Java Web 应用程序的认证和授权框架
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3351127/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Authentication and Authorization Framework for Java Web-Application
提问by Sven
I am programming a Web-Application with Java EE, JSF and Hibernate. I do not use Spring or EJB! Now I am at the point where to implement authentication and authorization. I need to access an Active Directory or LDAP. And I want to implement my own roles, that are not retrieved from the AD/LDAP.
我正在使用 Java EE、JSF 和 Hibernate 编写 Web 应用程序。我不使用 Spring 或 EJB!现在我正在实施身份验证和授权。我需要访问 Active Directory 或 LDAP。我想实现我自己的角色,这些角色不是从 AD/LDAP 中检索到的。
My Question is: What's the easiest way to implement that? Should I use a framework like JAAS/Apache Shiro? And which one is best for my intetions?
我的问题是:实现它的最简单方法是什么?我应该使用像 JAAS/Apache Shiro 这样的框架吗?哪一个最适合我的意图?
About the little role concept: I planned to set up a property-file, where I can configure the roles. I have only few roles, so a big concept is not that necessary?!
关于小角色概念:我计划建立一个属性文件,我可以在其中配置角色。我的角色不多,大概念没必要吧?!
I am very glad of any recommendation or suggestion.
我很高兴有任何推荐或建议。
回答by Les Hazlewood
It is definitely not true that "Spring Security is the single most versatile auth / auth provider there is" - that's just unfounded hype.
“Spring Security 是最通用的身份验证/身份验证提供者”这绝对不是真的——这只是毫无根据的炒作。
Apache Shiro can handle more use cases than Spring Security, if only because SS doesn't support enterprise session management or have simplified cryptography out of the box (Shiro does). Shiro also supports a much finer-grained security model out of the box (e.g. Shiro's WildcardPermission). Shiro also does LDAP and Active Directory. Also note that Shiro was built from day one with architectural foundations to work in any application environment, not just Spring applications (but it excels in Spring apps for sure). The same can not be said of Spring Security (it was indeed built initially for only Spring applications).
Apache Shiro 可以处理比 Spring Security 更多的用例,这仅仅是因为 SS 不支持企业会话管理或开箱即用的简化加密(Shiro 支持)。Shiro 还支持开箱即用的更细粒度的安全模型(例如 Shiro 的 WildcardPermission)。Shiro 还负责 LDAP 和 Active Directory。另请注意,Shiro 从一开始就构建了在任何应用程序环境中工作的架构基础,而不仅仅是 Spring 应用程序(但它肯定在 Spring 应用程序中表现出色)。Spring Security 就不是这样了(它最初确实是为 Spring 应用程序构建的)。
As far as a small number of users and/or roles, you can easily do that in the shiro.ini file. For example:
对于少量用户和/或角色,您可以在shiro.ini 文件中轻松完成。例如:
[main]
...
[users]
jsmith = password, role1
ajones = anotherPassword, role1, role2
[roles]
role1 = perm1, perm2, ..., permN
role2 = permA, permB, ..., permZ
At the end of the day, both Apache Shiro and Spring Security are great frameworks - both stand well on their own merits. Your choice should be based on which one fits your mental model better (which interfaces and class names make more sense? Which is easier for you to understand and use?)
归根结底,Apache Shiro 和 Spring Security 都是很棒的框架——两者都各有千秋。你的选择应该基于哪个更适合你的心智模型(哪些接口和类名更有意义?哪个更容易理解和使用?)
Cheers,
干杯,
Les
莱斯
回答by Sven
回答by Sean Patrick Floyd
Whether you use the spring container for your application or not (you should :-)), Spring Securityis the single most versatile auth / auth provider there is. Here is a brief overview of what it can do.
无论您是否为您的应用程序使用 spring 容器(您应该:-)),Spring Security是最通用的身份验证/身份验证提供程序。下面是它可以做什么的简要概述。
(You can use spring security even if you don't use spring for the rest of your app)
(即使您不为应用程序的其余部分使用 spring,您也可以使用 spring 安全性)
