Login/Register
When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
Asked Answered
Solved javasecurityjsfjaasshiro
B

3

19

I am trying to secure my application which is built using JSF2.0.

I am confused about when do people choose to go with security alternatives like Shiro, Spring Security or owasp's esapi leaving behind container managed security. Having seen some of related questions on Stack Overflow, where I realized that container based security was more preferred by JSF developers in past. But I have also been strongly recommended to use Apache Shiro. I am novice in terms of the security issues and have no idea what may be the relevant issues & how to deal with them. Therefore I'm looking for something that handles most of the security issues through its default settings/ on its own.

In terms of my application requirements, I have a social application where users with different roles have access to different set of pages and can use different levels of functionality on those pages based on their roles.

In that case what do you think could be a good option for me to go with ?

I personally have been convinced to opt Shiro since it is easy to use and takes care of most of the things for the novice.

Bidle answered 16/10, 2011 at 6:17 Comment(6)
Who strongly recommended it and what reasons did they give?Electrolyte
reasons were: "with shiro it is quite easy to configure security, shiro takes care of most of the issues through its default settings, , existing Java security mechanisms like JAAS are too confusing etc etc. and it is more suitable for a novices like me who dont know much about security issues"Bidle
Good, so assuming all that is true, what exactly is your question?Electrolyte
Thanks! I wanted to know: 1.) whether this really hold true according to you all ? 2.) in what cases people consider moving from container managed security to other solutions like Spring security/shiro 3.) any disadvantages to migrating to alternatives like shiro for a JSF app?Bidle
'It' being what? Shiro? JAAS? CMA?Electrolyte
This old question would be closed as primarily opinion based these days. However, this would be a good duplicate as it's very objective on the matter: stackoverflow.com/questions/9965708/… user01, is this acceptable as dupe?Idell
E
4

I know exactly nothing about Apache Shiro except as follows, but what you have quoted comes practically verbatim from their Web page, which contains several mis-statements such as '[JAAS] required static definitions that only programmers could change', and 'JAAS is tied too heavily tied to virtual machine-level concerns', and the implication that JAAS isn't about users and roles, which is simply false. I would want a lot of convincing to move away from container managed security. It's part of the Servlet Specification, so it has to be supported by any container; it's well understood; it is supported by JDK classes with no 3rd parties; ... and it works for me ;-)

Electrolyte answered 16/10, 2011 at 9:29 Comment(8)
but from what I have heard, container managed security doesn't cover everything that can fulfill a web app 's demand for security and it is not very easy for novices(in web security domain), to configure ? I guess these are the limitations/ disadvantages of the same!?Bidle
@Marcos, that's right, you're guessing. I would start by defining your actual requirements and then seeing which systems can support them. At the moment you're just reiterating the advertising.Electrolyte
may be.. but i just intended to hear the opinion of experts about this before i had started with anything particular.Bidle
@EJB regarding your comment, "it's well understood": In my experience, nothing can be further from the truth. Every time I present Shiro around the country, I ask the audience "How many people here use JAAS?". On average - and this isn't an exaggeration - around 5 people out of 100 raise their hand. Yes, that's right, 5%. When asked a follow up question, "How many like it?" Those 5 always put their hands down. Not one hand stays up. Shiro is way easier to use than JAAS. Before you write off a solution, which you say you know nothing of, I'd recommend trying it out first :)Timberhead
@LesHazlewood I don't see where I have written anything off. What I have done is expressed some reasonable scepticism about a system that markets itself with false claims.Electrolyte
@EJB You made a judgement about whether or not the OP should use Shiro 'without knowing exactly nothing about Apache Shiro'. And the claims are not false: Java security policy files are static and require programmers to change them, ProtectionDomain and CodeSource are very VM-specific concerns. And no implication was made about users/roles - just that the way JAAS supports them are hard to use compared to Shiro. Cheers!Timberhead
@LesHazlewood You continue to put words into my mouth. I expressed no judgment about the OP and Shiro whatsoever. I made a statement about me wanting 'a lot of convincing to move away from container managed security', which is something I evidently know a lot more about than is expressed in the Shiro citation. I stand by it.Electrolyte
@LesHazlewood The problem is that JAAS is not the general security framework in Java EE. In fact, JAAS is hardly being mentioned in the Java EE spec. Only JASPIC defines a bridge profile, where JAAS is used for nothing more than a mere user/roles provider.Schrock
M
17

What I like about Shiro is that it's really ease to setup permission based security. JAAS is heavily role based which is a granularity that ironically is more useful to consumer webapps than to enterprise apps (as we can notice from your requirements).

  • It's common for an application server to provide some services on top of JAAS, like single sign on, built in loginmodules, etc, so sometimes when permission granularity isn't a requirement, you should go for JAAS.

  • Last time I checked Shiro also didn't supported mutual ssl authentication (using digital certificates), but you probably wouldn't be using that...

  • If you use Shiro your app will probably be more portable between application servers / servlet containers (oh, the irony!), as JavaEE security configuration tends to be vendor specific for most non-trivial setups.

All in all, based on the requirements you specified:

  • Using an AppServer (GlassFish, JBoss): JAAS (ootb authc/authz, built-in loginmodules)
  • Using a Servlet Container (Jetty/Tomcat): Shiro (easier to setup and use)

Hope it helps :)

Moorhead answered 16/10, 2011 at 6:17 Comment(0)
E
4

I know exactly nothing about Apache Shiro except as follows, but what you have quoted comes practically verbatim from their Web page, which contains several mis-statements such as '[JAAS] required static definitions that only programmers could change', and 'JAAS is tied too heavily tied to virtual machine-level concerns', and the implication that JAAS isn't about users and roles, which is simply false. I would want a lot of convincing to move away from container managed security. It's part of the Servlet Specification, so it has to be supported by any container; it's well understood; it is supported by JDK classes with no 3rd parties; ... and it works for me ;-)

Electrolyte answered 16/10, 2011 at 9:29 Comment(8)
but from what I have heard, container managed security doesn't cover everything that can fulfill a web app 's demand for security and it is not very easy for novices(in web security domain), to configure ? I guess these are the limitations/ disadvantages of the same!?Bidle
@Marcos, that's right, you're guessing. I would start by defining your actual requirements and then seeing which systems can support them. At the moment you're just reiterating the advertising.Electrolyte
may be.. but i just intended to hear the opinion of experts about this before i had started with anything particular.Bidle
@EJB regarding your comment, "it's well understood": In my experience, nothing can be further from the truth. Every time I present Shiro around the country, I ask the audience "How many people here use JAAS?". On average - and this isn't an exaggeration - around 5 people out of 100 raise their hand. Yes, that's right, 5%. When asked a follow up question, "How many like it?" Those 5 always put their hands down. Not one hand stays up. Shiro is way easier to use than JAAS. Before you write off a solution, which you say you know nothing of, I'd recommend trying it out first :)Timberhead
@LesHazlewood I don't see where I have written anything off. What I have done is expressed some reasonable scepticism about a system that markets itself with false claims.Electrolyte
@EJB You made a judgement about whether or not the OP should use Shiro 'without knowing exactly nothing about Apache Shiro'. And the claims are not false: Java security policy files are static and require programmers to change them, ProtectionDomain and CodeSource are very VM-specific concerns. And no implication was made about users/roles - just that the way JAAS supports them are hard to use compared to Shiro. Cheers!Timberhead
@LesHazlewood You continue to put words into my mouth. I expressed no judgment about the OP and Shiro whatsoever. I made a statement about me wanting 'a lot of convincing to move away from container managed security', which is something I evidently know a lot more about than is expressed in the Shiro citation. I stand by it.Electrolyte
@LesHazlewood The problem is that JAAS is not the general security framework in Java EE. In fact, JAAS is hardly being mentioned in the Java EE spec. Only JASPIC defines a bridge profile, where JAAS is used for nothing more than a mere user/roles provider.Schrock
A
2

I have decided that SpringSecurity (SS) is going to be our Authentication and Authorization framework. Mainly because SS does OpenID and OAuth. I will have to customize it though for the permissions/group/user/entity system quite a bit. I plan on doing authorization at the 'EntityManager/Entity' level, Service Level, and the Web/API levels. "Lock the door, but have your jewels in a 3 ton safe in the back room" A lot of the last half Shiro handles MUCH better. But I don't fell as comfortable trying to integrate openid4j/openauth4j into Shiro.

It would be REALLY nice to pick and choose the features of both, without any interference or code bloat. THAT's the best choice.

PS, Spring brings a lot of other things to the plate, also, like integration with JSF, so it has a lot of appeal.

Ardehs answered 28/12, 2012 at 2:52 Comment(1)
Yes, the unifying interface for onLogin, onLogout, onCSRF, onHttpBasic and other events for security providing features with additional specific implementation of SecurityProvider parameter, such as JAAS, CMA, Shiro, Spring Security and others could be existed somewhere for your nice idea and I did not find it yet.Embed

© 2022 - 2024 — McMap. All rights reserved.