incubator-shiro-dev mailing list archives

From Grzegorz Borkowski <>
Subject Problematic first steps with JSecurity
Date Fri, 10 Oct 2008 12:58:08 GMT

Hi all,
I'm evaluating Java security libraries at this moment. As a Spring user, I
started with Spring Security, and found it very powerful, but extremely
difficult to understand and follow. I am especially interested in
authorization capabilities which go beyond the standard JEE role-based
approach. I want to be able to declare access rules on a per-object,
per-method, and per-user level. Spring Security allows it with its ACL
package, but it took me several days to figure out how to use it.
Then I found JSecurity. The first impression is very good: it seems much simpler
to use, configure and understand than Spring Security, and possibly
comparable in functionality, and it is not so web-centric, which is
also an advantage. So I wanted to port my test application to JSecurity, but I
got stuck almost at the beginning.
These are my problems - maybe you can help me with at least some of them:

1. On the project page, there is almost no documentation. Only a very simple
quick-start, and some slides. This is too little to start doing anything
real. In Spring Security there is a user manual - not perfect, but it gives
good background to start. Here I have nothing at all.
2. Because of this, I tried to learn something from the sample applications
bundled with the jsecurity distribution. I would expect to see a Maven pom.xml
file in each sample, so that I can open it in Eclipse or NetBeans as
separate projects, analyse them, build and run (I believe especially
community projects should not be tied to any IDE - and a Maven pom.xml file is
the perfect way to provide the necessary metadata to open it in any
IDE). But there is no Maven config in the sample applications. I spent a long
time figuring out how to open those projects, how to build them, etc.
3. After looking at the quickstart, I looked at the web sample. The most
interesting section is the JSecurity filter configuration in web.xml. I looked
at the filter JavaDoc too, but still don't know how it works:
 - in section [filters] you have "jsecurity.loginUrl = /login.jsp" - what is
this "jsecurity.loginUrl"? Where does it come from? In the JSecurityFilter JavaDoc
there is no phrase "jsecurity.loginUrl". Is "jsecurity" the name of the
filter? But still, there is no "loginUrl" property. The [filters] section in
the javadoc does not mention such an option.
 - after building the war and deploying it, the most surprising fact is that
authentication works. How can it be? Nowhere is there a list of
users/passwords specified! How does the system know the names of users, their
passwords and roles???
4. I really like the WildcardPermission concept: specifying a permission with
"newsletter:edit:12,13,18" seems much simpler and more powerful than the Spring
Security solution. But this is only a declaration - how do I really grant such
permissions? How do I bind the "12,13,18" ids to real objects? Is there some
example anywhere? In Spring Security there is a JDBC-based implementation of
ACL, used to store ACLs for objects. There is also the
ObjectIdentityRetrievalStrategy interface for defining the binding between class
instance IDs and ACL IDs. How is it done in JSecurity?

My current impression is that JSecurity is a nice and promising project, but
the complete lack of any documentation gives the impression that it is not used
in any real-world solutions. But I know that it is not true - at least, I
know the Nexus project is based on JSecurity. So I think that if you really want
to make JSecurity popular, you should work on some UserGuide, with a better
introduction for new users. Perhaps I can help you a bit with JSecurity if
I find it useful and promising enough. But it is hard to evaluate a tool
when I'm stuck at the very beginning. Can you help me with it?
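As an added illustration of the wildcard permission semantics asked about in point 4 of the post above, here is a small stand-alone Python model of how a permission string such as `newsletter:edit:12,13,18` is parsed and how one permission implies another, and of one way to derive the permission string required to act on a concrete domain object. This is example code written for this page, not JSecurity's or Shiro's own implementation; the class and function names (`WildcardPermission`, `is_permitted`, `required_permission`, `Newsletter`) are assumptions, and the granted-permission list is constructed sample data.

```python
"""Model of wildcard permission implication (example, not JSecurity's code).

Semantics modelled: parts are separated by ':', alternatives inside a part by
',', '*' matches any value, and a granted permission with fewer parts than the
requested one implicitly covers the missing trailing parts.
"""
from dataclasses import dataclass

WILDCARD = "*"
PART_DIVIDER = ":"
SUBPART_DIVIDER = ","


class WildcardPermission:
    """A permission such as 'newsletter:edit:12,13,18' (hypothetical helper)."""

    def __init__(self, wildcard_string: str, case_sensitive: bool = False):
        text = wildcard_string.strip()
        if not text:
            raise ValueError("wildcard string cannot be empty")
        if not case_sensitive:
            text = text.lower()
        self.parts: list[set[str]] = []
        for part in text.split(PART_DIVIDER):
            subparts = {s.strip() for s in part.split(SUBPART_DIVIDER) if s.strip()}
            if not subparts:
                raise ValueError("wildcard string cannot contain an empty part")
            self.parts.append(subparts)

    def implies(self, other: "WildcardPermission") -> bool:
        """True if every requested part is covered by the granted part."""
        index = 0
        for other_part in other.parts:
            # Granted permission is shorter: the missing trailing parts are
            # treated as wildcards, so 'newsletter:edit' covers 'newsletter:edit:12'.
            if index >= len(self.parts):
                return True
            part = self.parts[index]
            if WILDCARD not in part and not part.issuperset(other_part):
                return False
            index += 1
        # Granted permission is longer: the extra parts must all be '*',
        # so 'newsletter:edit:12' does NOT cover the broader 'newsletter:edit'.
        return all(WILDCARD in part for part in self.parts[index:])


def is_permitted(granted: list[str], requested: str) -> bool:
    """Authorization check: any granted permission implying the request suffices."""
    wanted = WildcardPermission(requested)
    return any(WildcardPermission(g).implies(wanted) for g in granted)


@dataclass(frozen=True)
class Newsletter:
    """Constructed domain object; the instance id is the third permission part."""
    id: int
    title: str


def required_permission(obj: Newsletter, action: str) -> str:
    """Bind a domain object to its permission string (assumed convention)."""
    return f"newsletter:{action}:{obj.id}"


# Constructed sample grants for one user (not data from any real system).
GRANTED = ["newsletter:edit:12,13,18", "newsletter:view:*"]

if __name__ == "__main__":
    weekly = Newsletter(id=13, title="Weekly digest")
    monthly = Newsletter(id=14, title="Monthly report")
    for obj in (weekly, monthly):
        for action in ("view", "edit", "delete"):
            perm = required_permission(obj, action)
            print(f"{perm:<24} -> {is_permitted(GRANTED, perm)}")
```

Running the module prints the decision for each object/action pair; the user may edit newsletter 13 but not 14, may view every newsletter, and may delete none. Because `required_permission` is the only place that knows how an object maps to a permission string, the same function is used both when granting (storing the string) and when checking, which keeps the binding between ids and objects in one spot.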
