+1 to keeping WIAB lightweight. WIAB is intended as a reference implementation after all.
Also keep in mind that many Java Web frameworks only provide the illusion of security, and are vulnerable to a large number of ingenious attack vectors due to their high level of complexity. It only takes a very small hole to allow remote code execution. I've seen some pretty novel tricks against many of them (including Spring). I'm not familiar with Shiro though. I'm not suggesting that WIAB's security is bulletproof; I'm only pointing out that alternative security frameworks are not, so the often significant increase in complexity and inertia they would bring must be considered against that.

-Dave

On Wed, Jun 8, 2011 at 2:38 AM, Thomas Broyer <[email protected]> wrote:
> On Tue, Jun 7, 2011 at 1:53 PM, Nelson Silva <[email protected]> wrote:
> > I need a SSO solution to integrate a Tomcat/JBoss app with WIAB (which
> > currently relies on Jetty mainly because of WebSocket support).
> >
> > I've seen people asking for LDAP support and perhaps, instead of focusing on
> > a single authentication/authorization solution it would be best to just
> > integrate something like Apache Shiro or Spring Security.
> >
> > I would really like to go with Apache Shiro, being an Apache project and
> > all, but I feel that Spring Security is more mature.
> >
> > Any ideas/opinions on this subject?
>
> I'm a strong believer that authentication is an orthogonal concern,
> and should be handled at the servlet-container level (with things like
> JASPI when available, or Tomcat valves and Jetty's own authenticators
> otherwise), so I'd rather oppose a move to either Shiro or Spring
> Security (and Spring Security at least, like most "Spring" things, is
> really heavyweight!).
