This week Stormpath released version 1.0 of their user management and authentication Java SDK. Stormpath generally provides APIs for implementing authentication, authorization and user management in web and mobile applications, including open source implementations, targeting a range of languages and frameworks. They're Apache licensed, hosted on GitHub, and their price list indicates the developer plan is "free forever".
Stormpath's Java SDK provides integrations for plain old servlets, as well as Spring, Spring Security and Spring Boot. To integrate Stormpath support into a Spring Boot application, you only need to add stormpath-default-spring-boot-starter as a dependency. If you're using Maven:
    <dependency>
        <groupId>com.stormpath.spring</groupId>
        <artifactId>stormpath-default-spring-boot-starter</artifactId>
        <version>1.0.3</version>
    </dependency>
Or if you prefer Gradle:
    dependencies {
        compile 'com.stormpath.spring:stormpath-default-spring-boot-starter:1.0.3'
    }
After making these changes, your app will have a number of features out of the box, including login, logout, registration, forgot password and email verification. You can even enable social login or SAML support by configuring directories in Stormpath's dashboard. Below are screenshots of the login and registration features.
If you're using Spring Security, you'll need a Spring Security configuration class to apply the Stormpath integration. After adding this, you can easily configure Spring Security in the traditional fashion.
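    import static com.stormpath.spring.config.StormpathWebSecurityConfigurer.stormpath;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Apply the Stormpath integration to the Spring Security configuration.
            http.apply(stormpath());
        }
    }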
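As an added example (not code from Stormpath or from the original article), here is the configuration class above extended with conventional Spring Security authorization rules chained after the Stormpath configurer. The class name, the paths and the group placeholder are hypothetical, and the example assumes that a Stormpath group is exposed to Spring Security as an authority named by the group's href.

```java
import static com.stormpath.spring.config.StormpathWebSecurityConfigurer.stormpath;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class RestrictedWebAppConfig extends WebSecurityConfigurerAdapter {

    // Placeholder, not a real value: replace with the href of the Stormpath
    // group whose members should be treated as administrators (assumption:
    // the integration uses the group href as the authority name).
    private static final String ADMIN_GROUP_AUTHORITY = "<stormpath-admin-group-href>";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Register the Stormpath integration first, as in the class above.
            .apply(stormpath()).and()
            .authorizeRequests()
                // Hypothetical admin area: only members of the admin group.
                .antMatchers("/admin/**").hasAuthority(ADMIN_GROUP_AUTHORITY)
                // Hypothetical account area: require a full login, so a
                // remember-me session alone is not enough.
                .antMatchers("/account/**").fullyAuthenticated()
                // Hypothetical public landing page.
                .antMatchers("/").permitAll();
    }
}
```

Rules are evaluated in the order they are declared, so the narrower, more restrictive matchers are listed before the public one.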
Stormpath's Java SDK also provides a content-negotiation feature that makes it possible to use JavaScript clients. Rather than returning HTML (generated by JSP or Thymeleaf), it returns JSON when an Accept: application/json header is present. To see how this works with AngularJS, see their Angular + Spring Boot + Stormpath example application.
The companion test suite, the Stormpath Framework TCK, is used to verify that all SDKs function identically. Its tests are written in Groovy and use REST-assured to drive applications and verify functionality. The Java SDK also has many of its tests written in Groovy, and both open source projects are worth studying for what they teach.
To learn more about this release, InfoQ interviewed Stormpath developer evangelist Micah Silverman.
InfoQ: You offer several integrations for Java. Do you have statistics to show the most popular integrations? How are you seeing the usage of servlets trending?
Micah Silverman: Over the past 90 days, servlet usage represents 4.7% of all traffic to Stormpath that uses some part of the Java SDK. 68% of the Java traffic originates from one of the Stormpath Spring Boot integration variants (with and without Spring Security) and 51% of the Java traffic includes the Stormpath Spring Security integration.
InfoQ: What was the hardest piece to implement in Stormpath's Java SDK?
Silverman: I think the most challenging piece has been the Stormpath Spring Security integration. Requests hit Spring Security early in the pathway through to a response, so it's been tricky to have an implementation that functions both with and without Spring Security, without duplicating code.
InfoQ: What's your most notable feature in the 1.0 release?
Silverman: The most notable feature of the 1.0 is compliance with the Stormpath Framework Specification. Aside from bringing the Java SDK and integrations into conformance with other Stormpath Language SDKs, it makes it so that we can now specify content negotiation rules in configuration. This makes it easy to work with SPAs and the Stormpath integrations where modern content negotiation rules are called for.
InfoQ: Do you plan to support JSF and/or Java EE 8 MVC?
Silverman: We don't have explicit plans for integrations with JSF or Java EE 8. However, there's nothing that precludes developers from taking advantage of those technologies with the Stormpath integrations.
InfoQ: What does Stormpath add over home-grown security implementations?
Silverman: Stormpath's expertise is in securing sensitive information on the backend. This is no small task and it's all we do as a company. The intention of all the SDKs and integrations across languages is to make it easy for developers to use Stormpath, where we've abstracted away the "hard stuff". This is especially true of Java where we have 6 primary integrations - Shiro, Servlet, Spring WebMVC, Spring Security Spring WebMVC, Spring Boot WebMVC, Spring Security Spring Boot WebMVC. The Java integrations are completely modular, so you could mix and match any of the Spring integrations beyond the four identified above.
InfoQ: Where do you fit in a world with existing tools like Spring Security and JHipster?
Silverman: We have a deep integration with Spring Security - down to connecting idiomatic Spring Expression Language constructs like hasAuthority with Stormpath groups. While we don't have specific plans yet on our roadmap, we are looking ahead to have integrations for all the most popular Java frameworks, including JHipster and Dropwizard.