Flexess Versus Spring Security

There is one question that I hear every day:  What are the reasons for choosing your product over Spring Security? In this post I will discuss the differences between Flexess and Spring Security (aka acegi).

Spring Security is a great framework for securing applications. It covers all the significant aspects of security like authetication, authorization, channel security, etc.  It is a set of Java libraries that operate on the level of method invocation and web requests and as a result require binding secuirty aspects to the code. Such an approach is oftentimes not very convenient because any modification of the secuirty rules require code changes.  Flexess is positioned on the other level of abstraction. Flexess decouples the secuirty rules from program code by providing a definition of the application's security model. The protected objects, operations, permissions and roles are created almost entirely independently from the code. This approach allows to support access management rules not only created by developers but also by other non-technical people (for example, business analysts or even customers).

Administration of access management rules in Spring Security is done on the level of configuration files, database tables or LDAP records. Flexess is not only a security framework but also contains a web-based administrative application, which allows creating new roles and managing user-role assignments.

One of the most powerful features of Flexess is instance-level security. The typical example is that a user is only allowed to edit his/her own profile. In Spring Security such rule requires implementing the custom AccessDecisionVoter. In Flexess this rule is declarative and is defined while creating the security model.

I must admit that in support of authentication methods, Flexess is far behind Spring Secuirty. Spring Secuirty supports BASIC, Digest, Form authentication, authentication based on JAAS, and many other methods. The examples that come with Flexess show how to use Flexess authorization together with Spring Security for these purposes.