End-to-End Application Security for Spring Developers

Not so long ago, securing a Java app meant weeks of work and plenty of custom code. Today, tools like Spring Security make secure development far less painful. We’re thrilled to simplify security for Java apps even more with the new Spring Security plugin for Stormpath, available now.

Spring Security is a highly customizable security framework for Spring-based Java applications. It handles authentication and access control, and provides protection against attacks like session fixation, clickjacking, CSRF and more. As with all security frameworks, Spring Security requires a backend user store to integrate with and authenticate against. Our new plugin takes care of all that, with a hosted user management service.

Together, Stormpath and Spring Security offer Spring developers an end-to-end production user security solution in minutes. Check out the highlights of the new plugin:


Web apps can use one of Spring Security’s authentication filters without any custom code. The plugin handles login attempts automatically.

And no one likes managing or hosting user data stores, or writing or configuring Spring Security AuthenticationProviders. With the Spring Security plugin for Stormpath, you define a single Stormpath AuthenticationProvider, and you’re done! Let Stormpath handle all the data modeling, management UIs, account email workflows, and integration with LDAP or Active Directory for you.


The concept of ‘Roles’ in Spring Security conveniently mirrors Stormpath’s Group object. Simply create your groups (roles) in Stormpath and perform role checks as usual.


Spring Security’s ‘Granted Authorities’ allow for finer-grained user permissions than Roles alone. The new plugin supports Granted Authorities by mapping permission data to the Stormpath customData resource. You can easily assign permissions directly to an Account or to a Group (all accounts in a Group will inherit the Group’s permissions).


We know performance is critical. The Spring Security plugin for Stormpath natively supports the Spring caching APIs to reduce round-trip communications to Stormpath. This allows you to use your existing Spring-managed caching infrastructure to ensure your authentication and access control checks are fast.

Sample App

We’ve also shipped a sample web application to get your feet wet. It demonstrates the major functionality of the plugin and is a great place to start. Head over to GitHub for the source code and clone away.

Get the Goods:

  1. Stormpath Java Quickstart
  2. Spring Security Plugin for Stormpath
  3. Sample Web Application
  4. Readme

Next up: Scala + Stormpath samples. Stay tuned.