我也同意 Spring Security 感觉太复杂(对我来说)。当然,他们已经做了一些事情来降低复杂性,比如创建自定义 XML 命名空间来减少 XML 配置的数量,但对我来说,这些并没有解决我个人与 Spring Security 相关的基本问题:它的名称和一般来说,概念对我来说常常令人困惑。仅仅“得到它”是很难的。
归根结底,我认为选择这两者中的任何一个更多的是关于你的心理模型——这两者中哪一个对你来说更有意义、更直观?对于某些人来说,它会是 Shiro,对于其他人来说,它会是 Spring Security。 Shiro 在 Spring 环境中工作得很好,所以我想说根据您更喜欢这两个环境中的哪一个来选择,并且对您来说最有意义。
I too agree that Spring Security feels too complicated (to me). Sure, they have done things to reduce complexity, like creating custom XML namespaces to reduce the quantity of XML configuration, but for me, these don't address my personal fundamental issue with Spring Security: its names and concepts are often confusing in general to me. It's hard to just 'get it'.
The second you start using Shiro though, you just 'get it'. What was hard to understand in the security world is just that much easier to understand. Things that are unbearably difficult to use in the JDK (e.g. Ciphers) are simplified to a level that is not just bearable, but often a joy to use.
For example, how do you hash+salt a password and base64 encode it in Java or Spring Security? Neither are as simple and intuitive as Shiro's solution:
ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
new Sha512Hash(password, salt).toBase64();
No need for commons-codec or anything else. Just the Shiro jar.
Now with regards to Spring environments, most of the Shiro developers use Spring as their primary application environment. That means Shiro's Spring integration is superb and it all works exceptionally well. You can rest assured that if you're writing a Spring app, you'll have a well-rounded security experience.
For example, consider the Spring XML config example in another post in this thread. Here's how you'd do (essentially) the same thing in Shiro:
Although slightly more verbose than the other Spring example, it is easier to read IMO.
You'll also find using Shiro's filter chain definitions are probably the easiest way to define general filter chains and web-based security rules ever! Much nicer than defining them in web.xml.
Finally, Shiro offers extreme 'pluggability' as well. You'll see that you can configure and/or replace just about anything because of Shiro's POJO/injection-friendly architecture. Shiro defaults almost everything to sane defaults and you can override or configure only what you need.
At the end of the day, I think choosing either of these two is more about your mental model - which of the two make more sense and is more intuitive for you? For some it will be Shiro, for others it will be Spring Security. Shiro works great in Spring environments, so I would say choose based on which of the two you enjoy more and makes the most sense to you.
Spring Security 3.x 的优点在于它的可配置性极高,这导致了主要缺点之一:太复杂而难以理解。该文档也不容易阅读,因为我只部分熟悉 Spring Security 使用的一些术语。但是,如果您需要创建自定义配置或控制您希望安全性的粒度,则可以使用这些选项。否则,你可以坚持上面的< 30行执行基于角色的安全检查。
我真正喜欢 Spring Security 的一点是,一旦设置完毕,安全性就会无缝集成到项目中。就好像实际的项目代码不知道安全性的存在......这很好,因为它允许我将来轻松地分离或升级安全组件(例如:将数据库身份验证更改为 LDAP/CAS授权)。
I don't have experience using Shiro, and I "partly" agree with what you said about Spring Security. Prior to Spring Security 3.x, Spring Security (or Acegi) was very painful to set up. A simple role-based configuration will take at least 140 lines of cryptic XML configuration... I know this because I actually counted the lines myself. It was something where you set up one time, and you pray that it will work forever without you touching the configuration again, because you can assure you have forgotten what all the configuration means. :)
With Spring Security 3.x, it has tremendously improved upon. It introduces security namespace that drastically shorten the configuration from 140 lines to ~30 lines. Here's an example of Spring Security 3.x of one of my projects:-
The beauty of Spring Security 3.x is it is extremely configurable, which contributes to one of the main cons: too complicated to understand. The documentation isn't easy to read either because I'm only partially familiar with the some of the terms Spring Security used. However, the options are there if you need to create your custom configuration or control how granular you want your security to be. Or else, you can stick with the above < 30 lines to perform a role-based security check.
What I really like about Spring Security is once it is set up the security is integrated into the project seamlessly. It is as if the actual project code doesn't know the existence of the security... and that is good, because it allows me to easily detach or upgrade the security component in the future (ex: change database auth to LDAP/CAS auth).
我已经使用 Spring Security(版本 3.1)几个月了,并且对它非常满意。它真的很强大,并且有一些非常好的功能,特别是像我之前那样手动实现所有内容之后!就像我在某处读到的那样,您在应用程序开发开始时设置了一次,然后祈祷它能够继续工作直到最后,因为如果您必须去修复它,您就会可能已经忘记了您必须参数化的大部分内容。
但随后出现了一个新项目,其安全要求更加复杂。简而言之,我们必须在几个相关的 Web 应用程序之间实现某种自定义 SSO。
我确切地知道我想要在 HTTP 逻辑、cookie、会话 ID 等方面实现什么,以及应该以什么顺序发生什么,但我花了一天的大部分时间与 Spring Security API 作斗争,但仍然无法弄清楚准确地指出我应该实现或重写哪些类或接口,以及如何将它们插入上下文中。整个 API 感觉非常复杂,有时有点深奥。虽然该文档非常适合一般用例甚至一些定制,但它的深度不足以满足我的需求。
我很高兴我做到了,因为经过一天的工作,我成功地了解了足够的 API 知识,不仅可以毫无困难地在我的 Spring Web 应用程序中设置基本的身份验证和授权系统,而且还可以实现我想要的自定义 SSO 行为。寻找。我只需要扩展 2 或 3 个类,整个过程在我的 spring 上下文中只需要大约 25 行 XML 配置。
I had been using Spring Security (version 3.1) for a few months and was quite happy with it. It is really powerful and has some very nice feature, especially after implementing everything by hand as I did before ! It was though, like I read somewhere, sort of something that you set up once near the beginning of the develoepment of the app, and then pray for it to keep working till the end, because if you have to go fix it you'll probably have forgotten most of the stuff you had to parameter.
But then a new project came along, with more complex security requirements. In short, we had to implement some sort of custom SSO between a couple of related webapps.
I knew exactly what I wanted to achieve in terms of HTTP logic, cookies, session id's and stuff, and what should happen in what order, but I spent the better part of a day struggling with the Spring Security APIs, and still could not figure out exactly what class or interface I shoud implement or override, and how to plug them in the context. The whole API felt really complex and a bit esoteric at times. And while the doc is quite good for the general use cases and even some customization, it did not go deep enough to cover my needs.
After reading the answers here and on some other places on the web, I got the impression that Shiro would be easier to understand and customize to my needs. So I gave it a try.
And I am glad I did, because after a day working on it I managed to learn enough about the APIs not only to set up a basic authentication and authorization system in my Spring webapp without trouble, but also to implement the custom SSO behaviour I was looking for. I only had to extend 2 or 3 classes, and the whole thing took only about 25 lines of XML config in my spring context.
So as a conclusion, on the ease of use and learning curve aspects, Shiro is really quite likeable, and I think I will probably go with it in the future, unless I encounter some features lacking or some other problem (which I haven't so far).
TL;DR: Both are powerful, but Shiro is much easier to learn.
发布评论
评论(3)
我也同意 Spring Security 感觉太复杂(对我来说)。当然,他们已经做了一些事情来降低复杂性,比如创建自定义 XML 命名空间来减少 XML 配置的数量,但对我来说,这些并没有解决我个人与 Spring Security 相关的基本问题:它的名称和一般来说,概念对我来说常常令人困惑。仅仅“得到它”是很难的。
不过,当你开始使用 Shiro 的那一刻,你就“明白了”。在安全领域中难以理解的事情变得更容易理解。 JDK 中难以使用的东西(例如密码)被简化到不仅可以忍受,而且通常使用起来很有趣的程度。
例如,如何在 Java 或 Spring Security 中对密码进行 hash+salt 加密并进行 base64 编码?两者都不像 Shiro 的解决方案那么简单直观:
不需要 commons-codec 或其他任何东西。只是四郎罐子。
现在就Spring环境而言,大多数Shiro开发人员都使用Spring作为他们的主要应用环境。这意味着 Shiro 的 Spring 集成非常出色,并且运行得非常好。您可以放心,如果您正在编写 Spring 应用程序,您将获得全面的安全体验。
例如,请考虑本线程另一篇文章中的 Spring XML 配置示例。下面是你在 Shiro 中(本质上)做同样事情的方法:
虽然比其他 Spring 示例稍微冗长,但在我看来更容易阅读。
您还会发现使用 Shiro 的过滤器链定义可能是定义通用过滤器链和基于 Web 的安全规则的最简单方法!比在 web.xml 中定义它们要好得多。
最后,Shiro 还提供了极高的“可插拔性”。您会发现,由于 Shiro 的 POJO/注入友好架构,您可以配置和/或替换几乎任何内容。 Shiro 将几乎所有内容默认为合理的默认值,您可以仅覆盖或配置您需要的内容。
归根结底,我认为选择这两者中的任何一个更多的是关于你的心理模型——这两者中哪一个对你来说更有意义、更直观?对于某些人来说,它会是 Shiro,对于其他人来说,它会是 Spring Security。 Shiro 在 Spring 环境中工作得很好,所以我想说根据您更喜欢这两个环境中的哪一个来选择,并且对您来说最有意义。
有关 Shiro 的 Spring 集成的更多信息:http://shiro.apache.org/spring.html
I too agree that Spring Security feels too complicated (to me). Sure, they have done things to reduce complexity, like creating custom XML namespaces to reduce the quantity of XML configuration, but for me, these don't address my personal fundamental issue with Spring Security: its names and concepts are often confusing in general to me. It's hard to just 'get it'.
The second you start using Shiro though, you just 'get it'. What was hard to understand in the security world is just that much easier to understand. Things that are unbearably difficult to use in the JDK (e.g. Ciphers) are simplified to a level that is not just bearable, but often a joy to use.
For example, how do you hash+salt a password and base64 encode it in Java or Spring Security? Neither are as simple and intuitive as Shiro's solution:
No need for commons-codec or anything else. Just the Shiro jar.
Now with regards to Spring environments, most of the Shiro developers use Spring as their primary application environment. That means Shiro's Spring integration is superb and it all works exceptionally well. You can rest assured that if you're writing a Spring app, you'll have a well-rounded security experience.
For example, consider the Spring XML config example in another post in this thread. Here's how you'd do (essentially) the same thing in Shiro:
Although slightly more verbose than the other Spring example, it is easier to read IMO.
You'll also find using Shiro's filter chain definitions are probably the easiest way to define general filter chains and web-based security rules ever! Much nicer than defining them in web.xml.
Finally, Shiro offers extreme 'pluggability' as well. You'll see that you can configure and/or replace just about anything because of Shiro's POJO/injection-friendly architecture. Shiro defaults almost everything to sane defaults and you can override or configure only what you need.
At the end of the day, I think choosing either of these two is more about your mental model - which of the two make more sense and is more intuitive for you? For some it will be Shiro, for others it will be Spring Security. Shiro works great in Spring environments, so I would say choose based on which of the two you enjoy more and makes the most sense to you.
For more on Shiro's Spring integration: http://shiro.apache.org/spring.html
我没有使用 Shiro 的经验,并且我“部分”同意你所说的 Spring Security。在 Spring Security 3.x 之前,Spring Security(或 Acegi)的设置非常痛苦。一个简单的基于角色的配置将需要至少 140 行神秘的 XML 配置...我知道这一点是因为我自己实际数过这些行。这是你设置了一次的东西,你祈祷它会永远工作,而无需你再次接触配置,因为你可以保证你已经忘记了所有配置的含义。 :)
在 Spring Security 3.x 中,它有了巨大的改进。它引入了 security 命名空间,将配置从 140 行大大缩短到约 30 行。这是我的一个项目的 Spring Security 3.x 的示例:-
Spring Security 3.x 的优点在于它的可配置性极高,这导致了主要缺点之一:太复杂而难以理解。该文档也不容易阅读,因为我只部分熟悉 Spring Security 使用的一些术语。但是,如果您需要创建自定义配置或控制您希望安全性的粒度,则可以使用这些选项。否则,你可以坚持上面的< 30行执行基于角色的安全检查。
我真正喜欢 Spring Security 的一点是,一旦设置完毕,安全性就会无缝集成到项目中。就好像实际的项目代码不知道安全性的存在......这很好,因为它允许我将来轻松地分离或升级安全组件(例如:将数据库身份验证更改为 LDAP/CAS授权)。
I don't have experience using Shiro, and I "partly" agree with what you said about Spring Security. Prior to Spring Security 3.x, Spring Security (or Acegi) was very painful to set up. A simple role-based configuration will take at least 140 lines of cryptic XML configuration... I know this because I actually counted the lines myself. It was something where you set up one time, and you pray that it will work forever without you touching the configuration again, because you can assure you have forgotten what all the configuration means. :)
With Spring Security 3.x, it has tremendously improved upon. It introduces
securitynamespace that drastically shorten the configuration from 140 lines to ~30 lines. Here's an example of Spring Security 3.x of one of my projects:-The beauty of Spring Security 3.x is it is extremely configurable, which contributes to one of the main cons: too complicated to understand. The documentation isn't easy to read either because I'm only partially familiar with the some of the terms Spring Security used. However, the options are there if you need to create your custom configuration or control how granular you want your security to be. Or else, you can stick with the above < 30 lines to perform a role-based security check.
What I really like about Spring Security is once it is set up the security is integrated into the project seamlessly. It is as if the actual project code doesn't know the existence of the security... and that is good, because it allows me to easily detach or upgrade the security component in the future (ex: change database auth to LDAP/CAS auth).
我已经使用 Spring Security(版本 3.1)几个月了,并且对它非常满意。它真的很强大,并且有一些非常好的功能,特别是像我之前那样手动实现所有内容之后!就像我在某处读到的那样,您在应用程序开发开始时设置了一次,然后祈祷它能够继续工作直到最后,因为如果您必须去修复它,您就会可能已经忘记了您必须参数化的大部分内容。
但随后出现了一个新项目,其安全要求更加复杂。简而言之,我们必须在几个相关的 Web 应用程序之间实现某种自定义 SSO。
我确切地知道我想要在 HTTP 逻辑、cookie、会话 ID 等方面实现什么,以及应该以什么顺序发生什么,但我花了一天的大部分时间与 Spring Security API 作斗争,但仍然无法弄清楚准确地指出我应该实现或重写哪些类或接口,以及如何将它们插入上下文中。整个 API 感觉非常复杂,有时有点深奥。虽然该文档非常适合一般用例甚至一些定制,但它的深度不足以满足我的需求。
在阅读了这里和网络上其他地方的答案后,我的印象是 Shiro 会更容易理解并根据我的需求进行定制。所以我尝试了一下。
我很高兴我做到了,因为经过一天的工作,我成功地了解了足够的 API 知识,不仅可以毫无困难地在我的 Spring Web 应用程序中设置基本的身份验证和授权系统,而且还可以实现我想要的自定义 SSO 行为。寻找。我只需要扩展 2 或 3 个类,整个过程在我的 spring 上下文中只需要大约 25 行 XML 配置。
所以作为一个结论,在易用性和学习曲线方面,Shiro 确实很讨人喜欢,我想我将来可能会使用它,除非我遇到一些功能缺失或其他问题(我没有遇到过)迄今为止)。
TL;DR:两者都很强大,但 Shiro 更容易学习。
I had been using Spring Security (version 3.1) for a few months and was quite happy with it. It is really powerful and has some very nice feature, especially after implementing everything by hand as I did before ! It was though, like I read somewhere, sort of something that you set up once near the beginning of the develoepment of the app, and then pray for it to keep working till the end, because if you have to go fix it you'll probably have forgotten most of the stuff you had to parameter.
But then a new project came along, with more complex security requirements. In short, we had to implement some sort of custom SSO between a couple of related webapps.
I knew exactly what I wanted to achieve in terms of HTTP logic, cookies, session id's and stuff, and what should happen in what order, but I spent the better part of a day struggling with the Spring Security APIs, and still could not figure out exactly what class or interface I shoud implement or override, and how to plug them in the context. The whole API felt really complex and a bit esoteric at times. And while the doc is quite good for the general use cases and even some customization, it did not go deep enough to cover my needs.
After reading the answers here and on some other places on the web, I got the impression that Shiro would be easier to understand and customize to my needs. So I gave it a try.
And I am glad I did, because after a day working on it I managed to learn enough about the APIs not only to set up a basic authentication and authorization system in my Spring webapp without trouble, but also to implement the custom SSO behaviour I was looking for. I only had to extend 2 or 3 classes, and the whole thing took only about 25 lines of XML config in my spring context.
So as a conclusion, on the ease of use and learning curve aspects, Shiro is really quite likeable, and I think I will probably go with it in the future, unless I encounter some features lacking or some other problem (which I haven't so far).
TL;DR: Both are powerful, but Shiro is much easier to learn.