Instant Security and Scalable User Management in Spring Boot
Summary
Les Hazlewood goes beyond the traditional way to secure applications and deep dives into how Spring Security + Stormpath offer an instant user management system for Spring Boot applications.
Bio
Les Hazlewood is Stormpath co-founder and CTO and the Apache Shiro PMC Chair.
About the conference
SpringOne Platform brings together the people, process and tools for delivering and operating software services. Learn and share with the startups and enterprises leveraging modern Java with Spring connecting all the pieces of the modern software puzzle from developer, operator, architect, data scientist to executive.
Community comments
OAuth API with multiple user stores
by William Yarosh,
The one thing I always see from identity providers is their showcase of the OAuth password grant with their system. My assumption is that this path only works with Stormpath user stores and not federated SSO or LDAP/AD systems where Stormpath is not the IdP (identity provider).
Also, there is no mechanism in OAuth, or any login framework Stormpath uses, that allows auto-resolution of a user to a specific user store. This makes user login a challenge unless done through a similar path to the OAuth authorization grant flow. Also, the user has to provide their login store every time they log in. It would be more ideal to either auto-redirect them to their user store, or redirect them based on the email provided in the login form.
Is the password grant in any way supported for non-Stormpath user stores?
Also, how can you validate a role in a multi-tenant system where the user may need to be validated as an admin of one organization that the user is not a direct member of? That user, though, may be a parent to the subordinate company. Does Stormpath offer any support for that?
Finally, using groups as your role-based authorization has many downfalls. What other forms of access control do you offer (such as direct role definitions, role grants, or access control lists) that make the system more securely verbose? Also, do those role definitions or access controls integrate with Spring Security as smoothly as your group-based role definitions?
Thanks for any info!