I've been looking for a Grails lib that will provide login functionality for a website. Seems to be a few tuts out there that are building things from scratch, which doesn't appeal. These two libs seem promising:
I'm inclined towards using the spring libs, but figure there must be a reason Marc Palmer wrote the second. Any thoughts on the above?
On Tue, Apr 17, 2012 at 5:03 PM, Joel Gerard <[hidden email]> wrote:
I've used spring-security on a number of significantly complex webapps and web services in the past, when implementing via a non-grails spring-mvc webapp, so it was a no-brainer for me to use the spring-security-core plugin in my first grails app, too. As a long-time spring-security user, I found the integration to be quite seamless and easy to set up and it has worked without issue - but it is a not-insignificant package of functionality if you aren't already familiar with it - which may make it harder to learn than I experienced when integrating it with my grails app. I see no reason not to recommend it, though, and like pretty much all things spring, it is eminently configurable and extensible if you need to add functionality that isn't available out of the box. A (very) quick scan of the second plugin's documentation doesn't show anything resembling roles - just loggedIn vs notLoggedin, so if you need finer-grained control over access, I'm not sure it's a candidate without extending the existing functionality.
Incidentally, there's a nice spring-security-core tutorial available as a springsource blog entry that predates the most recent version of the plugin but does a nice job of mentioning differences between old and new via sidebars and otherwise takes you through basic setup in a matter of minutes. The full documentation of the plugin is also quite comprehensive.
I put together a screencast that covers getting started with the Spring-Security-Core plugin (and resources plugin) with Grails 2.0 if you decide to go that path.
There also is the Shiro plugin (http://grails.org/plugin/shiro) which is a good alternative if you decide you don't want to use Spring Security for some reason.
Hope that helps!
I recently switched from shiro to spring-security. Shiro is great for simple use cases, but the simplicity breaks down when you start talking about ACLs, advanced administration of users, or integrating with other auth sources (in my experience).
Even if you think you might have to worry about these use cases in the future, I would still recommend giving Shiro a try because of its simplicity.
On Tue, Apr 17, 2012 at 8:27 PM, bobbywarner <[hidden email]> wrote:
I put together a screencast that covers getting started with the
I differ with your statement "Shiro is great for simple use cases, but the simplicity breaks down when you start talking about ACLs, advanced administration of users, or integrating with other auth sources (in my experience)". Please read below or check this discussion http://grails.1312388.n4.nabble.com/Security-plugins-td4275329.html
Shiro is most definitely used in very large enterprise installations. In fact, Shiro is likely to be _better_ suited for many Enterprise environments for a few reasons:
- Shiro was built from the ground up to work in _any_ JVM environment - with or without Spring (although it excels in Spring apps because most of the Shiro devs use Spring and/or Grails). In real enterprise environments, the deployment technology changes enough - JEE, Spring, various MVC frameworks, ESBs, maybe some newer stuff like Groovy or Scala with Akka. Shiro was built to work in _any_ of these environments, even if Spring wasn't being used. Because of this heterogeneous nature, Shiro can be used anywhere in the enterprise where the JVM is used - not just where Spring might exist. This has lasting/enduring appeal for enterprises.
- Because of Shiro's native enterprise session support, which can enable large scale session clustering independent of any servlet container, larger enterprise apps that need native/distributed session clustering get this in a very easy manner. (Deploy to Jetty in testing, Tomcat or JBoss in production - all without having to change your session clustering setup). Spring does not address this feature at all IIUC.
- Shiro claims a wider breadth of features in that it does not stop at authentication and authorization - it also simplifies cryptography/data protection in addition to enterprise session management. Spring Security does not address this either that I'm aware of.
Because of its wider scope, Shiro is often a better choice for an enterprise because of the quantity of use cases it supports. Spring Security may reach deeper in some areas, but that gap is being eliminated quite quickly.
Finally, to lend credence to its 'enterpriseyness', Shiro is used in quite a few U.S. government and military projects, Wall Street investment banks, major U.S. airlines, ecommerce sites, travel booking sites, and at least one of the major social networks and many many more small to mid-size projects. To be sure, all of these need very high levels of security, and a solution that scales extremely well, and Shiro fits the bill wonderfully.
At the end of the day, both frameworks are suitable and you'll find great support in either community with commercial support options for both should you need it. So I'd say choose based on your mental model: which of the two APIs makes more sense to you? Which of the two addresses your specific needs best?
Apache Shiro PMC Chair
CTO, Katasoft | http://www.katasoft.com
On 18 Apr 2012, at 01:03, Joel Gerard wrote:
> I've been looking for a Grails lib that will provide login functionality for a website. Seems to be a few tuts out there that are building things from scratch, which doesn't appeal. These two libs seem promising:
> • http://grails.org/plugin/spring-security-core
> • http://grails.org/plugin/authentication
> I'm inclined towards using the spring libs, but figure there must be a reason Marc Palmer wrote the second. Any thoughts on the above?
I wrote Authentication because I wanted something much simpler than Spring and dependency-free.
If that is what you need, it may work for you. It is pretty old now but it should still work fine. We have it in use still at noticelocal.com.
There's also Shiro.
The decision has to be made on what kind of authentication and authorisation you need. If you will need more complex stuff like multiple auth providers, OAuth etc then you will need to look at a heavyweight option.
~ ~ ~
I offer commercial support for Grails plugins from as low as $50/mo.
For details see: http://grailsrocks.com
Blog: http://www.anyware.co.uk | Resumé: http://www.anyware.co.uk/marc
Contributor @ http://grails.org | Founder @ http://noticelocal.com
Developer @ http://weceem.org | Member @ http://spottymushroom.com
That's great feedback. Thanks everybody.
On Wed, Apr 18, 2012 at 2:44 AM, Marc Palmer <[hidden email]> wrote: