Using Spring Security with EJB or Spring?

Question

I wanted to build an application based on Java EE 6, but the security mechanisms of Java EE are not sufficient and a pain to with for my needs. Spring Security seems the best way to secure my application. Now I wonder if Spring Security + EJB is a good combination or if I should be better use Spring only.

I need method interception, ACLs and possibly URL pattern access control. The main problem I see is to use EJB interception with Spring Security. It is a problem? What other areas could be problematic?

Would you prefer Spring Security + EJB or Spring Security + Spring (only)?

As skaffman said the real question is Java EE vs. Spring. There is a nice comparison from JBoss.

Answer 1

I am not very familiar with EJB but my understanding has always been that it is essentially a data-access technology, or a way to distribute services.

Spring itself, and the Spring Security module, is designed to be very lightweight and unobtrusive. If you are building a web application and using Spring Security for logins/security, then it doesn't care or even know if you are using EJB vs JDBC vs remoting technologies etc.

Answer 2

Spring Security is distinct from the Spring Framework. They work well together, but Spring Security does not require you to use the Spring Framework underneath.

So in a very real sense, it doesn't matter, it becomes a question of whether you prefer EJB3 or Spring, regardless of Spring Security.