Clojure web app security

Is there a canonical library or set of libraries that are used for security for Clojure web apps that would solve the same sort of problems that would be solved by using Devise with Ruby on Rails?

I believe the two most popular libraries are:

Neither has been updated for about four years – because they are considered stable.

I believe the maintained version of friend is now clj-commons/friend

1 Like

Yes, I should have checked there. I’m a bit surprised that Chas’s version doesn’t point to the clj-commons version. It certainly is a bit confusing that the README on Chas’s version says:

Note: while actively maintained, Friend is in search of a new maintainer.

and the README on the clj-commons version says:

This library is in maintenance mode. That means that it’s no longer actively developed, but we still provide maintenance. If you’re looking for an actively developed authentication lib, please consider using buddy

and then when you go to Buddy, you find it hasn’t been updated in nearly four years!

and then when you go to Buddy, you find it hasn’t been updated in nearly four years!

That’s just the buddy/buddy artifact. The modules have been updated recently: buddy-hashers and buddy-sign were updated in December.


While a few years old, this article gives some decent pointers.

Could be used as inspiration, as it shows things like session storage, hashing, and how to put the pieces together.

Oh, totally missed that! All that (very important) information is in the README but buried below the fold so at a quick glance, it just looks abandoned.

Has anyone tried Apache Shiro with Clojure?

It seems it shouldn’t be too hard to integrate.

There is at least one wrapper library: GitHub - inventi/Pocheshiro: Clojure wrapper for Apache Shiro.
I haven’t used it (or Apache Shiro). Not updated for years, which may or may not matter.