I know next-to-nothing about Java's security model, including XML configuration, policy-setting, any security framework components, tools (such as keystore, etc.) and everything in between.

Although I understand it will eventually become essential for me to roll up my sleeves and learn Java security in-depth, I was wondering if using something like Apache Shiro would help ease the transition a bit. As such, I have a few concerns with it.

Is Shiro, essentially, a "turnkey, catchall wrapper" for implementing security in Java applications (and more particularly, web apps). Meaning, can one configure Shiro with their project and essentially tune it do all the same configuration, policy settings, etc. that one would have to do "manually" (piecemeal) without it? If not, what shortcomings does Shiro have (what are some big things Shiro can't do for me that are vital)? Are there any large vulnerabilities that Shiro doesn't address at all?

Along the same lines, I've heard good things about OWASP's ESAPI framework. Aybody have experience with both? Can ESAPI and Shiro be configured to work together or is it simply a binary "one or the other" type deal?

Thanks in advance!

The short answer is yes. Both Shiro and ESAPI can work together, although there is a lt of redundant functionality between the two APIs. Shiro gives you everything you need for covering the standard Java security model. ESAPI goes above and beyond by providing OWASP's globally-standardized security mechanisms.

Shiro should be used by novices like myself who really don't understand Java security and/or general applications/server security. It takes care of a lot of things for the security-ignorant. ESAPI should be used by programming security professionals that already understand Java security and want to leverage not only everything that comes with Java EE but need to go the extra mile and make things even more secure.