Question for Eugen:On Spring Security Vs Shiro

meenakshi sundar
Ranch Hand
Hi Eugen,

In one of our applications, we have security built with a typical homegrown mechanism with LDAP. We thought it is time to migrate to a more mature framework; currently we are exploring other Java-based security frameworks. Spring is definitely on the list, and for me it seemed that Spring Security would be the right choice, but Spring Security seems to suffer from excessive complexity; it certainly does not seem like it is making security easier to implement.

On the other hand, one of our architects came out with a different suggestion altogether. He says Shiro seems to be much more coherent and easier to understand.
What would be your advice?

Thanks
Sundar

Eugen Paraschiv
Rest with Spring Software Support
Hey Sundar,
First - let me link you to a question I answered yesterday, for a few notes on Spring Security vs other frameworks.
Now - let's look at complexity.
The way I look at complexity is - always in the scope of what I'm trying to do.
Let me unpack that. Complexity that hinders you getting your scenario implemented is bad. Complexity that gets out of the way and is only there if you need it - that's not necessarily bad.
So, if the design of the framework is done intelligently - then you should be able to implement simple scenarios without a lot of complexity, and only go into more complex, low level things if you have very custom, non-standard needs.
And in the case of Spring Security, that's mostly the case.
Hope that helps.
Cheers,
Eugen.
meenakshi sundar
Ranch Hand
Agreed Eugen.

Complexity comes with the cost of readability and maintenance. Are there any best practices you are discussing in your lessons, like the cost of over-simplification or over-complication in implementing security? More particularly, using Spring.
Eugen Paraschiv
Rest with Spring Software Support
The material is structured - broadly speaking - from simple to complex.
The best practice that I'd say applies here is - always keep things as simple as you can, while not compromising on the security of your system.
So - yes, I always keep simplicity in mind when I'm creating these lessons - that's why, if you have a look at the Master Class, you'll find the most complex scenarios there.
Hope that helps. Cheers,
Eugen.
meenakshi sundar
Ranch Hand
Thanks Eugen,

In your experience, have you seen or come across scenarios with inefficient ways of implementing security using Java ecosystem tools/techniques?
If yes, what are they, and what would be the no-brainer checklist to go about tackling that?
Eugen Paraschiv
Rest with Spring Software Support
That's a very interesting question.
I did have several client engagements where the Spring Security config was sub-par.
The most common ones are simply older implementations that did the best they could do at the time, but didn't take advantage of the many new simplifications and improvements in the framework.
Things like manual LDAP integrations, manual protections against various types of attacks that are now supported out of the box, lots of custom filters, verbose XML configs - and many others.
It's hard to really put a clear list together - just because there's a lot of variety in these sub-optimal scenarios.
My suggestion for approaching the framework in a good way is simply digging deeper into how things work, debugging through scenarios, and plain experience.
Hope that helps. Cheers,
Eugen.
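As an added illustration of what "supported out of the box" looks like in practice (this is example code written for this thread, not code from Eugen's course or from any project mentioned here): a single Java-config class that replaces a homegrown LDAP bind, hand-written anti-CSRF and header filters, and verbose XML with the framework's own LDAP authentication, CSRF protection, security headers and session-fixation handling. It assumes Spring Security 5.x with `spring-security-ldap` on the classpath and the `WebSecurityConfigurerAdapter` style (removed in Spring Security 6); the LDAP URL and DN patterns are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example (not from the thread): one Java config covering what older
 * setups often did by hand (LDAP bind code, custom CSRF/header filters, XML).
 * Assumes Spring Security 5.x; LDAP URL and DNs below are placeholders.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Framework-provided LDAP authentication instead of a homegrown bind.
        auth.ldapAuthentication()
                .userDnPatterns("uid={0},ou=people")   // placeholder DN pattern
                .groupSearchBase("ou=groups")           // placeholder group base
                .contextSource()
                    .url("ldap://ldap.example.invalid:389/dc=example,dc=com") // placeholder
                    .and()
                .passwordCompare()
                    .passwordEncoder(new BCryptPasswordEncoder()) // hashed attribute compare
                    .passwordAttribute("userPassword");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()            // built-in login page and authentication filter
                .and()
            .csrf()                 // enabled by default; listed so it is not disabled by accident
                .and()
            .headers()              // built-in X-Frame-Options, nosniff, cache-control, HSTS
                .frameOptions().deny()
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession(); // new session id after login
    }
}
```

Each block replaces a category Eugen lists: the LDAP section removes custom directory code, and the `csrf()`, `headers()` and `sessionManagement()` sections are the protections that older deployments tend to re-implement as custom filters.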
meenakshi sundar
Ranch Hand
Yes, I have seen that happening a lot in my organizations earlier.
When it comes to management decision making, there are two important things that always pop up: the ROI (Return on Investment) and the TCO (Total Cost of Ownership).
Things have changed a lot now, especially with the ever-increasing security threats.
In a broader sense, not particular to Spring Security, what is your take on that? I am sure security is deemed an important aspect.
Are there any correlations between implementing security vs cost benefit?
Eugen Paraschiv
Rest with Spring Software Support
That's my experience as well - these kinds of security concerns usually need to start top down. And the huge volume of compromised systems in the last few years has definitely made it clear that security is a major priority.
Now, it's hard to put a number on the value of a solid security implementation vs the risk of not having it. The risk of a compromised system is basically going out of business (like so many of these compromised companies do) - so the priority of getting to this solid security implementation is usually quite high.

Cheers,
Eugen.