Web Application Security

About a 10 to 20 minute read
I was looking for a Java Security Framework to use for my web applications. Obviously, there's JAAS, but that provides security on the JVM and class level (something not usually needed for a web application) and is therefore overly complex for most use cases. That's when I stumbled on Apache Shiro, which is an open source project that provides security similar to JAAS, yet with a simpler API. Unfortunately, after some experimenting with the framework, I came to the conclusion that it's not well suited for web applications. Despite its claim of simplicity and security, there are a few issues with Apache Shiro:

No CDI injection support. Programming a web application's server-side code in Java EE, you have the benefit of a container-managed environment. The container is responsible for the creation of beans, handling transactions, and closing resources. Since Apache Shiro is not just for web applications, it needs to work outside of a container manag…
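To make the contrast concrete, here is an added example (not code from this post or from the Apache Shiro project) showing a container-managed CDI bean, where the container creates the bean, injects its dependencies and wraps the call in a transaction, next to the static `SecurityUtils.getSubject()` lookup that Shiro requires because it does not participate in CDI. `SecurityUtils`, `Subject`, `isAuthenticated()` and `isPermitted()` are real Shiro APIs; `AccountService`, `AccountRepository`, the `account:close:<id>` permission string and the `ShiroSubjectProducer` workaround are assumptions made for illustration.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.transaction.Transactional;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Hypothetical repository; the container supplies an implementation.
interface AccountRepository {
    void close(String accountId);
}

// Constructed example of a container-managed service. CDI instantiates it,
// injects the repository and (via @Transactional) opens and commits or rolls
// back the transaction; the class never calls "new" or closes resources itself.
@RequestScoped
public class AccountService {

    @Inject
    private AccountRepository accounts;

    // Shiro's Subject is not a CDI bean, so without extra plumbing it has to
    // be fetched through a static lookup inside every method that needs it.
    @Transactional
    public void closeAccount(String accountId) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            throw new SecurityException("caller is not authenticated");
        }
        // Constructed permission convention: "account:close:<accountId>"
        if (!subject.isPermitted("account:close:" + accountId)) {
            throw new SecurityException("caller may not close " + accountId);
        }
        accounts.close(accountId);
    }
}

// Assumed workaround (not shipped by Shiro): a CDI producer that exposes the
// current Subject as a request-scoped bean, so other beans can write
// "@Inject Subject subject" and let the container resolve it. Subject is an
// interface, which lets CDI proxy it for the request scope.
@ApplicationScoped
class ShiroSubjectProducer {

    @Produces
    @RequestScoped
    public Subject currentSubject() {
        return SecurityUtils.getSubject();
    }
}
```

The producer only hides the static call; it does not change Shiro's lifecycle, so the `SecurityManager` still has to be bound to the thread (for example by Shiro's servlet filter) before the producer runs, otherwise `getSubject()` fails at request time.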