I understand next-to-nothing about Java's security model, including XML configuration, policy-setting, any security framework components, tools (for example keystore, etc.) and my way through between.

Although I realize it is going to become essential that i can roll-up my masturbator sleeves and learn Java peace of mind in-depth, I'm wondering if using something similar to Apache Shiro would help ease the transition a little. As a result, I've got a couple of concerns by using it.

Is Shiro, basically, a "turnkey, catchall wrapper" for applying peace of mind in Java programs (and much more particularly, web applications). Meaning, is one able to configure Shiro using their project and basically tune it do the same configuration, policy configurations, etc. that certain would need to do "by hand" (piecemeal) without them? Otherwise, what weak points does Shiro have (what exactly are some large things Shiro can't do for me personally which are vital)? What are the large weaknesses that Shiro does not address whatsoever?

Across the same lines, I have heard good stuff about OWASP's ESAPI framework. Aybody have knowledge about both? Can ESAPI and Shiro be set up to operate together or perhaps is it really a binary "eitherInch type deal?

Thanks ahead of time!

The short response is yes. Both Shiro and ESAPI can interact, although there's a lt of redundant functionality between your two APIs. Shiro provides you with all you need for since the standard Java security model. ESAPI goes far above by supplying OWASP's globally-standardized security systems.

Shiro should be utilised by beginners like myself nobody do not understand Java security and/or general programs/server security. It requires proper care of several things for that security-ignorant. ESAPI should be utilised by programming security professionals that already understand Java security and wish to leverage not just everything that accompany JEE but have to go that step further making things much more secure.