All -

This discussion topic is actually from Kevin and we decided that it should
be restarted on the public list.

Community insight is important for these sorts of discussions.

The basic question being raised is: should we be using Shiro more
fundamentally as our SPI model for various security capabilities?  The path
I set us on initially was to use Shiro only for authentication.  At the
time I didn't want to deal with LDAP-based authentication and wasn't
thinking much beyond that.  I tried both Shiro and Spring Security for this
and liked Shiro better.

Anyway, there are two basic camps:

*"Shiro already supports that so why reinvent the wheel"*
It looks like Shiro has SPIs for most of the major security concerns:
authentication, authorization, group/principal mapping, authentication
optimization (e.g. session and encrypted cookies).

*"With filters customers can bring their own filter and mix and match"*
Customers seem to really like the story about being able to use their own
filters.  Let's say some customer has a SiteMinder filter that they want to
use in Knox for authentication.  If they plug that into Knox for ATN
instead of Shiro, any other functionality (e.g. ATZ) that Shiro would
have provided will be lost.  If Knox had an ATZ filter instead of using
Shiro this wouldn't be the case.

I'm looking forward to the discussion.

--larry doAs(kevin)
