Spring Security 4 & CDI

Question

I want to use SpringSecurity4 in a CDI/EJB environment. Is this possible? Can SpringSecurity can be used without using Spring?

What I want to do, is to use SpringSecurity with my EJB and CDI components.

Answer 1

Spring Security is basically a filter machine, filtering all the incoming requests. However, plenty of it's functionality is Spring-core dependent. It is possible to utilize Spring in a CDI application, but Spring's core is heavyweight and it's functionality is funny compared to CDI. That would be a downgrade and there would be no point in using CDI.

What you can do is to have a look at some Security projects for JEE world.

• Apache DeltaSpike and it's Security module.
• Keycloak - The absolute solution. Keycloak goes far, far beyond Spring security's functionality. It is an evolution of old PicketLink libraries developed by JBoss, but those are discontinued and merged into Keycloak instead. An example how simple usage of Keycloak is can be found here.

It is also not that hard to write own security interceptor using @WebFilter and @Inject :), there are several projects on GitHub:

• https://github.com/rmpestano/security-interceptor

• https://github.com/clairton/security

• https://github.com/Rudin-Informatik/cdi-security

• https://github.com/rafaelodon/my-security-context

  I have no experience with these projects. However, I am always amazed how easily can Spring Security be replaced :)