Spring Security is hot right now, but Shiro still has its market. Today I'll give a brief comparison of the two frameworks so that you can pick the security framework that fits your actual project.

Let me start by saying that frameworks are not good or bad in themselves, only more or less suited to the project at hand, and as a young programmer you should not play favorites or refuse to learn one framework because you prefer another.

Only kids have to choose; adults take both!

So what follows is mainly my own experience of the strengths and weaknesses of the two frameworks; if I have missed something, feel free to leave a comment.

1. Spring Security

1.1 Because of SpringBoot

Spring Security is not new. It was originally called Acegi Security, and the name does not mean it had nothing to do with Spring: it provided security support for the Spring framework from the start. In fact, few frameworks in the Java world can exist independently of Spring.

Back when Spring Security was called Acegi Security it worked fine, but it never really caught on, mostly because it was too cumbersome to configure. There was a saying on the Internet at the time: “Every time someone tries to use Acegi Security, a genie dies.” That shows how painful configuring Acegi Security was. To this day, when people talk about Spring Security, they complain about how cumbersome the configuration is.

Things slowly began to change when Acegi Security joined the Spring family and was renamed Spring Security. The new development team worked hard to simplify the configuration, and Spring Security became much simpler than Acegi Security. Still, for the first few years Spring Security was not widely used.

That lasted until the day Spring Boot appeared and turned the Java EE world upside down. Since Spring Boot took off, every product in the Spring family has been carried along with it, and Spring Security is one of the beneficiaries. Since then, Spring Security has risen like a phoenix.

Spring Boot/Spring Cloud is now the mainstream technology stack in Java development, and there is no doubt that for security management in a Spring Boot/Spring Cloud project, Spring Security is by far the most convenient choice.

If you want to protect the endpoints of a Spring Boot application, add the Spring Security dependency and you're done: every endpoint is protected without a single line of configuration.

If that sounds too general, here is a more concrete example.

In a microservices project we might use Eureka as the service registry. By default, Eureka has no security management. To add it, you just add the Spring Security dependency: Eureka is then automatically protected, and once you set a username and password in the application configuration, others can no longer access it casually. When registering a service, all you need to do is change the registration address to http://username:password@localhost:8080/eureka. Security management in Spring Cloud Config works the same way.

If you tried to use Shiro instead of Spring Security in a microservices scenario, the amount of Shiro code could become very large, whereas Spring Security slots easily into the popular Spring Boot/Spring Cloud stack and integrates just as easily with Spring Boot, Spring Cloud, Spring Social, WebSocket, and so on.

So I'd say Spring Security owes a lot of its popularity to the Spring Boot/Spring Cloud boom.

1.2 Is the Configuration Bloated?

“Some people feel that Spring Security is bloated.”

If it's SSM + Spring Security, I think there is some truth to that.

But in a Spring Boot project it is not bloated. Spring Boot's starter auto-configuration has greatly simplified the setup of Spring Security, and we only need a small amount of custom authentication and authorization configuration.
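Here is what that "small amount of custom configuration" looks like for the Eureka case from section 1.1. This is an added example, not code from the article: it assumes Spring Boot 3 / Spring Security 6, the Eureka server starter, Actuator (for the health endpoint) and the credentials set through the standard `spring.security.user.*` properties. The one piece Spring Boot cannot guess for you is CSRF: registering clients POST to `/eureka/**` without a CSRF token, so that path is excluded while the browser-facing dashboard keeps the protection.

```java
// Assumptions (not from the original article): Spring Boot 3 / Spring Security 6
// with spring-cloud-starter-netflix-eureka-server and Actuator on the classpath,
// and these credentials in application.properties:
//   spring.security.user.name=username
//   spring.security.user.password=password
// Clients register against http://username:password@localhost:8080/eureka
// (eureka.client.service-url.defaultZone on the client side).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class EurekaServerSecurityConfig {

    @Bean
    SecurityFilterChain eurekaFilterChain(HttpSecurity http) throws Exception {
        http
            // Authorization: the health probe stays open; everything else
            // (the dashboard and the /eureka/** registry API) needs a login.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Authentication: HTTP Basic is what a client sends when the
            // credentials are embedded in the registration URL.
            .httpBasic(Customizer.withDefaults())
            // Registering clients POST/PUT to /eureka/** without a CSRF token,
            // so CSRF protection is relaxed for those paths only and kept
            // for the browser-facing dashboard.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/eureka/**"));
        return http.build();
    }
}
```

Without the `csrf` line, a client that registers with the correct username and password still gets 403 from the server, which is the most common surprise when adding Spring Security to Eureka.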

“Some people feel that Spring Security is conceptually complex.” That one does seem to be true.

Because of its versatility and its OAuth2 support, Spring Security is heavyweight and not as portable as Shiro.

But if you look at it from a different angle, you may feel differently.

With Spring Security you will learn many security-management concepts, as well as the common attacks. If you are not a web security expert, there are many web attacks and vulnerabilities you may not even be able to imagine; Spring Security enumerates these problems and provides solutions for them.

So I say that learning Spring Security is also learning web security. All kinds of attacks, all kinds of login methods, all kinds of security problems you can or cannot think of: Spring Security covers them and gives us solutions. From this perspective, Spring Security doesn't seem so annoying after all.

1.3 Combining the advantages of microservices

Beyond the advantages of Spring Security described above, Spring officially launched Spring Cloud Security and Spring Cloud OAuth2 for microservices; combined with the distributed nature of microservices, these make it easier to use Spring Security and OAuth2 there. Songo's earlier OAuth2 series was in fact based on Spring Cloud Security.

As you can see, Spring has been working hard to integrate Spring Security more tightly into microservices.

2. Shiro

Now let’s talk about Apache Shiro.

Apache Shiro is an open source security framework that provides authentication, authorization, cryptography, and session management. It is intuitive, easy to use, and provides robust security; although it is not as powerful as Spring Security, it is perfectly usable in regular enterprise applications.

2.1 Origin

Shiro grew out of JSecurity, which was founded in 2004 by Les Hazlewood and Jeremy Haile. They couldn't find a suitable application-level Java security framework and were frustrated with JAAS, so they built their own.

JSecurity was hosted on SourceForge between 2004 and 2008, with contributors including Peter Ledbrook, Alan Ditzel, and Tim Veil.

In 2008, the JSecurity project was contributed to the Apache Software Foundation (ASF) and accepted into the Apache Incubator, where it was guided by mentors with the goal of becoming a top-level Apache project. During this time JSecurity was briefly renamed Ki, and later renamed “Shiro” by the community because of trademark issues. The project then continued to incubate in the Apache Incubator, joined by contributor Kalle Korhonen.

In July 2010 the Shiro community released version 1.0, after which it formed its Project Management Committee and elected Les Hazlewood as chair. On September 22, 2010, Shiro became an Apache Software Foundation Top-Level Project (TLP).

2.2 What can it do

Apache Shiro is a powerful and flexible open source security framework that cleanly handles authentication, authorization, enterprise session management, and cryptography. The primary goal of Apache Shiro is ease of use and understanding. Security can sometimes be complicated, even painful, but it doesn't have to be. The framework should hide as much complexity as possible and expose a clean, intuitive API that minimizes the time developers spend on application security.

Here’s what you can do with Apache Shiro:

  1. Authenticate users to verify their identity
  2. Perform access control on users, for example determining whether a user is assigned a given security role or is allowed to perform some action
  3. Use the Session API in any environment, even without a web container
  4. React to events during authentication, access control, or the session lifecycle
  5. Aggregate one or more data sources of user security data into a single composite user “view”
  6. Single sign-on (SSO)
  7. Enable the “Remember Me” service for users who have not logged in
  8. ...

Apache Shiro is a comprehensive application security framework with many features. The chart below illustrates Shiro's focus:

Shiro has four cornerstones: authentication, authorization, session management, and cryptography.

  1. Authentication: sometimes just called “login”, this is the act of proving who a user is.
  2. Authorization: the process of determining who gets access to what.
  3. Session Management: manages user-specific sessions, even in non-web or EJB applications.
  4. Cryptography: keeps data secure while staying easy to use, through cryptographic algorithms.
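The four cornerstones in one stand-alone program, as an added example that is not from the article or the Shiro project (it assumes Shiro 1.x `shiro-core` on the classpath; the user `alice`, her password and the `user:*` permission are constructed sample data). It runs without a web container or Spring, which is exactly the point made in item 3 above.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.config.Ini;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroCornerstonesDemo {

    // Cryptography: the realm stores a SHA-256 hex digest of the (constructed)
    // sample password; a real deployment would also salt and iterate the hash.
    static IniRealm buildRealm() {
        String storedHash = new Sha256Hash("s3cret").toHex();
        Ini ini = new Ini();
        ini.load("[users]\n"
               + "alice = " + storedHash + ", admin\n"   // password hash, then roles
               + "[roles]\n"
               + "admin = user:*\n");                    // role -> wildcard permission
        IniRealm realm = new IniRealm(ini);
        realm.setCredentialsMatcher(new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME));
        return realm;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(buildRealm()));
        Subject subject = SecurityUtils.getSubject();
        // Authentication: a wrong password is rejected with an exception ...
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        // ... and the right one proves who the caller is.
        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        // Session management: a session exists even outside a servlet container.
        Session session = subject.getSession();
        session.setAttribute("lastAction", "login");
        // Authorization: role check, then permission checks against user:*.
        System.out.println("has role admin:  " + subject.hasRole("admin"));
        System.out.println("may user:delete: " + subject.isPermitted("user:delete"));
        System.out.println("may audit:read:  " + subject.isPermitted("audit:read"));
        subject.logout();  // invalidates the session and drops the principals
    }
}
```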

In addition, Shiro provides extra features for security issues in different environments, in particular:

  1. Web Support: Shiro's web API makes it easy to secure web applications.
  2. Caching: caching is a first-class citizen in Apache Shiro, keeping security operations fast and efficient.
  3. Concurrency: Apache Shiro's concurrency support lets it work in multithreaded applications.
  4. Testing: testing support exists to help you write unit and integration tests.
  5. “Run As”: a feature that lets a user assume the identity of another user (if permitted), sometimes useful for administrative scripts.
  6. “Remember Me”: remembers a user's identity across sessions so that the user only needs to log in when it is mandatory.

2.3 Learning Materials

There isn't much learning material for Shiro, and I haven't seen any relevant books. Zhang Kaitao's “Learn Shiro with Me” is a very good resource that you can search for. You can also reply “2TB” to the public account to get the related video tutorials.

2.4 Advantages and Disadvantages

For now, Shiro's biggest problem is that it is hard to integrate with the Spring family of products. For a long time after Spring Boot launched, Shiro provided no starter. Later there was a shiro-spring-boot-web-starter, but the configuration wasn't much simpler. So Shiro has little advantage in Spring Boot/Spring Cloud microservice projects.

But if yours is a traditional SSM project rather than a microservice project, Shiro is definitely the easiest to use, because it is simple and lightweight enough.

3. How to choose

When developing at a company, choosing between these two still means weighing a lot of things.

First, for Spring Boot/Spring Cloud based microservice projects, Spring Security is undoubtedly the most convenient.

For an ordinary SSM project, Shiro is basically enough.

Also, when choosing the technology stack, we should consider the skills of the engineers on the team. If the engineers are better at Shiro, then Shiro is undoubtedly the right choice. After all, asking engineers to learn a new technology may slow the project down and may also bury many unknown land mines in it.

As for us personally: only kids have to choose, adults take both.

Three small favors ❤️

If you find this article helpful, I'd like to ask you for three small favors:

  1. Like and share; your “likes and comments” are what motivates me to keep writing.

  2. Follow the public account “Java rotten pigskin”, which shares original content from time to time.

  3. Look forward to the follow-up articles 🚀

  4. [666] Scan the QR code to get the learning materials package.