JAAS or Spring Security in page control

12

I'm doing a project in Eclipse with JSF 2.2, JPA 2.1, Hibernate 5, Primefaces 5.3, CDI (weld 1.1).

I want to implement the security part of the application and I am in doubt between JAAS and Spring Security.

The template below corresponds to what I want to do:

The registration of pages will be fixed in the database, but the registration of profiles and people will be dynamic, i.e., I will be able to register several access profiles (with several pages) and link them to people.

My questions are:

  • What best fits my model, JAAS or Spring Security? Or would it be better to do this (Filter)?
  • Both JAAS and Spring Security work with roles; are these roles always fixed in the system? To have control over each page, would I have to have one role per page?
  • Do you have an example to tell me?
    asked by anonymous 01.12.2015 / 14:30

    2 answers

    2

    I opted for Spring Security in my applications because it is a consolidated framework and I have no pretensions to reinvent the wheel. Some reasons:

  • Highly editable, that is, if I want, I can reset all authentication parameters and classes;
  • If I want to implement OAuth 2.0, Spring makes it easier to implement than if I were to do it manually;
  • It is open source and the community is very active;
  • Works with roles both in the database, using technologies like JPA, and in memory;
  • It has XSS and CSRF prevention, things that nobody cares about, and other things I did not care about, but a malicious person will certainly use them;
  • Accepts annotations and XML, giving the option to the programmer;
  • It is very well regarded in the security of Java applications;
  • Spring, not just the security module, is always one step ahead of programming flexibility;
  • If you use Spring Boot your application development becomes almost magical because it joins Spring's best in a single project;
  • If you want to expand your application, it will certainly meet your need;
  • Security can be in various places, e.g. in the JPA function that registers something, in the controller or in the page itself, giving flexibility without giving up security.
  • There are other reasons, but over time you will notice that it is the best choice these days.

    If you choose not to use Spring Security, I do not recommend trying to reinvent the wheel, especially in the security area, unless you have a pentester to analyze and test your security implementation. In any case, avoid the headache and use a framework specialized in this that has an active community where you can ask questions.

    I recommend visiting the site and analyzing the projects in particular Spring Boot and Security.

    Link to Spring

        
    12.06.2016 / 01:33
    1

    At the company where I currently work, we do the security validations by hand, so we are not bound by any API limitation. We mapped routines that are linked to the profile, or user account, and we verify the routines linked to the user's profile when the user attempts to access a page. We did the routine-page mapping through the pretty id of each page.

        
    12.05.2016 / 21:34
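The Filter option raised in the question, with profile-to-page mappings read from the database on each request, could look like the sketch below. This is an added example, not code from either answer. It assumes the FacesServlet is mapped to `*.xhtml`, that the login code stores the user name in a session attribute called `username`, that page paths are stored as servlet paths, and that `PageAccessService` (a hypothetical CDI bean) resolves a person's profiles to the set of pages they grant.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.faces.application.ResourceHandler;
import javax.inject.Inject;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: deny-by-default page check for dynamic profile -> page mappings.
@WebFilter("*.xhtml")
public class PageAccessFilter implements Filter {

    /** Hypothetical service; a real one would run a JPA query joining person, profile and page. */
    public interface PageAccessService {
        Set<String> pagesAllowedFor(String username);
    }

    // Assumption: the only page that may be opened without a session.
    private static final Set<String> PUBLIC_PAGES = Collections.singleton("/login.xhtml");

    @Inject
    private PageAccessService accessService;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path inside the application, without context path or query string.
        String page = request.getServletPath();
        // JSF serves CSS/JS under /javax.faces.resource/, which also ends in .xhtml here.
        if (PUBLIC_PAGES.contains(page)
                || page.startsWith(ResourceHandler.RESOURCE_IDENTIFIER + "/")) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String username = session == null ? null : (String) session.getAttribute("username");
        if (username == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return;
        }
        // Looked up per request, so a profile change applies on the next request.
        // Any page not explicitly granted is refused.
        if (!accessService.pagesAllowedFor(username).contains(page)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```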