何时从Container托管安全迁移到Apache Shiro，Spring Security等替代方案？ [英] When to move from Container managed security to alternatives like Apache Shiro, Spring Security?

问题描述

我正在尝试保护使用JSF2.0构建的应用程序。

I am trying to secure my application which is built using JSF2.0.

我很困惑人们何时选择使用Shiro，Spring等安全替代方案安全或owasp的esapi留下容器管理安全。看过一些关于Stack Overflow的相关问题，我意识到JSF开发人员过去更喜欢基于容器的安全性。但我也强烈建议使用Apache Shiro。我是安全问题的新手，不知道可能是什么相关问题&如何处理它们。因此，我正在寻找能够通过其默认设置处理大多数安全问题的东西。

I am confused about when do people choose to go with security alternatives like Shiro, Spring Security or owasp's esapi leaving behind container managed security. Having seen some of related questions on Stack Overflow, where I realized that container based security was more preferred by JSF developers in past. But I have also been strongly recommended to use Apache Shiro. I am novice in terms of the security issues and have no idea what may be the relevant issues & how to deal with them. Therefore I'm looking for something that handles most of the security issues through its default settings/ on its own.

就我的应用程序要求而言，我有一个社交应用程序具有不同角色的用户可以访问不同的页面集，并可以根据他们的角色在这些页面上使用不同级别的功能。

In terms of my application requirements, I have a social application where users with different roles have access to different set of pages and can use different levels of functionality on those pages based on their roles.

在这种情况下，您认为可以做什么？对我来说是个不错的选择吗？

In that case what do you think could be a good option for me to go with ?

我个人已经确信选择Shiro因为它易于使用并且为新手照顾大部分事情。

I personally have been convinced to opt Shiro since it is easy to use and takes care of most of the things for the novice.

推荐答案

除了以下内容之外，我对Apache Shiro一无所知，但你引用的内容实际上是从他们的网页，其中包含几个错误陈述，例如'[JAAS]所需的静态定义程序员可以改变'，'JAAS也是如此严重依赖于虚拟机级别的关注点，以及JAAS与用户和角色无关的含义，这简直是错误的。我希望有很多令人信服的方法来摆脱容器管理的安全性。它是Servlet规范的一部分，因此必须由任何容器支持;它很好理解;它由JDK课程支持，没有第三方; ......它对我有用; - ）

I know exactly nothing about Apache Shiro except as follows, but what you have quoted comes practically verbatim from their Web page, which contains several mis-statements such as '[JAAS] required static definitions that only programmers could change', and 'JAAS is tied too heavily tied to virtual machine-level concerns', and the implication that JAAS isn't about users and roles, which is simply false. I would want a lot of convincing to move away from container managed security. It's part of the Servlet Specification, so it has to be supported by any container; it's well understood; it is supported by JDK classes with no 3rd parties; ... and it works for me ;-)

这篇关于何时从Container托管安全迁移到Apache Shiro，Spring Security等替代方案？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！