I'm learning about Apache Shiro, so I decided to see how hard it would be to replace Spring Security in Roller with Shiro. It was a little painful, but I eventually got it working. Shiro seems a lot easier to deal with, and it allowed me to completely remove all Spring dependencies from my fork of Roller.

You can see my DIFFs here:
https://github.com/snoopdave/rollarcus/compare/shiro_not_spring?expand=1

And the shiro.ini config file is here:
https://github.com/snoopdave/rollarcus/blob/shiro_not_spring/app/src/main/resources/shiro.ini

Most of the changes are removal of Spring-specific code. However, my branch does not support LDAP or OpenID yet, so I would expect that some Shiro-specific code would have to be added to enable those things.

I'm not convinced that Roller should switch to Shiro, but this is some food for thought...

- Dave