When to move from Container managed security to alternatives like Apache Shiro, Spring Security?


Problem description

I am trying to secure my application which is built using JSF 2.0.

I am confused about when people choose to go with security alternatives like Shiro, Spring Security or OWASP's ESAPI, leaving behind container managed security. Having seen some of the related questions on Stack Overflow, I realized that container based security was more preferred by JSF developers in the past. But I have also been strongly recommended to use Apache Shiro. I am a novice in terms of security issues and have no idea what the relevant issues may be and how to deal with them. Therefore I'm looking for something that handles most of the security issues through its default settings/on its own.

In terms of my application requirements, I have a social application where users with different roles have access to different sets of pages and can use different levels of functionality on those pages based on their roles.

In that case what do you think could be a good option for me to go with?

I personally have been convinced to opt for Shiro since it is easy to use and takes care of most of the things for the novice.

Recommended answer

I know exactly nothing about Apache Shiro except as follows, but what you have quoted comes practically verbatim from their Web page, which contains several mis-statements such as '[JAAS] required static definitions that only programmers could change', and 'JAAS is tied too heavily tied to virtual machine-level concerns', and the implication that JAAS isn't about users and roles, which is simply false. I would want a lot of convincing to move away from container managed security. It's part of the Servlet Specification, so it has to be supported by any container; it's well understood; it is supported by JDK classes with no 3rd parties; ... and it works for me ;-)
