Grails security

JSecurity actually became an Apache project under the name Apache Ki a while ago, and they weren't happy with the name change for some reason and changed it to Apache Shiro soon after that. Also, Stark is just a Grails plugin wrapper for Spring Security, and Acegi is the origin of the Spring Security project.

So which one to use?

Firstly, Spring Security is a matured security API and already widely used, so from a stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit in this since, as far as I know, it's still lacking in widespread adoption.

Secondly, the way the security framework actually behaves is quite important; it has to enable you to implement your favorite scheme of securing your application. For example, while some people like the way Shiro works (see this tutorial, esp. the part under the headline "Quickstart.java"), others couldn't live without Spring Security's Spring-esque stuff, and so on and so forth. Basically you need to try both and figure out if they meet your needs from a usability point of view.

Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure; Shiro is most likely secure, but a lack of widespread adoption hides security issues easily. See for example Firefox vulnerabilities to see how an increased user base starts to affect the actual security of an application in the long run.

To end this, if I had to choose for you, I would pick Spring Security because it's widely used, it's guaranteed to be secure and it's already integrated with Grails. JSecurity/Ki/Shiro isn't bad at all and I've used it for a while, but at the moment it's in some sort of limbo state for who knows what reason, and for a security framework that's just unacceptable.

Edit: It's been over 1½ years since I answered this, so I felt the need to come back and say that our company recently decided to go with Spring Security due to its high pluggability and its proven functionality. This of course makes me a bit biased, but in any case, I'd say that Spring Security is the way to go.


Esko's answer is great and comprehensive. I did an evaluation of the different frameworks a month ago and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with the ability to create complex authorization requirements. JSecurity's model is very simple, yet very powerful.

What finally convinced me, though, is the Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc., and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenID, Facebook, and others.

If Nimble worked for Spring Security, I would probably have chosen it, but I saw Nimble as a huge win for me.