+4  Q: 

Grails security

Which is the best security solution for Grails among Acegi, JSecurity and Stark Security?

regards

Josh

+5  A: 

JSecurity actually became an Apache project under the name Apache Ki a while ago and they weren't happy with the name change for some reason and changed it to Apache Shiro soon after that. Also, Stark is just a Grails plugin wrapper for Spring Security, and Acegi is the origin of the Spring Security project.

So which one to use?

Firstly, Spring Security is a mature security API and already widely used, so from a stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit in this since, as far as I know, it's still lacking in widespread adoption.

Secondly, the way the security framework actually behaves is quite important; it has to be able to enable you to do your favorite scheme of securing your application. For example, while some people like the way Shiro works (see this tutorial, esp. the part under the headline "Quickstart.java"), others couldn't live without Spring Security's Spring-esque stuff and so on and so forth. Basically you need to try both and figure out if they meet your needs from a usability point of view.

Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure, Shiro is most likely secure because no widespread adoption hides security issues easily, see for example Firefox vulnerabilities to see how increased user base starts to affect the actual security of the application in the long run.

To end this, if I had to choose for you, I'd pick Spring Security because it's widely used, it's guaranteed to be secure and already integrated with Grails. JSecurity/Ki/Shiro isn't bad at all and I've used it for a while, but at the moment it's in some sort of limbo state for who knows what reason and for a security framework that's just unacceptable.

Esko
+5  A: 

Esko's answer is great and comprehensive. I did an evaluation of the different frameworks a month ago, and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with the ability to create complex authorization requirements. JSecurity's model is very simple, yet very powerful.

What finally convinced me, though, is the Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc., and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenId, Facebook, and others.

If Nimble worked for SpringSecurity, I would have probably chosen it, but I saw it as a huge win for me.

Jean Barmash
A: 

Thanks guys for your responses. I actually tried Spring Security on a Grails application. The Grails plugin makes it quite easy to use.

regards.

Josh

Joshua Kamau
Psst, SO etiquette is that you select one of the answers as the "correct" one (*green checkmark under the up/downvote counter*) after you feel like you've given one. I know, sometimes it's hard because there are so many good answers, but it will help everyone in the future, especially those who don't have time to read every single word related to the question.
Esko