I'm trying to implement a modular authentication/authorization app. I was wondering if Shiro is the correct choice. What I want is a system into which I can plug in, and maybe at a later time exchange, some authentication endpoints and also authorization endpoints. I want to be able to use Shiro for authentication (for example, I would implement a Facebook plugin for Shiro, or an LDAP plugin for Shiro, and I can easily plug it into my authentication/authorization app). I also may want to have authorization implemented using a different framework than Shiro.
I was wondering if Shiro, with its custom session and its subjects and realms, is capable of doing such things as I described? Currently I see Shiro as a very dynamic framework, which allows doing such things, but I might be wrong because I have never used it before. Custom authentication modules (IMO) might be plugged in as new realms, but I'm not sure if this will work with authorization?
I also don't understand how Shiro's roles and permission system may be used when I want to set up restrictions on a web application; for example, I want to apply restrictions to a given URL or group of URLs. I think that the only way to implement that is to create a custom mapper which will map a given role to permissions. For example, in some database I will have all URLs, and in a separate table I will have a list of roles. Then I will add to every role a group of URLs. I don't see how I could use the Shiro permission system to implement URL restrictions.
Please tell me if Shiro is a good choice, or maybe I should go with another framework (Spring Security, maybe?)