Shiro 与 SpringSecurity [英] Shiro vs. SpringSecurity

问题描述

我目前正在评估基于 Java 的安全框架，我是 Spring 3.0 用户，所以 SpringSecurity 似乎是正确的选择，但 Spring 安全似乎过于复杂，它似乎并没有让安全变得更容易实施起来，Shiro 似乎更加连贯，也更容易理解.我正在寻找这两个框架之间的优缺点列表.

I have currently evaluating Java based security frameworks, I am a Spring 3.0 user so it seemed that SpringSecurity would be the right Choice, but Spring security seems to suffer from excessive complexity, it certainly does not seem like it is making security easier to implement, Shiro seems to be much more coherent and easier to understand. I am looking for lists of pros and cons between these two frameworks.

推荐答案

我也同意 Spring Security 感觉太复杂(对我来说).当然，他们已经做了一些事情来降低复杂性，比如创建自定义 XML 命名空间来减少 XML 配置的数量，但对我来说，这些并没有解决我关于 Spring Security 的个人基本问题:它的名称和对我来说，概念通常令人困惑.只是得到它"很难.

I too agree that Spring Security feels too complicated (to me). Sure, they have done things to reduce complexity, like creating custom XML namespaces to reduce the quantity of XML configuration, but for me, these don't address my personal fundamental issue with Spring Security: its names and concepts are often confusing in general to me. It's hard to just 'get it'.

不过，当您开始使用 Shiro 时，您就明白了".在安全世界中难以理解的事情变得更容易理解.在 JDK 中难以使用的东西(例如密码)被简化到一个不仅可以忍受的水平，而且通常使用起来很愉快.

The second you start using Shiro though, you just 'get it'. What was hard to understand in the security world is just that much easier to understand. Things that are unbearably difficult to use in the JDK (e.g. Ciphers) are simplified to a level that is not just bearable, but often a joy to use.

例如，如何在 Java 或 Spring Security 中对密码进行 hash+salt 和 base64 编码?两者都不像 Shiro 的解决方案那样简单直观:

For example, how do you hash+salt a password and base64 encode it in Java or Spring Security? Neither are as simple and intuitive as Shiro's solution:

ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
new Sha512Hash(password, salt).toBase64();

不需要公共编解码器或其他任何东西.只是 Shiro 罐子.

No need for commons-codec or anything else. Just the Shiro jar.

现在关于 Spring 环境，大多数 Shiro 开发人员使用 Spring 作为他们的主要应用程序环境.这意味着 Shiro 的 Spring 集成非常棒，而且一切都非常好.您可以放心，如果您正在编写 Spring 应用程序，您将获得全面的安全体验.

Now with regards to Spring environments, most of the Shiro developers use Spring as their primary application environment. That means Shiro's Spring integration is superb and it all works exceptionally well. You can rest assured that if you're writing a Spring app, you'll have a well-rounded security experience.

例如，请考虑本主题中另一篇文章中的 Spring XML 配置示例.以下是您在 Shiro 中(基本上)如何做同样的事情:

For example, consider the Spring XML config example in another post in this thread. Here's how you'd do (essentially) the same thing in Shiro:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/home.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
        <value>
        /secure/** = authc
        /** = anon
        </value>
    </property>
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
</bean>

<bean id="myRealm" class="...">
    ...
</bean>

尽管比其他 Spring 示例稍微冗长一些，但 IMO 更易于阅读.

Although slightly more verbose than the other Spring example, it is easier to read IMO.

您还会发现使用 Shiro 的过滤器链定义可能是定义通用过滤器链和基于 Web 的安全规则的最简单方法！比在 web.xml 中定义它们要好得多.

You'll also find using Shiro's filter chain definitions are probably the easiest way to define general filter chains and web-based security rules ever! Much nicer than defining them in web.xml.

最后，Shiro 还提供了极端的可插拔性".您会看到，由于 Shiro 的 POJO/注入友好架构，您几乎可以配置和/或替换任何内容.Shiro 几乎将所有内容都默认为合理的默认值，您可以仅覆盖或配置您需要的内容.

Finally, Shiro offers extreme 'pluggability' as well. You'll see that you can configure and/or replace just about anything because of Shiro's POJO/injection-friendly architecture. Shiro defaults almost everything to sane defaults and you can override or configure only what you need.

归根结底，我认为选择这两个中的任何一个更多地取决于您的心智模型——这两个中哪一个更有意义，对您来说更直观?对于某些人来说，它将是 Shiro，对于其他人来说，它将是 Spring Security.Shiro 在 Spring 环境中工作得很好，所以我会说根据你更喜欢这两个中哪一个对你最有意义来选择.

At the end of the day, I think choosing either of these two is more about your mental model - which of the two make more sense and is more intuitive for you? For some it will be Shiro, for others it will be Spring Security. Shiro works great in Spring environments, so I would say choose based on which of the two you enjoy more and makes the most sense to you.

有关 Shiro 的 Spring 集成的更多信息:http://shiro.apache.org/spring.html

For more on Shiro's Spring integration: http://shiro.apache.org/spring.html

这篇关于Shiro 与 SpringSecurity的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！