What Is Stormpath-A Simple Web App with Spring Boot, Spring Security

What Is Stormpath?

Stormpath is an API service that allows developers to create, edit, and securely store
user accounts and user account data, and connect them with one or multiple applications. Our API enables you to:

• Authenticate and authorize your users
• Store data about your users
• Perform password and social based login
• Send password reset messages
• Issue API keys for API-based web apps
• And much more! Check out our Product Documentation

In short: we make user account management a lot easier, more secure, and more
scalable than what you’re probably used to.

Start Your Spring Boot Project

Got your Stormpath developer account? Great! Let’s get started…

Whether you are a Maven maven or Gradle grete, getting your project setup is a snap.

Here’s a pom.xml file to start with:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">     <modelVersion>4.0.0</modelVersion>     <groupId>com.stormpath.sample</groupId>     <artifactId>stormpath-spring-boot-spring-security-tutorial</artifactId>     <version>0.1.0</version>     <name>Spring Boot Spring Security Stormpath Tutorial</name>     <description>A simple Spring Boot Web MVC application with Spring Security and out-of-the-box login and self-service screens!</description>     <dependencies>         <dependency>             <groupId>com.stormpath.spring</groupId>             <artifactId>stormpath-default-spring-boot-starter</artifactId>             <version>1.0.RC6</version>         </dependency>     </dependencies>     <build>         <plugins>             <plugin>                 <groupId>org.springframework.boot</groupId>                 <artifactId>spring-boot-maven-plugin</artifactId>                 <version>1.3.0.RELEASE</version>                 <executions>                     <execution>                         <goals>                             <goal>repackage</goal>                         </goals>                     </execution>                 </executions>             </plugin>         </plugins>     </build> </project>

You may notice that there is a single dependency: stormpath-default-spring-boot-starter. Yup. That’s it. As you will see below, that one dependency gives non you all of the Spring Boot, Spring Security and Stormpath magic at once.

Gather Your API Credentials and Application Href

The connection between your app and Stormpath is secured with an “API Key Pair”. You will provide these keys
to your web app and it will use them when it communicates with Stormpath. You can download your API key pair from our Admin Console. After you log in you can download your API key pair from the homepage, it will download the apiKey.properties file – we will use this in a moment.

While you are in the Admin Console you want to get the href for your default Stormpath Application. In Stormpath, an Application object is used to link your web app to your user stores inside Stormpath. All new developer accounts have an app called “My Application”. Click on “Applications” in the Admin Console, then click on “My Application”. On that page you will see the Href for the Application. Copy this — we will need it later.

Writing the Spring Boot Application

The code for this section can be found in the LockedDown tag of the code repo. 

We need three small Java classes and an html template to fire up the first version of our webapp. They’re small enough that I will put them right here. Let’s get to it!

Spring Boot Application Entry Point

All Spring Boot applications have an entry point that works just like an ordinary Java program. It has a main method and everything.

Here’s Application.java:

1 2 3 4 5 6

@SpringBootApplication public class Application  {     public static void main(String[] args) {         SpringApplication.run(Application.class, args);     } }

6 lines of code including the @SpringBootApplication annotation kicks off the party.

Spring Security Configuration

By default (and by best security practices), Spring Security locks down your entire application. It locks it down to the point that it’s not even accessible! While this conforms to best security practices, it’s not terribly useful. Additionally, we need to hook Spring Security and Stormpath together. That brings us to our SpringSecurityWebAppConfig.java:

1 2 3 4 5 6 7

@Configuration public class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {     @Override     protected void configure(HttpSecurity http) throws Exception {         http.apply(stormpath());     } }

The @Configuration annotation causes Spring Boot to instantiate this class as a configuration. .apply(stormpath()) hooks all of the Stormpath goodness (authentication and authorization workflows) into Spring Security.

Because there is no further configuration in the configure method, we will still see the default behavior of having everything locked down. However, instead of the default Spring Security authentication flows, we will see the default Stormpath flows. That is, attempting to browse to any path in the application will result in a redirect to the Stormpath login page.

So, a 1 line method call and we’ve got security!

Spring WebMVC Ties It All Together

Our security configuration above ensures that all paths in the application will be secured.

A Controller determines how requested paths get directed to display which templates.

Here’s our HelloController.java:

1 2 3 4 5 6 7

@Controller public class HelloController {     @RequestMapping("/")     String home() {         return "home";     } }

The @Controller annotation signals Spring Boot that this is a controller. We have one path defined on line 3, /. Line 5 returns the Thymeleaf template named home.

7 lines of code and we have Model-View-Controller (MVC) routing.

Bring Us home.html

By default, the Thymeleaf templating engine will look for templates returned from controllers in a folder called templates in your classpath. It will also look for the default extension of .html.

So, when our controller above returns "home", Thymeleaf will find the template in resources/templates/home.html.

Let’s take a look at the home.html file:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

<html xmlns:th="http://www.thymeleaf.org">     <head>         <!--/*/ /*/-->     </head>     <body>         <div class="container-fluid">             <div class="row">                 <div class="box col-md-6 col-md-offset-3">                     <div class="stormpath-header">                         <img src="http://stormpath.com/images/template/logo-nav.png"/>                     </div>                     <h1 th:inline="text">Hello, [[${account.fullName}]]!</h1>                     <a th:href="@{/logout}" class="btn btn-danger">Logout</a>                 </div>             </div>         </div>     </body> </html>

Line 1 sets up the th namespace for Thymeleaf.

Line 3 looks like an html/xml comment. However, this is a directive that Thymeleaf picks up on to include a fragment in this template. The fragment is found at: resources/templates/fragments/head.html. This fragment contains all the setup to hook in Bootstrap styling for our views.

Lines 13 and 14 is where the action is. Since every pathway in our application is locked down, we know that the only way to get to this page is after having logged in. Part of the Stormpath magic is that once logged in, an account object is always in scope to your views. Line 13 shows the logged in user’s full name. Line 14 provides a link to log out when clicked.

For more information on working with Thymeleaf templates, click here.

Let’s Fire It Up!