Apache Shiro vs Spring Security

Printable View

Mar 15th, 2011, 09:26 PM
skram

Apache Shiro vs Spring Security

Apache Shiro and Spring Security seems to be competing frameworks when it comes to application security.

I'm not going to ask the usual question i.e what's the main difference but rather something strikingly odd I read at Infoq

Quote:

Who’s Using Shiro?
Many open-source communities are using Shiro as well, for example, Spring, Grails, Wicket, Tapestry, Tynamo, Mule, and Vaadin, just to name a few.

Source: http://www.infoq.com/articles/apache-shiro

What part of Spring uses Shiro exactly? Where does Spring Security take part in the Spring portfolio if that's really the case? Is there something that Shiro has that Spring Security can't do for the Spring team?

Thanks. Just a curious thought
Mar 16th, 2011, 02:13 PM
lhazlewood

Hi there,

The article says "many open-source communities". A community includes both the development team and its users. There are very many Spring users that use Apache Shiro in their Spring applications.

The Spring development team does not use Shiro in any part of its framework that I am aware of. However, the Shiro team (and its end-users) often use Spring for their own applications, so Shiro provides a complete Spring integration solution out-of-the-box for anyone wishing to use Shiro instead of Spring Security as their preferred application security API.

There are enough differences between the two frameworks, but the basic idea is that they differ based on scope and mental model/design. Also Shiro has a broader scope than Spring Security (to the best of my knowledge) in that it also addresses problems associated with enterprise session management (agnostic session clustering, SSO, etc) as well as cryptography, concurrency, etc. Finally, Shiro was designed from day one to work in all application environments (Spring, JEE, command line, smartphone, etc) - not just Spring environments.

Both frameworks are top notch, maintained by top-notch people - their scope and design/models are just different.

HTH,

Les
- Apache Shiro Chair and author of the InfoQ article and a _very_ long time Spring user and contributor since the Interface21 days (I helped write some of the Spring JMS support et. al.).
Mar 16th, 2011, 07:05 PM
skram

@Les, thanks for the clarification. However, I think the problem probably is how the article stated the statement.

Quote:

The article says "many open-source communities". A community includes both the development team and its users....

The Spring development team does not use Shiro in any part of its framework that I am aware of.

Original:

Quote:

Many open-source communities are using Shiro as well, for example, Spring, ...

That statement should be restated as

Quote:

Many users are using Shiro as well, for example, Spring, ...

Since the development team isn't using it for the framework itself. In any case I get your point after you clarified the statement. I'm just being too picky with the words ;)