Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage Presentations Instant Security and Scalable User Management in Spring Boot

Instant Security and Scalable User Management in Spring Boot



Les Hazlewood goes beyond the traditional way to secure applications and deep dives into how Spring Security + Stormpath offer an instant user management system for Spring Boot applications.


Les Hazlewood is Stormpath co-founder and CTO and the Apache Shiro PMC Chair.

About the conference

SpringOne Platform brings together the people, process and tools for delivering and operating software services. Learn and share with the startups and enterprises leveraging modern Java with Spring connecting all the pieces of the modern software puzzle from developer, operator, architect, data scientist to executive.

Recorded at:

Jan 26, 2017

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • OAuth API with multiple user stores

    by William Yarosh,

    Your message is awaiting moderation. Thank you for participating in the discussion.

    The one thing I always see from identity providers is their showcase of the OAuth password grant with their system. My assumption is that this path only works with stormpath user stores and not federated SSO or LDAP AD systems where stormpath is not the IDP (identity provider).

    Also, there is no mechanism in OAuth, or any login framework stormpath uses that allows auto resolution of a user to a specific user store. This makes user login a challenge unless done through a similar path of the OAuth authorization grant flow. Also the user has to provide their login store everytime they login. It would be more ideal to either: auto redirect them to their user store, or redirect them based on their email provided in the login form.

    Is the password grant in any way supported for non stormpath user stores?

    Also, how can you validate a role in a multi tenant system where the user may need to be validated as an admin of one organization that the user is not a direct member of. That user though may be a parent to the subordinate company. Does stormpath offer any support for that?

    Finally, using groups as your role based authorization has many downfalls. What other forms of access control do you offer (such as direct role definitions, role grants, or acess control lists) that make the system more securely verbose. Also do those role definition or access controls integrate with spring security as smoothly as your group based role definitions?

    Thanks for any info!

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p