Shiro vs. SpringSecurity

Question

I am currently evaluating Java-based security frameworks. I am a Spring 3.0 user, so it seemed that SpringSecurity would be the right choice, but Spring Security seems to suffer from excessive complexity; it certainly does not seem like it is making security easier to implement. Shiro seems to be much more coherent and easier to understand. I am looking for lists of pros and cons between these two frameworks.

Recommended answer

I too agree that Spring Security feels too complicated (to me). Sure, they have done things to reduce complexity, like creating custom XML namespaces to reduce the quantity of XML configuration, but for me, these don't address my personal fundamental issue with Spring Security: its names and concepts are often confusing in general to me. It's hard to just 'get it'.

The second you start using Shiro though, you just 'get it'. What was hard to understand in the security world is just that much easier to understand. Things that are unbearably difficult to use in the JDK (e.g. Ciphers) are simplified to a level that is not just bearable, but often a joy to use.

For example, how do you hash+salt a password and base64 encode it in Java or Spring Security? Neither is as simple and intuitive as Shiro's solution:

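// Random salt from Shiro's SecureRandomNumberGenerator
ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
// Salted SHA-512 digest of the password, Base64-encoded
String hashed = new Sha512Hash(password, salt).toBase64();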

No need for commons-codec or anything else. Just the Shiro jar.

Now with regards to Spring environments, most of the Shiro developers use Spring as their primary application environment. That means Shiro's Spring integration is superb and it all works exceptionally well. You can rest assured that if you're writing a Spring app, you'll have a well-rounded security experience.

For example, consider the Spring XML config example in another post in this thread. Here's how you'd do (essentially) the same thing in Shiro:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/home.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
        <value>
        /secure/** = authc
        /** = anon
        </value>
    </property>
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
</bean>

<bean id="myRealm" class="...">
    ...
</bean>

</beans>

Although slightly more verbose than the other Spring example, it is easier to read IMO.

You'll also find that using Shiro's filter chain definitions is probably the easiest way to define general filter chains and web-based security rules ever! Much nicer than defining them in web.xml.

Finally, Shiro offers extreme 'pluggability' as well. You'll see that you can configure and/or replace just about anything because of Shiro's POJO/injection-friendly architecture. Shiro defaults almost everything to sane defaults and you can override or configure only what you need.

At the end of the day, I think choosing either of these two is more about your mental model - which of the two makes more sense and is more intuitive for you? For some it will be Shiro, for others it will be Spring Security. Shiro works great in Spring environments, so I would say choose based on which of the two you enjoy more and which makes the most sense to you.

For more on Shiro's Spring integration: http://shiro.apache.org/spring.html
