Spring Security vs. Apache Shiro

This is a high-level comparison of Spring Security and Apache Shiro, two security frameworks that have Grails plugins available.

Spring Security (a.k.a. ACEGI)
  • access control is role-based: users are granted roles, and roles decide what they may reach
  • to restrict users at a finer-grained level (e.g. per object), use interceptors in your controller
  • LDAP support
  • integration with CAS single-sign-on
  • has a new ACL option for the Grails Plugin
  • somewhat 'heavy-handed'
Example (Using a Grails controller interceptor):
  // Runs before every action except "list". A closure property cannot be referenced
  // from a field initializer (it is still null at that point), so use a method reference.
  def beforeInterceptor = [action: this.&checkViewableSites, except: 'list']

  // 'user' is assumed to be the current authenticated user's domain object, loaded
  // earlier (e.g. from the security service) with a viewableSites association.
  // Returning false halts the request after the 403 has been written.
  private boolean checkViewableSites() {
      def site = Site.get(params.id)          // null when the id is missing or unknown
      if (!site || !user.viewableSites.contains(site)) {
          response.sendError(403)
          return false
      }
      return true
  }

Apache Shiro (a.k.a. JSecurity)
  • has support for permissions out of the box
  • LDAP support with Shiro plugin
  • easy to customize
  • Grails Nimble plugin that allows permissions on three levels: users, groups, and roles
  • Nimble plugin has an easy to use UI component for adding/modifying users and permissions
  • Nimble plugin has support for authentication through Facebook and OpenID out of the box
Example (Using Shiro Permissions):
  • profile:edit:1 - the parts are domain:action:instance, so this grants the edit action on the Profile object with id 1 only
  • profile:*:* - the wildcard matches any value in that part, so this grants every action on every Profile object
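As an added example (not code from this page, the Grails Shiro plugin, or Shiro itself), the following Python reimplements the matching rules of Shiro's WildcardPermission so the meaning of strings such as profile:edit:1 and profile:*:* can be checked offline: parts are colon-separated, each part may list comma-separated alternatives, comparison is case-insensitive (Shiro's default), a shorter granted string implies any deeper one, and a longer granted string implies a shorter one only when the trailing parts are wildcards. The sample permission sets (an "editor" and an "admin") are constructed for the example; in a Grails app the real class is org.apache.shiro.authz.permission.WildcardPermission and the check is SecurityUtils.subject.isPermitted("profile:edit:1").

```python
# Added example: reimplementation of Shiro WildcardPermission.implies() semantics.
# Not Shiro's code; written to show what the permission strings on this page mean.

WILDCARD = "*"


def parse_permission(perm: str) -> list[set[str]]:
    """Split "domain:action:instance" into parts; each part is a set of
    comma-separated alternatives. Case-insensitive, like Shiro's default."""
    parts = []
    for part in perm.strip().split(":"):
        subparts = {s.strip().lower() for s in part.split(",") if s.strip()}
        if not subparts:
            raise ValueError(f"empty part in permission {perm!r}")
        parts.append(subparts)
    return parts


def implies(granted: str, required: str) -> bool:
    """Does the granted permission string cover the required one?"""
    g = parse_permission(granted)
    r = parse_permission(required)
    i = 0
    for required_part in r:
        if i >= len(g):
            # granted is shorter: "profile" or "profile:edit" implies any deeper string
            return True
        part = g[i]
        if WILDCARD not in part and not part >= required_part:
            return False
        i += 1
    # granted has more parts than required: only trailing wildcards may remain
    # ("profile:edit:*" implies "profile:edit", but "profile:edit:1" does not)
    return all(WILDCARD in part for part in g[i:])


def is_permitted(granted_perms, required: str) -> bool:
    """A subject holding several permission strings is permitted if any one implies the requirement."""
    return any(implies(p, required) for p in granted_perms)


if __name__ == "__main__":
    # Constructed sample subjects (not from the page): an editor limited to Profile 1,
    # and an admin holding the full wildcard.
    editor = ["profile:edit:1", "profile:view"]
    admin = ["profile:*:*"]
    for name, subject in (("editor", editor), ("admin", admin)):
        for req in ("profile:edit:1", "profile:edit:2", "profile:delete:1", "profile:view:7"):
            print(f"{name:6} {req:18} -> {is_permitted(subject, req)}")
```

The two rules worth remembering in a Grails app: granting profile:view (two parts) lets the subject view every Profile instance because the missing instance part is implied, and a permission string is only as specific as the parts you spell out, so per-object restriction needs the third part.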