Copyright © 2013 Stormpath, Inc. and contributors. This project is open-source via the Apache 2.0 License.
This sample application uses the Stormpath Spring Security plugin to demonstrate how to achieve Stormpath and Spring Security integration.
The stormpath-spring-security plugin allows a Spring Security-enabled application to use the Stormpath User Management & Authentication service for all authentication and access control needs.
Usage documentation is in the wiki.
- Create a Stormpath developer account and create your API keys, downloading the "apiKey.properties" file into a ".stormpath" folder under your local home directory.
- Within Stormpath's Admin Console, create an application and a directory to store your users' accounts.
- Create at least one Group and Account in the application. Assign the account to the group.
- Through Stormpath's Admin interface, note your application's REST URL.
- Clone stormpath-spring-security-example onto your local machine:

      git clone git@github.com:stormpath/stormpath-spring-security-example.git

- Edit stormpath-spring-security-example/web/src/main/webapp/WEB-INF/spring-security.xml:
  - Replace the applicationRestUrl value with your Application's REST URL.
  - Replace the placeholder REPLACE_ME_WITH_YOUR_STORMPATH_GROUP_ALLOWED_TO_ACCESS_THIS_SECURED_RESOURCE with the HREF of the Stormpath Group that will be allowed to access the secured content.
- This project requires Maven 3 to build. Run the following from a command prompt:

      mvn install

- Run it:

      mvn tomcat:run

By default, the stormpath-spring-security plugin and this sample app use Group HREFs as the role names for Spring Security. This sample app also includes another GroupGrantedAuthorityResolver, the GroupRoleGrantedAuthorityResolver class, which maps Group HREFs to any desired domain-specific role names. It is not enabled by default, but it is included here because it may come in handy.
- Add your own mappings in stormpath-spring-security-example/web/src/main/webapp/WEB-INF/spring-security.xml:

      <beans:bean id="groupRoleGrantedAuthoritiesMap" class="java.util.HashMap" scope="prototype">
          <beans:constructor-arg>
              <beans:map key-type="java.lang.String" value-type="java.util.List">
                  <beans:entry key="ONE_STORMPATH_GROUP_HREF_HERE">
                      <beans:list>
                          <beans:value>ROLE_A</beans:value>
                          <beans:value>ROLE_B</beans:value>
                      </beans:list>
                  </beans:entry>
                  <beans:entry key="ANOTHER_STORMPATH_GROUP_HREF_HERE" value="ROLE_USER" />
                  <beans:entry key="YET_ANOTHER_STORMPATH_GROUP_HREF_HERE" value="ROLE_ADMIN" />
              </beans:map>
          </beans:constructor-arg>
      </beans:bean>

- Set the Group Resolver on the StormpathAuthenticationProvider:

      <beans:bean id="groupGrantedAuthorityResolver" class="com.stormpath.spring.security.example.mapping.GroupRoleGrantedAuthorityResolver">
          <beans:constructor-arg ref="groupRoleGrantedAuthoritiesMap" />
      </beans:bean>

      <beans:bean id="stormpathAuthenticationProvider" class="com.stormpath.spring.security.provider.StormpathAuthenticationProvider">
          <!-- etc... -->
          <beans:property name="groupGrantedAuthorityResolver" ref="groupGrantedAuthorityResolver" />
      </beans:bean>

- Specify your Spring Security access rules using the mapped role names in your application. For example, in this case, the secured resource is available to ROLE_A (belonging to ONE_STORMPATH_GROUP_HREF_HERE in step 1):

      <http auto-config='true' access-decision-manager-ref="accessDecisionManager">
          <intercept-url pattern="/secured/*" access="ROLE_A" />
          <logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp"/>
      </http>

This way, your application code stays agnostic of Stormpath's role names. In your code you can now write:

    @PreAuthorize("hasRole('ROLE_A')")

as opposed to:

    @PreAuthorize("hasRole('https://api.stormpath.com/v1/groups/l4aDkz0QPcf2z23j93l1T')")

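The HREF-to-role mapping described above, sketched as a standalone Java class. This is an added example, not the sample app's GroupRoleGrantedAuthorityResolver or any plugin code; the class name HrefRoleMapper, the startup validation, the trailing-slash normalization and the example.invalid HREFs are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; HrefRoleMapper is a hypothetical name, not a class from the sample app or plugin.
public class HrefRoleMapper {
    private final Map<String, Set<String>> rolesByHref = new HashMap<>();

    public HrefRoleMapper(Map<String, List<String>> mappings) {
        for (Map.Entry<String, List<String>> e : mappings.entrySet()) {
            Set<String> roles = new LinkedHashSet<>();
            for (String role : e.getValue()) {
                // Fail at startup on a blank role instead of granting an empty authority at login.
                if (role == null || role.trim().isEmpty()) {
                    throw new IllegalArgumentException("Blank role mapped to " + e.getKey());
                }
                roles.add(role.trim());
            }
            rolesByHref.put(normalize(e.getKey()), roles);
        }
    }

    // Assumption of this example: ".../groups/abc" and ".../groups/abc/" name the same group.
    static String normalize(String href) {
        String h = href.trim();
        return h.endsWith("/") ? h.substring(0, h.length() - 1) : h;
    }

    // Union of the roles of every group the account belongs to; an unmapped group grants nothing.
    public Set<String> resolve(Collection<String> groupHrefs) {
        Set<String> granted = new TreeSet<>();
        for (String href : groupHrefs) {
            granted.addAll(rolesByHref.getOrDefault(normalize(href), Collections.emptySet()));
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed sample data; the HREFs are placeholders, not real Stormpath groups.
        Map<String, List<String>> map = new HashMap<>();
        map.put("https://api.example.invalid/v1/groups/GROUP_ONE", Arrays.asList("ROLE_A", "ROLE_B"));
        map.put("https://api.example.invalid/v1/groups/GROUP_ADMIN", Arrays.asList("ROLE_ADMIN"));
        HrefRoleMapper mapper = new HrefRoleMapper(map);
        // A mapped group (written with a trailing slash) resolves to its configured roles.
        System.out.println(mapper.resolve(Arrays.asList("https://api.example.invalid/v1/groups/GROUP_ONE/")));
        // A group missing from the map resolves to no roles, so access rules deny by default.
        System.out.println(mapper.resolve(Arrays.asList("https://api.example.invalid/v1/groups/NOT_MAPPED")));
    }
}
```
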
- Upgraded Stormpath SDK dependency to latest stable release of 1.0.RC2
- Upgraded Spring Security Stormpath plugin to latest stable release of 0.3.0
- Issue 8: Removed dynamic permissions for CustomData changes. Users must log out and log in again for permission changes to be applied.
- Upgraded Stormpath SDK dependency to latest stable release of 0.9.2
- Upgraded Spring Security Stormpath plugin to latest stable release of 0.2.0
- Added page to view and edit account's CustomData
- Added Permissions example. It is now possible to use Spring Security Granted Authorities as permissions for Stormpath Accounts or Groups by leveraging Stormpath's newly released CustomData feature.
- Stormpath SDK now has a Spring cache configured: a simple JDK ConcurrentMap
- First release