This is a high-level comparison of Spring Security and Apache Shiro, two security frameworks that have plugins available in Grails.
Spring Security (a.k.a. ACEGI)
- has users with roles
- to restrict users on a more fine-grained level, use interceptors in your controller
- LDAP support
- integration with CAS single-sign-on
- has a new ACL option for the Grails Plugin
- somewhat ‘heavy-handed’
Example (Using Grails Interceptor):
// Runs before every action in this controller except "list"; returning false halts the request.
def beforeInterceptor = [action: this.&checkViewableSites, except: 'list']

def checkViewableSites() {
    // `user` is assumed to be the currently authenticated user, resolved elsewhere in the controller.
    if (!user.viewableSites.contains(Site.get(params.id))) {
        response.sendError(403)
        return false
    }
}
Apache Shiro (a.k.a. JSecurity)
- has support for permissions out of the box
- LDAP support with Shiro plugin
- easy to customize
- Grails Nimble plugin that allows permissions on three levels: users, groups, and roles
- Nimble plugin has an easy to use UI component for adding/modifying users and permissions
- Nimble plugin has support for authentication through Facebook and OpenID out of the box
Example (Using Shiro Permissions):
- profile:edit:1 – this means a person can edit only the Profile object with id 1
- profile:*:* – this means that a person can do anything to any Profile object
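To make the two permission strings above concrete, here is an added, stand-alone Python model of Shiro-style wildcard permission matching (written for this comparison, not Apache Shiro's own code): ":" separates parts, "," lists alternatives within a part, "*" matches anything, and trailing parts that are omitted from a grant are implied. The `overly_broad` helper is an added review aid, not a Shiro feature.

```python
# Added example: re-implementation of Shiro WildcardPermission matching rules.
# Not Shiro's Java code; semantics follow the documented "domain:action:instance" form.
WILDCARD = "*"


def parse(perm: str) -> list[set[str]]:
    """Split 'profile:edit,view:1' into [{'profile'}, {'edit', 'view'}, {'1'}] (lowercased)."""
    parts = [p.strip() for p in perm.strip().split(":")]
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"permission must not contain empty parts: {perm!r}")
    return [{s.strip().lower() for s in p.split(",") if s.strip()} for p in parts]


def implies(granted: str, required: str) -> bool:
    """True if the granted permission string covers the required one."""
    g, r = parse(granted), parse(required)
    i = 0
    for other in r:
        if i >= len(g):  # grant is shorter than the check: trailing parts are implied
            return True
        part = g[i]
        if WILDCARD not in part and not other <= part:  # every required alternative must be granted
            return False
        i += 1
    # grant has more parts than the check: the extra parts must all be wildcards
    return all(WILDCARD in part for part in g[i:])


def is_permitted(granted: list[str], required: str) -> bool:
    """A subject passes if any single grant it holds implies the required permission."""
    return any(implies(gp, required) for gp in granted)


def overly_broad(granted: list[str]) -> list[str]:
    """Review helper: grants that reach every instance (instance part '*' or omitted)."""
    return [gp for gp in granted if len(parse(gp)) < 3 or WILDCARD in parse(gp)[2]]


if __name__ == "__main__":
    # The page's two examples: edit only Profile 1 vs. do anything to any Profile.
    print(implies("profile:edit:1", "profile:edit:2"))   # False
    print(implies("profile:*:*", "profile:delete:42"))   # True
```

Because an omitted instance part implies all instances, `profile:edit` is as broad as `profile:edit:*`; `overly_broad` surfaces such grants when reviewing what a role actually allows.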