Learn Spring Security: best security tech?

Hello Mr. Paraschiv,

I'm about to start a new project which involves developing a web app with java technologies. This app has to achieve, among other different things, the authentication of users (register and login). Technologies I'm planning to use are the spark framework, freemarker template engine, mongodb, spring framework for dependency injection and a framework (still not decided which one) for security issues and authentication of users.

The options, at a first glance, are JAAS, Spring Security or Apache Shiro, or maybe another one I'm not aware of.

I would like to know your opinion about which security technology is best to use in my project, and as I guess you will say Spring Security, what are then its advantages in comparison with those other ones I've mentioned.

Thanks for your time and advise.

Hey Oriol,
That's an interesting stack.
So, in the Java ecosystem (I assume that's what you're looking at), there are o few solutions to handling security - definitely.
Of course my personal preference is for Spring Security (that's why I'm building a course on it), but I have used all three.
Generally speaking it's also the only one that's actually well maintained and kept up to date with what's happening in the real world. For example, Apache Shiro had its last minor release in 2013 and it's last actual release at the beginning of 2012.
And JAAS - well, that's tied to the Java EE ecosystem for the most part, and so the progress on it isn't great either.
So, I'd say, yes - go for Spring Security.
Hope that helps. Cheers,
Eugen.

Following on the recommendation of Spring Security over Shiro (since Shiro hasn't been changed since 2013)...

Does Spring Security work well as an authorization provider if you already have a corporate standard for authentication.
In my case, we have to use an API for a "global login" for users to access our app, but there's no standard for authorization.
It's up to the individual app to decide what any given user can see (for example, the authentication provider returns a user's
management level, but doesn't say "Hey, Application X, you should only allow these functions for this user).

Does your course cover this scenario of "working and playing well with others"???

The framework needs to integrate with the common authorization provider - presumably to get a list of authorizations/permissions (yes, that's supported). Once that's done, it's entirely up to the applicaiton how much access the user will have of course. The principal will have that set of permissions, and the application will determine what that means in terms of access.
Generally speaking, Spring itself was designed to "play well" with other frameworks. The main reason was that Spring wasn't as dominant as it is today back then - and that mean it had to really focus on interoperability and integration. And that stuck in the design of the framework, so that generally works well.
Of course it does depend on how far you need to stretch the framework.

Eugen Paraschiv wrote:Apache Shiro had its last minor release in 2013

Shiro had releases in 2014 and 2015: http://mvnrepository.com/artifact/org.apache.shiro/shiro-core

That's a good point - their news site is missing an update (1.2.3).
However, all of these are not even minor updates, but patch updates (the last one for instances fixes 5 small bugs) - so the point still stands - they're pretty much standing still.
And don't get me wrong - it would be great to see some real movement in Shiro or any of the other security solutions in the Java space - as that would benefit the entire ecosystem. But - the reality is that it's simply not the case right now.
Cheers,
Eugen.

I want to thank to all of you. I've been very busy this week and after reading your opinions and some other sources I'm decided to use Spring security in my project.
Now, I have to update or improve my knowledge about Spring framework. The video tutorials from Mr. Paraschiv are a very good option. Thanks.

However, all of these are not even minor updates, but patch updates (the last one for instances fixes 5 small bugs) - so the point still stands - they're pretty much standing still.

Regarding Apache Shiro, since we had this conversation, the speed of development seems to have picked up once again, with several bug fix release and one feature release (1.3) having happened since then, and apparently another feature feature release (1.4) in the release candidate stage. So there is progress after all.

I definitely did pick up: https://github.com/apache/shiro/graphs/contributors
So that's very cool.
That being said, I'm personally going to let it sit for a while before looking at it again.
Looking at that graph - I'm a bit hesitant to really build any production logic with a library that's developed on and off. However, if it's going to be stable for a while - that's going to change.

Cheers,
Eugen.

That graph is indeed interesting. 2019 is shaping up to be an active year (release of 1.4.1, and a fair amount of work towards 1.5), but I concur that the on/off nature is a bit of turn-off. I think my attitude would be: if 1.4.1 does what you need, by all means, use it. But using it while waiting for fixes or new features is a bit of an iffy proposition, given the irregular release cycle.