I am trying to secure my application which is built using JSF2.0.
I am confused about when do people choose to go with security alternatives like Shiro, Spring Security or owasp's esapi leaving behind container managed security. Having seen some of related questions on Stack Overflow, where I realized that container based security was more preferred by JSF developers in past. But I have also been strongly recommended to use Apache Shiro. I am novice in terms of the security issues and have no idea what may be the relevant issues & how to deal with them. Therefore I'm looking for something that handles most of the security issues through its default settings/ on its own.
In terms of my application requirements, I have a social application where users with different roles have access to different set of pages and can use different levels of functionality on those pages based on their roles.
In that case what do you think could be a good option for me to go with ?
I personally have been convinced to opt Shiro since it is easy to use and takes care of most of the things for the novice.
I know exactly nothing about Apache Shiro except as follows, but what you have quoted comes practically verbatim from their Web page, which contains several mis-statements such as '[JAAS] required static definitions that only programmers could change', and 'JAAS is tied too heavily tied to virtual machine-level concerns', and the implication that JAAS isn't about users and roles, which is simply false. I would want a lot of convincing to move away from container managed security. It's part of the Servlet Specification, so it has to be supported by any container; it's well understood; it is supported by JDK classes with no 3rd parties; ... and it works for me ;-)