As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Which is the best security solution for grails among acegi, jsecurity and Stark security?
JSecurity actually became an Apache project under the name Apache Ki a while ago and they weren t happy with the name change for some reason and changed it to Apache Shiro soon after that. Also Stark is just a grails plugin wrapper for Spring Security and acegi is the origin of Spring Security project.
So which one to use?
Firstly, Spring Security is a matured security API and already widely used so from stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit in this since as far as I know, it s still lacking in widespread adoption.
Secondly, they way the security framework actually behaves is quite important, it has to be able to enable you to do your favorite scheme of securing your application. For example while some people like the way Shiro works (see this tutorial, esp. the part under headline "Quickstart.java") others couldn t live without Spring Security s Spring-esque stuff and so on and so forth. Basically you need to try both and figure out if they meet your needs from usability point of view.
Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure, Shiro is most likely secure because no widespread adoption hides security issues easily, see for example Firefox vulnerabilities to see how increased user base starts to affect the actual security of the application in the long run.
To end this, if I had to choose for you, I would pick Spring Security because it s widely used, it s guaranteed to be secure and already integrated with Grails. JSecurity/Ki/Shiro isn t bad at all and I ve used it for a while, but at the moment it s in some sort of limbo state for who knows what reason and for a security framework that s just unacceptable.
Edit: It s been over 1½ years since I answered this, so I felt the need to come back and say that our company recently decided to go with Spring Security due to its high pluggability and its proven functionality. This of course makes me a bit biased but in any case, I d say that Spring Security is the way to go.
Esko s answer is great and comperehensive. I did an evaluation of the different frameworks a month ago, and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with ability to create complex authorization requirements. JSecurity s model is very simple, yet very powerful.
What finally convinced me, though, is Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc... and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenId, facebook, and others.
If Nimble worked for SpringSecurity, I would have probably chosen it, but I saw it as a huge win for me.
I ve used both frameworks and love the way Shiro works in comparison to Spring s approach. I don t know why Spring Security is so popular. Unlike Shiro, Spring Security runs wild throughout the application whenever configuration is needed. Isn t security a cross-cutting concern for most applications? If so, wouldn t it be "cleaner code" to isolate it to a single location? My two cents.
Thanks guys for your responses. I actually tried spring security on a grails application. The grails plugin makes it quite easy to use.
regards.
Josh
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...
