Java EE的Spring Security框架？ [英] Framework like Spring Security for Java EE?

问题描述

Spring Security提供了许多强大的安全机制，但它并不适合Java EE（EJB）环境。一个问题是Spring Security将SecurityContext存储在不适用于集群的ThreadLocal对象中。 Spring Security依靠来自Spring内核的服务（例如AOP），如果EJB容器管理该对象则不可用。而Spring Security需要Spring内核来连接本身，因为Java EE已经有依赖注入机制，所以我想避免的。

Spring Security offers many powerful security mechanisms but it doesn't fit properly into a Java EE (EJB) environment. One problem is that Spring Security stores the SecurityContext in a ThreadLocal object which is not suitable for clusters. Spring Security relies on services (AOP for example) from Spring core which are not available if the EJB container manages the object. And Spring Security needs Spring core to wire itself, what I'd like to avoid since Java EE has already dependency injection mechanisms.

是否有安全框架裁剪为Java EE制作？我想拥有ACL或更灵活的角色机制。

Is there a security framework tailor-made for Java EE? I'd like to have ACLs or a more flexible role mechanisms for example.

推荐答案

如果Java EE安全模型和Spring Security都不适合您的需要，那么恐怕您必须自行创建自定义解决方案 - 也许是自定义JAAS LoginModule - 因为你不会找到任何等同的东西（至少不是在我的知识的开源世界）。但是请注意，JAAS并不是一个愉快的API，这不是一件容易的事情。有关此主题的更多资源，请参阅有关安全性的更多信息 （见页面底部）。

If neither the Java EE security model nor Spring Security suit your needs, then I'm afraid you'll have to roll out your own custom solution - maybe a custom JAAS LoginModule - as you won't find anything equivalent (at least not in the open source world to my knowledge). But be aware, JAAS is not really a pleasant API and this won't be an easy task. More resources on this topic in Further Information about Security (see the bottom of the page).

这篇关于Java EE的Spring Security框架？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！