between java.util.Random and java.security.SecureRandom
  11. Execute managebean method from javascript onload event
  12. How do I create a Java sandbox?
  13. JSF 2.0 set locale throughout session from browser and programmatically [duplicate]
  14. How can i programmatically upload a file to a website?
  15. JSF 2: How show different ajax status in same input?
  16. How can I show/hide component with JSF?
  17. what is none scope bean and when to use it?
  18. Unit testing with Spring Security
  19. How can I construct a java.security.PublicKey object from a base64 encoded string?
  20. Disable Java reflection for the current thread
  21. Where is Visual Web Editor for JavaServer Faces on Netbeans
  22. How do you configure HttpOnly cookies in tomcat / java webapps?
  23. Prevent XXE Attack with JAXB
  24. Application vulnerability due to Non Random Hash Functions
  25. Concatenate strings in JSF/JSP EL and Javascript [duplicate]
  26. Recursion in JSF (c:forEach vs. ui:repeat)
  27. How to hash a password with SHA-512 in Java?
  28. Using Apache httpclient for https
  29. How to obtain the location of cacerts of the default java installation?
  30. What is the best practice for securely storing passwords in Java

Leave a Comment