References:
A survey of JAAS, Apache Shiro, Spring Security and Keycloak
http://are-you-ready.de/blog/2017/01/25/apache-shiro-part-1-selecting-a-java-security-framework/
According to the above reference:
JAAS
- Standard, provided by EE containers
- However implementations are not portable (each vendor has own solution)
- Very basic
Keycloak
- A standalone server
- Therefore requires more resource to run
- Could be a nice solution
Spring Security
- Brings everything out of box
- Seems overly complex
- Seems to be some problems from time to time with EE integration
- Author not sure combination with CDI, EJB, JSF at all
- Seems to be towards Spring platform
Apache Shiro
- Lightweight
- Container independent
- non-web Java application
- Jave EE
- Spring
- 12 years old, still active community and development