When to move from Container managed security to alternatives like Apache Shiro, Spring Security?

Question

I am trying to secure my application which is built using JSF2.0.

I am confused about when do people choose to go with security alternatives like Shiro, Spring Secur

Answer 1

I have decided that SpringSecurity (SS) is going to be our Authentication and Authorization framework. Mainly because SS does OpenID and OAuth. I will have to customize it though for the permissions/group/user/entity system quite a bit. I plan on doing authorization at the 'EntityManager/Entity' level, Service Level, and the Web/API levels. "Lock the door, but have your jewels in a 3 ton safe in the back room" A lot of the last half Shiro handles MUCH better. But I don't fell as comfortable trying to integrate openid4j/openauth4j into Shiro.

It would be REALLY nice to pick and choose the features of both, without any interference or code bloat. THAT's the best choice.

PS, Spring brings a lot of other things to the plate, also, like integration with JSF, so it has a lot of appeal.