Grails AcegiSecurity vs. JSecurity plugins

25 views
Skip to first unread message

Hamlet D'Arcy

unread,
Jan 16, 2008, 9:29:32 PM1/16/08
to Groovy Users of Minnesota
Gang,

Believe it or not, I am actually doing paid Grails work. Huzzah.

The Definitive Guide to Grails contains steps on enabling Acegi
security, so I went to download the plugin and found there was also a
JSecurity plugin.

Acegi certainly looks more complicated to setup...

Does anyone have experience with either of these? Recommendations?

Thanks, Hamlet

Ted Naleid

unread,
Jan 16, 2008, 10:17:02 PM1/16/08
to groo...@googlegroups.com
Congratulations on the grails gig. It's nice to hear that it's more
than just Refactr and Carol using it in the area :).

We're using the grails acegi plugin. Another dev did the majority of
the work on it so I can't speak too much about the level of complexity
other than the fact that it hasn't seemed to get in my way, which is a
good thing.

Our system is fairly complex (end users, in house administrators, and
external client administrators) and we also wanted the ability to use
it with our LDAP server for administration and authentication of the
admin level users. Seems to be working well so far.

I haven't used JSecurity, but if your security requirements are pretty
light it might be worth some investigation if you think it might be
easier than acegi.

-Ted

Michael Hugo

unread,
Jan 17, 2008, 12:26:41 AM1/17/08
to groo...@googlegroups.com
I also have used Acegi in several applications (both Grails and
otherwise), but have not used JSecurity. If you do decide to use
Acegi, I would recommend doing a grails install-templates and then
configuring Acegi manually in web.xml rather than utilizing the acegi
plugin. While the plugin is great for getting going quickly, I have
had some issues trying to extend it and decided instead to go back to
a vanilla install of acegi. This post was helpful in getting me
started: http://bbweblog.kevinhooke.com/BBWeblog/viewPost.do?entryID=803&instanceID=1&categoryID=111&action=detail

The Acegi docs are decent, and the source code (if you get that far,
yikes!) is pretty easy to follow. It's one complicated beast, but it
has worked really well for me in the past with both a basic login/
logout/remember me functionality and a complicated solution that
involved a single sign-on authentication provider.

I hope you like XML Configs :), good luck!

Mike

Les

unread,
Jan 17, 2008, 2:05:07 PM1/17/08
to Groovy Users of Minnesota
Hi All,

Just chiming in here to help shed some light on the subject.

JSecurity can be used in pretty much any environment - from the
simplest in-memory single user setup to extremely complicated multiple
data source, heterogenous system deployments. JSecurity is used in
production government applications that need to authenticate and
authorize against LDAP, RDBMS, Unix, Windows Active Directory, etc,
etc, and quite a few that need to access all these data sources
simultaneously. Security rights, roles and permissions (can user X do
Y on device Z) can be changed instantaneously, at runtime, without
requiring a user to log out and then back in again.

JSecurity also implements an integrated and transparent Session
management infrastructure that allows you to share session state
across clients (e.g. a web page and a Swing client or a C# app). This
is being used to support very flexible SSO production deployments
too. So, in many ways, JSecurity is more powerful and flexible than
Acegi (although there is not a 100% equivalent feature set yet).

But where I think JSecurity shines above all is its simplicity. It is
deceptively simple. It tries to stay out of your way whenever
possible, and we try to make configuration a very very short exercise
(no more than 5 to 10 lines in any format). It is really easy to set
up, either in code, in Spring, or in web.xml.

Anyway, I'm done rambling. I just don't want folks to think
JSecurity's simplicity in design and use implies that it is less
feature rich or less capable than Acegi, because that's certainly not
the case.

If you can wait two weeks, JSecurity 1.0 will be out (with a
quickstart guide and simple documentation) and the JSecurity Grails
plugin will be soon to follow, you'll see how config and then its use
can actually be easy to understand instead of drowning in excessive
XML :)

Here's a short code blurb to pique your curiosity (single data source
application):

Realm myRealm = new MyJdbcRealm(); //performs authentication and
authorization for a single JDBC datasource. You implement this.
//inject data source and other properties here
myRealm.init();
SecurityManager securityManager = new
DefaultSecurityManager( myRealm ); //there, your config is done!

//do some security operations:
SecurityContext currentUserSecCtx =
securityManager.getSecurityContext();
currentUserSecCtx.login( new UsernamePasswordToken( "username",
"password" ) );

if ( currentUserSecCtx.hasRole( "Administrator" ) {
//show an admin button
} else {
//don't show it? grey it out?
}

currentUserSecCtx.getSession().setAttribute( "key", "my value to use
later" );

//later on in the app:
currentUserSecCtx.invalidate(); //logout and release any Session that
might have been used

I hope that whets your appetite. Please look out in two weeks for 1.0
and give us your feedback!

Best regards,

Les Hazlewood
JSecurity project founder

Jesse O'Neill-Oine

unread,
Jan 17, 2008, 2:11:40 PM1/17/08
to groo...@googlegroups.com
Awesome, thanks for chiming in Les.  I've used Acegi in my apps thus far, because I wasn't aware of JSecurity.  I have been less than thrilled with the Acegi plugin for Grails, though, so if JSecurity 1.0 has good Grails support it may just be enough for me to switch.  How close would you say you are to parity with Acegi at this point?  What parts are missing?

Unrelated: Are you local?  I'm just curious and if you are would love to have a presentation about JSecurity if you're interested. :)

Jesse

Jesse O'Neill-Oine // je...@refactr.com
Refactr LLC // http://refactr.com
mobile // 612-670-5037
----------------------------------------------------------

Scott Vlaminck

unread,
Jan 17, 2008, 2:37:33 PM1/17/08
to groo...@googlegroups.com
For those that may have missed it, there was a good discussion of
Acegi and JSecurity on the grails user list a week ago as well. Les
did a good job of explaining JSecurity there too.

http://www.nabble.com/Acegi-to14348354.html#a14677302


I've only used Acegi and didn't know anything about JSecurity until
the discussion on the grails list, but I plan to switch for my next
project.

Scott

--
-------------------------------------------------
Scott Vlaminck // sc...@refactr.com


Refactr LLC // http://refactr.com

mobile // 612-386-9382
-------------------------------------------------

Les

unread,
Jan 17, 2008, 5:03:29 PM1/17/08
to Groovy Users of Minnesota
Hi Jesse,

Peter Ledbrook, the JSecurity Grails plugin maintainer has been doing
a great job getting JSecurity cleanly integrated. After I release
JSecurity 1.0 in a week or two, he'll implement the necessary changes
in the plugin as soon as his time permits.

As far as a full Acegi comparison is concerned, I'm afraid I don't
know exactly what low level parts are different from either
framework. I do know that Authentication, Authorization, pluggable
authentication modules (JSecurity calls these 'Realms'), remember me
login, securing URLs, etc, are all supported already (or will be in
1.0). It is the low-level comparison where I'm not knowledgeable. I
do know one big difference between the two frameworks is that
JSecurity's Session management infrastructure is second to none -
there are no other frameworks available that can do what it does
(Acegi doesn't provide any such functionality to the best of my
knowledge).

One of the other things I'm happy with is that JSecurity was built
from the ground up to work without Spring, but still be perfectly
Spring 'integratable'. I.e. It was built with Dependency Injection
always in mind, because I personally use Spring for everything - I
wanted perfect support, but still not be tied to Spring from an
architectural or even implementation perspective. But it worked out
quite well, and JSecurity's full Spring support (including AOP
annotations) is only like 4 or 5 classes :) It also can integrate
with PicoContainer or Google Guice and the new JBoss Microcontainer
seamlessly. (I know Acegi wasn't designed like this from the
beginning, but their team has made great strides to eliminate this
problem now).

And just let me be clear to everyone - I have a tremendous amount of
respect for Ben Alex and the rest of the Acegi team. We just do
things a little differently and think about things differently. I'd
like to say that JSecurity is far easier to understand, and that a lot
of things just 'make sense', with low configuration, but I am
definitely biased - but it is what I strive for. I want an insanely
low learning curve :) It is my opinion that a security framework
(most frameworks in fact) should just stay out of your way and do as
much as they can on your behalf without much intervention. I guess a
purely subjective comparison that I often think of is that I feel
JSecurity is to Acegi as say, Sitemesh is to Tiles - both are great,
and do mostly the same things, but their approaches differ.

And as to my location, I'm sad to say that I'm not close to
Minnesota :/ I live and work in Atlanta, so that would be a bit of a
trip for me. I've given some JUG presentations, but I plan to have
some screencasts eventually on jsecurity.org to alleviate the travel
problem.

Anyway, when you start using JSecurity, please drop me a line or post
in our forums. I'm eager to help people out and listen to suggestions
(and constructive criticism!) to make the framework better for
everyone. But if we do our job well enough, perhaps we might not hear
from you at all ;)

Best regards,

Les

On Jan 17, 2:11 pm, "Jesse O'Neill-Oine" <je...@refactr.com> wrote:
> Awesome, thanks for chiming in Les. I've used Acegi in my apps thus far,
> because I wasn't aware of JSecurity. I have been less than thrilled with
> the Acegi plugin for Grails, though, so if JSecurity 1.0 has good Grails
> support it may just be enough for me to switch. How close would you say you
> are to parity with Acegi at this point? What parts are missing?
>
> Unrelated: Are you local? I'm just curious and if you are would love to
> have a presentation about JSecurity if you're interested. :)
>
> Jesse
>
> --
> ----------------------------------------------------------
> Jesse O'Neill-Oine // je...@refactr.com
> Refactr LLC //http://refactr.com
> mobile // 612-670-5037
> ----------------------------------------------------------

Peter Wolf

unread,
Jan 18, 2008, 10:35:29 AM1/18/08
to groo...@googlegroups.com
Can someone point me to a document describing the creation and
initialization of Grails Domain objects.

I want to create a object where the user fills in some of the
properties, and then others are calculated from those values. I need to
run code after the "create" or "edit" behavior, but before the object is
used.

Should I just write a custom create and edit, or is there a better way?

Thanks
P

Reply all
Reply to author
Forward
0 new messages