I am looking for frameworks/solutions for authentication / user-login management / security in a Java web application that can make the naive developer's job easier/faster and make the application relatively more secure against potential threats.
As some people have suggested that I consider solutions like Spring Security & Apache Shiro, I wanted to know how they work with JSF 2.0. Are there any downsides of using Shiro over Spring Security for my case?
Any other better security solutions for JSF applications?
Currently I'm using JSF 2.0 (with Facelets) as the front-end development framework in my web application, and it is backed by Cassandra, a NoSQL database.
Deluan Quintão has provided a good solution for Shiro and JSF that has been received well by the Shiro community:
http://techbeats.deluan.com/apache-shiro-tags-for-jsffacelets
Also note that Shiro can use Cassandra as a back-end to enable Servlet container-independent session clustering (you will need to write a CassandraSessionDAO and plug it into Shiro's configuration). See http://shiro.apache.org/session-management.html for more.
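One way to write the CassandraSessionDAO mentioned in the answer above, as an added example that is not code from the answer or from the Shiro project. It assumes the DataStax Java driver 3.x and a hypothetical table `shiro_sessions`; the class layout and the TTL-based expiry are choices made here.

```java
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Collection;
import java.util.Collections;
import com.datastax.driver.core.PreparedStatement;
import com.datastax.driver.core.Row;
import com.datastax.driver.core.utils.Bytes;
import org.apache.shiro.io.DefaultSerializer;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;

// Assumed schema (hypothetical): CREATE TABLE shiro_sessions (id text PRIMARY KEY, data blob);
// Wire it in with DefaultWebSessionManager#setSessionDAO on Shiro's native session manager.
public class CassandraSessionDAO extends AbstractSessionDAO {
    private final com.datastax.driver.core.Session cql; // driver session, not a Shiro session
    private final PreparedStatement upsert, select, remove;
    private final DefaultSerializer<Session> serializer = new DefaultSerializer<>();

    public CassandraSessionDAO(com.datastax.driver.core.Session cql) {
        this.cql = cql;
        upsert = cql.prepare("INSERT INTO shiro_sessions (id, data) VALUES (?, ?) USING TTL ?");
        select = cql.prepare("SELECT data FROM shiro_sessions WHERE id = ?");
        remove = cql.prepare("DELETE FROM shiro_sessions WHERE id = ?");
    }

    @Override protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session); // random UUID unless reconfigured
        assignSessionId(session, id);
        update(session);
        return id;
    }

    // Called on every change, including the last-access touch, so the row TTL is refreshed.
    @Override public void update(Session session) {
        long ms = session.getTimeout();
        // Cassandra TTL is in seconds; 0 means "never expire", like a non-positive Shiro timeout.
        int ttl = ms <= 0 ? 0 : (int) Math.max(1, ms / 1000);
        ByteBuffer data = ByteBuffer.wrap(serializer.serialize(session));
        cql.execute(upsert.bind(session.getId().toString(), data, ttl));
    }

    @Override protected Session doReadSession(Serializable id) {
        Row row = cql.execute(select.bind(id.toString())).one();
        // Java deserialization: only point this at a keyspace untrusted clients cannot write to.
        return row == null ? null : serializer.deserialize(Bytes.getArray(row.getBytes("data")));
    }

    @Override public void delete(Session session) {
        cql.execute(remove.bind(session.getId().toString()));
    }

    // Expiry is left to the row TTL, so Shiro's validation scheduler has nothing to scan.
    @Override public Collection<Session> getActiveSessions() { return Collections.emptyList(); }
}
```

Because `update` is a plain upsert, a request still in flight on one node can re-create a row that a logout on another node has just deleted; use a conditional write if that window matters for your application.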
If you can't use the native form-based authentication that is provided by your application server, I would recommend that you use Apache Shiro, because it integrates well with the Java EE stack. Spring Security is fine too, but if you plan to use JSF 2 you probably also use CDI (provided by Seam Weld, which is integrated into the Java EE 6 Profile from Glassfish and JBoss), so it is easier to use Shiro, as Spring relies heavily on its own dependency injection methods. Spring Security does not need that many injected classes, but you should stick to one way of doing things.