views:

96

answers:

3

Hi folks,

I am programming a Web-Application with JEE, JSF and Hibernate. I do not use Spring or EJB! Now I am at the point where to implement authentication and authorization. I need to access an Active Directory or LDAP. And I want to implement my own roles, that are not retrieved from the AD/LDAP.

My question is: What's the easiest way to implement that? Should I use a framework like JAAS/Apache Shiro? And which one is best for my intentions?

About the little role concept: I planned to set up a property file where I can configure the roles. I have only a few roles, so a big concept is not that necessary?!

I am very glad of any recommendation or suggestion.

Thank you!

+2  A: 

Whether you use the spring container for your application or not (you should :-)), Spring Security is the single most versatile auth / auth provider there is. Here is a brief overview of what it can do.

(You can use spring security even if you don't use spring for the rest of your app)

seanizer
Just to be explicit: Can it authenticate a user against Active Directory from a non-Windows box?
Thorbjørn Ravn Andersen
SpringSecurity does LDAP. I don't know about Active Directory though.
Stephen C
+1  A: 

I studied a little bit and I like Apache Shiro. The problem I have is that there are no good tutorials or how-tos...

Here's a little example how easy Shiro works: link

Sven
+1  A: 

It is definitely not true that "Spring Security is the single most versatile auth / auth provider there is" - that's just unfounded hype.

Apache Shiro can handle more use cases than Spring Security, if only because SS doesn't support enterprise session management or have simplified cryptography out of the box (Shiro does). Shiro also supports a much finer-grained security model out of the box (e.g. Shiro's WildcardPermission). Shiro also does LDAP and Active Directory. Also note that Shiro was built from day one with architectural foundations to work in any application environment, not just Spring applications (but it excels in Spring apps for sure). The same can not be said of Spring Security (it was indeed built initially for only Spring applications).

As far as a small number of users and/or roles, you can easily do that in the shiro.ini file. For example:

[main]
...
[users]
jsmith = password, role1
ajones = anotherPassword, role1, role2

[roles]
role1 = perm1, perm2, ..., permN
role2 = permA, permB, ..., permZ

At the end of the day, both Apache Shiro and Spring Security are great frameworks - both stand well on their own merits. Your choice should be based on which one fits your mental model better (which interfaces and class names make more sense? Which is easier for you to understand and use?)

Cheers,

Les

Les Hazlewood
Like I mentioned a lot: Shiro is really easy, but you have to find out on your own unless some people are going to write some tutorials, and I don't want to see Bruce Phillips' tutorials; they are more confusing than helping. Hope somebody will do this so that Shiro can become more popular...
Sven
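The asker wants LDAP/AD authentication combined with application-local roles kept in a property file, and Les's answer shows the static shiro.ini form of users and roles. Below is an added example of a custom Shiro realm that does the same thing dynamically: it authenticates by an LDAP simple bind through JNDI and assigns roles from a properties file. This is not code from the thread or from the Shiro project; the LDAP URL, the DN template, the roles file path and the class name are assumptions.

```java
// Added example, not from the thread: a Shiro AuthorizingRealm that
// authenticates by LDAP simple bind (JNDI) and assigns app-local roles
// from a properties file (one line per user, e.g. "jsmith=role1,role2").
// LDAP_URL and USER_DN_TEMPLATE are assumed values for illustration.
import java.io.FileInputStream;
import java.io.IOException;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class LdapAuthPropertyRolesRealm extends AuthorizingRealm {
    private static final String LDAP_URL = "ldap://ldap.example.com:389";          // assumed
    private static final String USER_DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com"; // assumed
    private final Properties roles = new Properties();   // user -> "role1,role2"

    public LdapAuthPropertyRolesRealm(String rolesFile) throws IOException {
        try (FileInputStream in = new FileInputStream(rolesFile)) { roles.load(in); }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String user = upt.getUsername();
        char[] pw = upt.getPassword();
        // Caveat: an empty password makes many LDAP servers perform an
        // anonymous bind that succeeds, so reject it before binding. The
        // username check also keeps DN special characters out of the bind DN.
        if (user == null || !user.matches("[A-Za-z0-9._-]{1,64}") || pw == null || pw.length == 0) {
            throw new AuthenticationException("invalid username or empty password");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_TEMPLATE, user));
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try {
            new InitialDirContext(env).close();   // bind succeeded, nothing else needed
        } catch (NamingException e) {
            throw new AuthenticationException("LDAP bind failed for " + user, e);
        }
        return new SimpleAuthenticationInfo(user, pw, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        Set<String> roleSet = new HashSet<>();
        for (String r : roles.getProperty(user, "").split(",")) {
            if (!r.trim().isEmpty()) roleSet.add(r.trim());
        }
        return new SimpleAuthorizationInfo(roleSet);   // user not in the file -> no roles
    }
}
```

Register the realm in shiro.ini under [main] (for example `ldapRealm = LdapAuthPropertyRolesRealm` with a `rolesFile` property set through a constructor-free setter if you prefer), and keep the roles file outside the web root so it cannot be served to clients.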