I'm looking for a secure user login/session management component for a public web app. Spring Security seems to have potential; are there any other high-quality alternatives?

Conceptually this is easy and we currently have code that works fine, but I'd rather be using code that has been publicly reviewed for security flaws.

Needs:

  • Login
  • Logout
  • Secure session token management (token not guessable)
  • Session expiration
  • Java/Tomcat support
+3  A: 

Apache Shiro, formerly known as Ki and JSecurity before that, "is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography." It's been around for a while (first public release on 04/18/2006) and is currently in the Apache incubator. Just thought I'd mention it as an alternative to Spring Security (though I prefer Spring Security myself).

John Wagenleitner
A: 

If Tomcat isn't a hard requirement, you could consider deploying your application on Sun's Glassfish server. Glassfish is the reference implementation for Java EE technologies, which includes support for security. Glassfish has a solid reputation and scores high on ease of administration.

Jim Ferrans
A: 

Spring Security, formerly Acegi, is another open source option. If you are using Spring, this is a great option.

hank hill