Spring security vs Apache Shiro [duplicate]
What I have researched so far most people are saying Apache Shiro is easy to use and easy to integrate with CAS (for SSO etc). Just to ask if anyone has experience using both of them and which one to use and why one is better than other?
Solution 1:
Many of the Shiro developers use Spring for their applications, so Shiro works beautifully in Spring environments. The general feedback we've received thus far is that Shiro is also far easier to understand (for most people) than Spring Security.
If you want full Session clustering support across any web container however, only Shiro will support this easily. Shiro's crypto is also very simple/easy to use.
Choose which fits your mental model best - both will work great in Spring environments.
Solution 2:
I have recently had to evaluate both shiro and spring security. We went with spring security (in fact we extended spring security to use the shiro permission strings in a better way - with instance variables on annoations).
Spring Security
- under active development.
- has much more community support.
- Spring security has extensions providing support for both Oauth and kerberos and SAML.
Shiro
- Does not support saml or Oauth.
- Makes no mention of supporting before and after security policies.
- Active development seems limited, the website still contains erroneous information.