shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Les Hazlewood <>
Subject Re: Shiro comparision with Tomcat realms
Date Fri, 09 Nov 2012 17:56:26 GMT
Hi Nag,

Tomcat Realms and Shiro Realms are similar at a high level, but the differ
enough in their implementations that they are not interchangeable.

Shiro was designed from the ground up to be a security framework that works
in any application environment.  Tomcat is a servlet container.  The two
projects have very different core goals, and this is why you see two
different implementations of a similar concept.

Also, Apache projects are managed independently of one another - there is
no guarantee or mandate that requires one project to use another.  Of
course, projects often help each other out with code contributions and
ideas, but this is done as friendly discourse - not something that is

Of course (although we are biased), our recommendation is to use Apache
Shiro for your security needs because it is portable - if you use Tomcat
one day and then decide to use Jetty or Glassfish or anything else another
day, Shiro will still work.  Tomcat Realm concepts are specific to Tomcat
and only Tomcat.


Les Hazlewood | @lhazlewood
CTO, Stormpath | | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award!

On Sat, Nov 3, 2012 at 10:54 PM, chirnag <>wrote:

> My web apps run on Tomcat.
> Now I want to add security features to those.
> I am looking for
> - Authentication
> - Single sign on
> - Authorization
> I am exploring Shiro Vs Tomcat security.
> It looks like Shiro and Tomcat works on similar lines - realms,
> authorization etc.
> Is there any significant difference between the features offered by these
> two solutions? I am further puzzled because both are from Apache.
> Thanks,
> Nag
> --
> View this message in context:
> Sent from the Shiro Developer mailing list archive at

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message