0

I want to use SpringSecurity4 in a CDI/EJB environment. Is this possible? Can SpringSecurity be used without using Spring?

What I want to do is use SpringSecurity with my EJB and CDI components.

jradich1234
Jason Bourne

2 Answers

4

Spring Security is basically a filter machine, filtering all the incoming requests. However, plenty of its functionality is Spring-core dependent. It is possible to utilize Spring in a CDI application, but Spring's core is heavyweight and its functionality is funny compared to CDI. That would be a downgrade and there would be no point in using CDI.

What you can do is to have a look at some Security projects for JEE world.

  • Apache DeltaSpike and its Security module.
  • Keycloak - The absolute solution. Keycloak goes far, far beyond Spring Security's functionality. It is an evolution of the old PicketLink libraries developed by JBoss, but those are discontinued and merged into Keycloak instead. An example of how simple Keycloak is to use can be found here.

It is also not that hard to write your own security interceptor using @WebFilter and @Inject :), there are several projects on GitHub:

  • Thank you for your answer. But I'm not trying to replace SpringSecurity. I am trying to find out how to use SpringSecurity in a CDI application. I am not comparing CDI & Spring. By the way, CDI is more amazing than Spring :) I just wanted to see how to couple CDI & SpringSecurity. – Jason Bourne Dec 31 '15 at 14:19
  • In the JEE world, there are many amazing security frameworks: JAAS, JASPIC, PicketLink, and the 5 stars Apache SHIRO. Thank you again for your answer but this is not what I am seeking :) – Jason Bourne Dec 31 '15 at 14:22
0

I am using Spring Security with CDI, but I can say it is not very healthy, since Spring Security is based on Spring and Spring is messing with the CDI beans.

Here is what happened to me. I customized the AuthenticationProvider of Spring Security in order to authenticate users through my authentication server. When implementing this mechanism I used my predefined CDI beans by injecting them using the @Inject annotation. At this point Spring somehow intercepts the injection and creates its own bean, which means you cannot use any of the values you previously set on the CDI bean.

In order to solve this, I used a trick like this:

@Inject
private LoginController loginController;

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // Here the injected bean is empty, so I request my old bean from CDI and assign it back.
    LoginController bm = (LoginController) CDI.current().select(LoginController.class).get();
    loginController = bm;
    // ...
}

I don't know if this is the answer you are looking for, but I hope this helps...
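
One way to apply the lookup trick from the answer above without a field that Spring can overwrite, as an added example that is not part of the original answer: the provider resolves the CDI bean at call time and refuses to authenticate if the bean cannot be resolved. `CredentialVerifier`, `CdiBackedAuthenticationProvider` and the `ROLE_USER` authority are hypothetical names standing in for the poster's `LoginController` and the application's roles.

```java
import java.util.Collections;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical CDI-managed bean standing in for the answer's LoginController.
interface CredentialVerifier {
    boolean verify(String username, String password);
}

public class CdiBackedAuthenticationProvider implements AuthenticationProvider {
    // No @Inject field: the bean is resolved from the CDI container on every call,
    // so it does not matter which container instantiated this provider.
    private CredentialVerifier lookupVerifier() {
        Instance<CredentialVerifier> candidates;
        try {
            candidates = CDI.current().select(CredentialVerifier.class);
        } catch (IllegalStateException e) { // thrown when no CDI provider is available
            throw new AuthenticationServiceException("CDI container not available", e);
        }
        if (candidates.isUnsatisfied() || candidates.isAmbiguous()) { // fail closed
            throw new AuthenticationServiceException("CredentialVerifier bean not resolvable");
        }
        return candidates.get();
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (credentials == null || !lookupVerifier().verify(username, credentials.toString())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Constructed role name; the credentials are not kept in the returned token.
        return new UsernamePasswordAuthenticationToken(username, null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```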