Apache Shiro or Spring Security??

[Fabricio Pizzichillo]

Hello everyone.
What security and authentication framework works well with a GWT application?
Someone used some as Apache-Shiro or Spring-Security?
What do you recommend?

thanks
Fabricio

[Juan Pablo Gardella]

I use spring security and works. Is robust and mature.

2011/6/21 Fabricio Pizzichillo <fpizzi...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-we...@googlegroups.com.
To unsubscribe from this group, send email to google-web-tool...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.

[Fabricio Pizzichillo]

thanks, I'll do some research on how to integrate

2011/6/21 Juan Pablo Gardella <gardella...@gmail.com>

[Juan Pablo Gardella]

good luck

2011/6/21 Fabricio Pizzichillo <fpizzi...@gmail.com>

[Juan Pablo Gardella]

I do a simple sample that integrate with spring security, but is very basic. Have server side protected method too with jsr-250.

I can't said anything about apache shiro, but if you choose spring security you will no have problems

[Elhanan Maayan]

 we are exploring apache shiro with gwt integration, the reason is first of all, you don't spring beans for it, and 2nd is that also provides for session management which spring security does not.
even folks at spring forums say shiro has much broader scope then security ..

[Nicolas Antoniazzi]

Here, we use Shiro since it is really easy to integrate.

Moreover, Shiro is not tight to Spring... And that's a good thing for us since we use Gin on client and Guice on Server (to not multiply API).

2011/6/22 Elhanan Maayan <elh.ma...@gmail.com>

[Juan Pablo Gardella]

With spring you can use the same API too, JSR-330.

2011/6/22 Nicolas Antoniazzi <nicolas.a...@gmail.com>

[Elhanan Maayan]

but... you need .. spring beans... wouldn't that be the point of the spring container? instrument beans managed in it?

[Fabricio Pizzichillo]

Can share how youdo it?

2011/6/22 Nicolas Antoniazzi <nicolas.a...@gmail.com>

[objectuser]

There are only a few things you need to do, actually.  It's mostly around:

1. Creating a realm (probably by extending AuthorizingRealm)
2. Creating a filter (probably by extending AbstractShiroFilter).  Alternatively, you can use their INI filter, which provides some DI-like things, if you're not using something like Guice.
   

I think Shiro is far easier to use than Spring Security, personally.  However, the hard part is there is a lot more and better documentation for Spring Security.  I also find Shiro to be relatively light-weight, like Guice, in comparison with Spring.  I like Spring a lot, don't get me wrong, but there are reasons for it and Guice, depending on your needs.

[yes2000]

I think the major problem is "How you handle secured issue during RPC invocation?"
Your GWT application should distinguish RPC exception whether a security exception.
and give client a log-in option(dialog or redirect to new page).

If you don't use gin, gwtsecurity is a good choice.