What is Apache Shiro and how does it relate to Stormpath?

Stormpath and Apache Shiro are separate products built by different organizations. They complement each other, but neither is required to use the other.

Apache Shiro is the leading Java security framework and is an open source project under the Apache Software Foundation (ASF). Started by Stormpath CTO Les Hazlewood, who serves as PMC Chair for the project, Shiro handles authentication, authorization, cryptography, and session management in Java applications. But like all security frameworks, Shiro works best when connected to a secure data store where user credentials and access policies are defined, stored, and managed. Stormpath is that data store.

While our Java SDK has useful authentication/authorization capabilities, it does not have the depth and breadth of web app integration that Shiro does. In turn, for Shiro to work, it needs to point at a data store like Stormpath.

Neither is dependent on the other - many Java developers use the Stormpath Java SDK by itself and many use it with Shiro. We also have an integration with Spring Security. We're happy to help regardless of the approach you take.

Here are a few deeper examples of the differences, and of when and why you may use only one or both in conjunction:

  1. If you want to authenticate a user directly in code, you can do so with Stormpath alone.
  2. If you want to do an authorization check explicitly in code via something like an if/else statement, you can do so with Stormpath alone.
  3. If you want to do more at the enforcement layer of your application, in particular around authorization, then Shiro provides a number of additional features.