We are building an O&M framework in Java, which will support both web based GUI and console based CLI. Later, it will also be supported with GUI that can be accessed using handhelds (Andriod app etc). I need to decide on which open source java security framework to use for this product.
My requirements are as follows:
The security framework should be container agnostic: I should be able to access it from Java EE servers, Tomcat web containers, POJO in Java SE etc
The security framework must provide authentication & role based authorization (RBAC) services
In some deployments, our operators may ask us to point to their LDAP servers for user credentials and roles, so LDAP support is required
Password strength control, Password ageing, Automatic lockout of account if not logged in for N days, Automatic password change enforcement every N days, Strong encryption support, Channel security, Single Sign On etc are all required features
The open source project must be active & well supported in forums and must adhere to latest security standards in practice
The security related data will be stored in various data stores namely HBase, Cassandra etc. So the security framework must be extensible to read data from different data stores (or be based on JPA etc)
I started looking at Spring Security. Not sure if it can meet requirement (1) and also I read some feedback that its very heavy and tough to use and also it can be used easily only with Spring Based apps. Our application is not Spring based
How about Apache Shiro? Does it meet all that I need above?