Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:


1. Overview

Stormpath has developed solid support for Spring Boot and Spring Security – to make the integration with their infrastructure and services quite straightforward.

In this article, we're going to have a look at a minimalistic setup and integration of Stormpath with Spring Security.

2. Setting Up Stormpath

Before we can really integrate Stormpath, we need to create access token in Stormpath's cloud. For that, we need to sign up over on their website. Please remember that for development purpose we'll need to sign up as a developer – which gives us 10000 API calls per month of using the free mode.

Of course, if we already have an active Stormpath account, we can use that and directly login.

Now, we need to create the API keys; by clicking Manage API Keys” link inside Developers Tools, we'll see a button named “Create API Key.

We need to click on this button to generate the API key. When clicking, we'll get prompted us to download a properties file containing the API key details. The content will look like this: = xxxxxxxxxxx
apiKey.secret = xxxxxxxxxxxx

We need to store this details very carefully since this data can't be fetched again from the server.

3. Building the Application

3.1. Maven Dependencies

In order to use Stormpath API, we need to use their Java SDK. For that, we need to integrate the following dependency in the pom.xml:


You can find the latest version of the stormpath-default-spring-boot-starter in Central Maven Repository.

3.2. Spring Security Configuration

One of the advantages of using Stormpath is that we don't need to add much boilerplate code to configure Spring Security. The following couple of lines of code is all we need to fully configure the application:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {

The stormpath() is a static method, which will actually be enough for a simple integration with Spring Security.

What's even more interesting here is that we don't have to create any additional HTML pages to design login, sign-up, etc. Stormpath will generate those pages; however, depending on our need, we may create custom pages and integrate Stormpath's functionalities.


We are almost done building this bare-bones application. We just need to add the API keys details, we have created earlier in the file: = // your api id
stormpath.client.apiKey.secret = // your api secret

As per the Stormpath Guidelines, it's always a best practice to put a sensitive data in the JVM environment variables, instead of using them in the

We can declare them as JVM parameters:[api_id] -Dstormpath.client.apiKey.secret=[api_secret]

Now, we're ready to start the application and see the results. We can check the following URLs to test Stormpath's functionalities:

  • /login – Login page
  • /register – Registration page
  • /forgot – Forgot password page

3.4. Other Options

There's also an interesting option to check on the login page, the Forgot Password link at the login box. When clicking this link, we'll be redirected to the /forgot page, where we can provide our email address, which we created to sign up. This will trigger an automatic email containing the link to reset a password.

However, we need to do following configuration at the Stormpath Admin Panel to configure this:

  • Click on the Directories link on top of the page. It should show all of the directories created with this account. By default, after sign up, Stormpath automatically creates a directory named Stormpath Administrator. However, if can create other directories and use them.
  • In the left panel click on the Workflows & Emails link to see a password reset option. By default, it's disabled. We need to click on the Enabled button to use it.
  • In the Link Base URL, we need to give the URL of our application and this URL will be attached to the password reset email.

4. Conclusion

In this quick article, we learned how to easily integrate Spring Security with Stormpath.

There are plenty of other configuration like email verification, etc., which can be configured via Stormpath Admin Console; using those, we can build a secured application quite quickly.

And, like always, you can find the full source code on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

Comments are closed on this article!