What I like about Shiro is that it's really easy to set up permission-based security. JAAS is heavily role-based, which is a granularity that ironically is more useful to consumer webapps than to enterprise apps (as we can notice from your requirements).
It's common for an application server to provide some services on top of JAAS, like single sign-on, built-in login modules, etc., so sometimes, when permission granularity isn't a requirement, you should go for JAAS.
Last time I checked, Shiro also didn't support mutual SSL authentication (using digital certificates), but you probably wouldn't be using that…
If you use Shiro, your app will probably be more portable between application servers / servlet containers (oh, the irony!), as Java EE security configuration tends to be vendor-specific for most non-trivial setups.
All in all, based on the requirements you specified:
- Using an AppServer (GlassFish, JBoss): JAAS (ootb authc/authz, built-in login modules)
- Using a Servlet Container (Jetty/Tomcat): Shiro (easier to setup and use)
Hope it helps 🙂
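To make the permission-vs-role distinction from the answer above concrete, here is an added example that is not part of the original answer or of the Shiro project's own code. It builds a standalone Shiro `SecurityManager` backed by an in-memory `IniRealm`, logs two users in, and compares a coarse `hasRole` check with fine-grained `isPermitted` checks against Shiro wildcard permissions. The users, passwords, roles and `printer:...` permission strings are invented for illustration; the code assumes `shiro-core` 1.x on the classpath.

```java
// Added example (not from the original answer): Shiro permission-based checks vs
// role checks, using an in-memory IniRealm. Users, roles and permissions below are
// invented for illustration. Assumes shiro-core 1.x on the classpath.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroPermissionDemo {

    // Constructed configuration. Plain-text passwords are for the demo only; a real
    // realm should use a HashedCredentialsMatcher or an external credential store.
    // [users]: username = password, role1, role2 ...
    // [roles]: role = permission1, permission2 ...
    private static final String INI =
        "[users]\n" +
        "alice = alicePass, operator\n" +
        "bob = bobPass, admin\n" +
        "\n" +
        "[roles]\n" +
        "operator = printer:print:*, printer:query:*\n" +
        "admin = printer:*\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // One realm, one SecurityManager, bound statically for this standalone app.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        check("alice", "alicePass");  // operator: may print, may not manage
        check("bob", "bobPass");      // admin: printer:* covers every printer action
        check("alice", "wrongPass");  // authentication failure path
    }

    private static void check(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            // Shiro throws subclasses such as IncorrectCredentialsException or
            // UnknownAccountException; do not leak which one to end users.
            System.out.println(user + ": authentication failed ("
                + e.getClass().getSimpleName() + ")");
            return;
        }

        // Role check: coarse, answers only "does this user hold the operator role?"
        System.out.println(user + " hasRole(operator) = " + subject.hasRole("operator"));

        // Permission checks: fine-grained, resolved against the wildcard permissions
        // granted through the user's roles (domain:action:instance).
        System.out.println(user + " isPermitted(printer:print:lp7200) = "
            + subject.isPermitted("printer:print:lp7200"));
        System.out.println(user + " isPermitted(printer:manage:lp7200) = "
            + subject.isPermitted("printer:manage:lp7200"));

        subject.logout();
    }
}
```

The point to notice is that `alice` and `bob` would both pass a JAAS-style "is the caller in role X" gate if the application only distinguished "operator" from "admin", whereas the permission strings let the realm say that `operator` may `printer:print` and `printer:query` but not `printer:manage`, and that `printer:*` for `admin` implies any action on any printer. Changing what an operator may do is then a configuration change in the realm, not a code change at every call site.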