views: 113
answers: 3

I've been looking over Spring Security and noticing how it's a pretty big package. I'm wondering if it's worth the effort to take the time to ramp up on this.

Has Spring Security 2.0+ saved you a large amount of time, or has it simplified your project in any way?

+2  A: 

If the alternative is no security or writing and maintaining my own, I'd rather learn Spring Security.

If I can amortize the learning curve over several projects, so much the better.

duffymo
does this answer contain any information?
irreputable
".... I'm wondering if it's worth the effort to take the time to ramp up on this...." - it does offer one view on this question. It's worth more than the nothing you've provided.
duffymo
+2  A: 

I considered using it for a Spring project a couple of years back, and opted against it because it was a tremendously heavy and complex framework and the flexibility that it provides just wasn't necessary IMHO. It was (in my estimation) less effort to roll our own authentication/authorization. Don't misinterpret this as meaning that it was a trivial effort; effective security never is.

From a risk standpoint, I didn't understand it deep down after spending some time with the documentation, and decided that the complexity represented a significant risk of misconfiguration. It may be "better" than what we built, but if we didn't understand how to use and configure it properly, then it wasn't going to live up to its potential. A custom-implemented (and possibly "inferior") security module that I understand inside-out is less concerning.

Disclaimer: Spring Security was still called Acegi at the time, and the current technology may well have changed along with the name.

Greg Harman
ACEGI did merit that conclusion, but Spring Security has undergone a significant refactoring since then. It'd be worth considering again.
duffymo
My feelings are the same. I don't know how deep the rabbit hole is at this point. I know I need to understand something like this on a deep level to be effective and secure with it. Whatever solution is chosen, it also needs to be simple enough to be understood by the junior devs on the team. It's not really secure if no one else can understand it and apply it.
bostonBob
@Greg - the SpringSecurity "namespace" extensions in 2.x and 3.0 have *significantly* simplified configuration for simple use-cases. (They could provide more namespace hooks for complex use-cases, but that's a different kettle of fish.)
Stephen C
@bostonBob - good point. The SpringSecurity "namespace" extensions simplify configuration, but they also make it harder to figure out exactly how the filters are *actually* configured.
Stephen C
+6  A: 

Has spring security 2.0+ saved you a large amount of time, or has it simplified your project in any way?

For my project, yes and yes.

It very much depends on how simple or complex your security requirements are.

  • If you only need to do simple things, you can get away with only reading the small part of the SpringSecurity documentation that is relevant to your problem. Or just borrow stuff from the samples.

  • If you are doing complicated things like talking to an enterprise LDAP service or using OpenID, then using SpringSecurity is going to be much simpler than implementing things yourself starting from (non-spring) third-party libraries.

In my experience, decent website security is complicated and time-consuming, no matter how you implement it.

Stephen C
We're using Spring Security 2.0+ for some project involving rather specific security (LDAP/X509 authentication and authorization through 3rd party Java API) and, although it did not fit our needs out of the box, its extensibility was great. With very little subclassing and some configuration we got exactly what we wanted. I think Spring Security 2.0+ is a time saver.
gpeche
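To make concrete what the comments on the second answer (the 2.x/3.0 "namespace" configuration) and the third answer (simple in-memory users versus an enterprise LDAP directory) are describing, here is a minimal Spring Security 2.0 namespace configuration. It is an added illustration written for this page, not code from any poster or from the Spring project; the URL patterns, user name, directory address and DN pattern are made-up placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- applicationContext-security.xml: illustrative Spring Security 2.0 namespace config.
     All patterns, names and hosts below are placeholders, not values from the thread. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- auto-config="true" silently registers a default filter stack (form login,
       BASIC auth, logout, anonymous handling); this is the convenience that also
       hides which filters ended up in the chain. -->
  <http auto-config="true">
    <!-- intercept-url rules are evaluated in order and the first match wins,
         so the most specific pattern must come before the catch-all. -->
    <intercept-url pattern="/admin/**"   access="ROLE_ADMIN" />
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**"         access="ROLE_USER" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" />
    <logout logout-success-url="/login.jsp" />
  </http>

  <!-- Simple case: a couple of in-memory users. Passwords are stored hashed;
       REPLACE_WITH_SHA1_HASH is a placeholder, never a plaintext password. -->
  <authentication-provider>
    <password-encoder hash="sha" />
    <user-service>
      <user name="alice" password="REPLACE_WITH_SHA1_HASH" authorities="ROLE_USER,ROLE_ADMIN" />
      <user name="bob"   password="REPLACE_WITH_SHA1_HASH" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>

  <!-- Complex case, used instead of the in-memory provider above: authenticate
       against an enterprise directory. Host and DN pattern are placeholders. -->
  <!--
  <ldap-server url="ldap://ldap.example.internal:389/dc=example,dc=internal" />
  <ldap-authentication-provider user-dn-pattern="uid={0},ou=people" />
  -->
</beans:beans>
```

For any of this to run, `web.xml` still has to map a `DelegatingFilterProxy` with the filter name `springSecurityFilterChain` onto `/*`; forgetting that mapping leaves every `intercept-url` rule unenforced with no error at startup, which is exactly the kind of misconfiguration risk the second answer worries about. The usual way to see which filters the namespace actually assembled is to turn on DEBUG logging for `org.springframework.security` and read the filter chain it prints at startup, then verify the `/admin/**` rule with an unauthenticated request rather than trusting the XML.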