Best practice for authentication and authorization for spring based java application

Question

In our organization we are developing an ldap based Authentication, and Authorization with Single Sign On on feature. Upon developing this generic module, there will be tens of other modules which will be dependent on it. The tool sets are -

Spring
Hibernate
Tomcat 7
openAm/openSSO
openldap
postgresql

We will have simple authentication mechanism but very complex authorization scheme. We are not sure what will be the right approach for authorization. Should we put the authentication as well as authorization logic in LDAP or should we use it for authentication only? In that case we will have to mess around with the OpenAM/OpenSSO. Is there any other approach? like spring security, CAS, JOSSO, .. ? Whatever the approach, it has to be very scalable and maintainable. Any suggestion or help would be greatly appreciated.

Thanks, Nazrul

Steinway Wu Steinway Wu · Accepted Answer · 2011-07-12T10:48:58

You may have a look at Apache Shiro: http://shiro.apache.org/. It is a easy-to-use security framework that supports most of the existing security technologies including LDAP and Single Sign On.

Also, through subtyping AuthenticatingRealm and AuthorizingRealm (from the Shiro API), you can implement your authenticating and authorizing strategies no matter how complex they are.

Most commonly, you will implement your own:

AuthenticatingRealm
AuthorizingRealm
AuthenticationToken
AuthrozationToken
PremissionResolver

and so on...

Best practice for authentication and authorization for spring based java application

3 Answers