I am developing a reasonably simple yet fairly distributed system that involves including use of EJBs and other agents, which requires both Authentication and Authorization.
The system will be composed initially by Spring + Hibernate + JSF + JBoss, I will be initially using the Spring Security
Is it safe to rely solely on this Framework? What should I avoid or observe to avoid surprises?
Delfino, you want to make sure that by choosing Spring Security for Authentication and Authorization, you will have no problems in the future.
The answer is: o Spring Security can perfectly meet your needs, and it is not necessary for any reason to use JAAS directly. You can trust him.
I've done a lot of research looking for comparisons between Spring Security and JAAS, and I've found that both are excellent in their proposals, Spring, offering an excellent taglib.
Here is a link to the official Spring Security documentation for JSF integration:
As for surprises it's hard to say, as it may depend a lot on the type of application you're building, there are no perfect Frameworks, there can always be improvements, new features, and bugs in every framework. I recommend you take a look at the Issues.
Issues :
I also took a look at the most critical Issues in Spring Security development at a glance:
Tips and Tricks for Spring Security
