开发者

What are the alternatives for Java authentication?

Preferably something that integrates well with a Flex front end. Yes the Spring Security guys say this is possible, but all examples seem to use legacy jsp tag libraries making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (@RolesAllowed etc), MINIMAL XML, and 'remember-me' features (not cookie based).

Apache Shiro se开发者_JS百科ems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.


Turns out Apache Shiro is actually a simpler and easier to learn solution than Spring security. And no stupid xml configuration is nice.


Spring Security is by far the best tool out there.

BlazeDS is no magic. It is ultimately just a call to the server over HTTP. The Blaze application is just a war file, and has traditional urls. So, to protect the services, you have to protect the urls in your web.xml / spring configuration files.

Essentially, read the documentation of Spring Security/JAAS, and substitute the jsps with the urls of your blaze services.

Spring Security also has support for Roles and authorization. It also has a remember-me functionality, but that absolutely uses cookies. You cannot have a remember-me functionality without cookies.

Regarding authentication, it is possible to pass the authentication token as a request parameter instead of a cookie. But cookies are recommended, and are a lot easier to get right.

And finally, security is pointless without using https. You absolutely must use https throughout your application if you care about security.


I don't see why Flex should authenticate anything, after all that is the client side. Whats stopping someone from decompiling your flash/flex?

For most people Apache Shiro is overkill and they just roll their own. Which isn't the best idea to be honest. I have seen a lot of horrible authentication systems over the years. Cookies are meant to keep track of the session for the client, why use anything else?

Edit: Use spring secuirty for authentication.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜