I have recently had to evaluate both shiro and spring security. We went with spring security (in fact we extended spring security to use the shiro permission strings in a better way - with instance variables on annoations).

我最近不得不评估 shiro 和 spring 安全性。我们使用了 spring security（事实上，我们扩展了 spring security 以更好的方式使用 shiro 权限字符串 - 在注释上使用实例变量）。

Spring Security

春季安全

• under active development.
• has much more community support.
• Spring security has extensions providing support for both Oauthand kerberosand SAML.

• 正在积极发展中。
• 有更多的社区支持。
• Spring security 有扩展提供对Oauth和kerberos和SAML 的支持。

Shiro

四郎

• Does not support saml or Oauth.
• Makes no mention of supporting before and after security policies.
• Active development seems limited, the website still contains erroneous information.

• 不支持 saml 或 Oauth。
• 没有提到在安全策略之前和之后的支持。
• 积极发展似乎有限，网站仍然 包含错误信息。

Many of the Shiro developers use Spring for their applications, so Shiro works beautifully in Spring environments. The general feedback we've received thus far is that Shiro is also far easier to understand (for most people) than Spring Security.

许多 Shiro 开发人员在他们的应用程序中使用 Spring，因此 Shiro 在 Spring 环境中工作得很好。到目前为止，我们收到的一般反馈是 Shiro 也比 Spring Security 更容易理解（对大多数人而言）。

If you want full Session clustering support across any web container however, only Shiro will support this easily. Shiro's crypto is also very simple/easy to use.

但是，如果您想要跨任何 Web 容器的完整会话集群支持，只有 Shiro 会轻松支持。Shiro 的加密也非常简单/易于使用。

Choose which fits your mental model best - both will work great in Spring environments.

选择最适合你的心智模型的——两者都将在 Spring 环境中工作得很好。

I have evaluated both Shiro and Spring security. The main advantage that people claim about Shiro is simplicity, but I believe that Spring Security (3.0) is not crazy complicated. It took me almost the same amount of lines of configuration to set up. Also Spring Security is much better documented than Shiro. But the main issue with Shiro it is that it doesn't support OAuth or Digest Authetication (they are planning to include it in the future https://issues.apache.org/jira/browse/SHIRO-20). My conclusion: Today I would go for spring security.

我已经评估了 Shiro 和 Spring 的安全性。人们声称 Shiro 的主要优点是简单，但我相信 Spring Security (3.0) 并不复杂。我花了几乎相同数量的配置行来设置。Spring Security 的文档也比 Shiro 好得多。但是 Shiro 的主要问题是它不支持 OAuth 或 Digest Authetication（他们计划在未来将其包含在https://issues.apache.org/jira/browse/SHIRO-20 中）。我的结论：今天我要去春季安全。

Shiro is better to use. Its code much simple which provides you flexibility to extend it and provide your custom behaviour wherever needed. It also provides internal cache implementation of Ehcache through which you can replicate session on server clusters. If you are going to design RBAC(Role based access control) system for your application it will provide you flexibility to handle asset level permission and its access control mechanism is much flexible as compared to spring security.

Shiro 更好用。它的代码非常简单，可让您灵活地扩展它并在任何需要的地方提供您的自定义行为。它还提供了 Ehcache 的内部缓存实现，您可以通过它在服务器集群上复制会话。如果您打算为您的应用程序设计 RBAC（基于角色的访问控制）系统，它将为您提供处理资产级别权限的灵活性，并且与 Spring Security 相比，其访问控制机制更加灵活。

Spring Security and Shiro both sets awesome with Spring framework. i have tested both of them . for me spring security was easy to integrate and is totally understandable according to developer points of view. and Shiro is also easy to integrate but for me Spring is more easy to integrate.

Spring Security 和 Shiro 都非常适合 Spring 框架。我已经测试了他们两个。对我来说，spring security 很容易集成，并且根据开发人员的观点是完全可以理解的。并且 Shiro 也很容易集成，但对我来说 Spring 更容易集成。