Update 5/12/2016: Building a single page app and need user management for Java? Read more about building application security the right way (and the hurdles you’ll need to overcome) in our post: The Problem with Securing Single Page Applications.


Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management with a focus on ease-of-use and flexibility. At Stormpath, we use Shiro to secure our own applications, and we also offer a Shiro plugin that adds Stormpath User Management functionality to Shiro-secured applications. Pairing Apache Shiro with Stormpath gives you a full application security and user management system, with little to no coding.

Our CTO, Les – who is also the primary committer on Shiro – recently posted a handy tutorial that demonstrates how to secure Java webapps with Shiro. In 45 minutes, it covers everything from basic Shiro configurations to implementing RBAC. For a user store, the tutorial uses Stormpath to get users and roles up in 5 minutes.

Here we expand on the Stormpath functionality in the tutorial and answer the common questions we’ve been hearing.

From here on, we’re assuming you’ve already run through the Apache Shiro Beginners Webapp Tutorial. If not, give it a whirl – it’s a very fast way to secure Java webapps.

Registering with Stormpath

Registration is a breeze; there are only two things to keep in mind:

  1. Pay attention to your tenant name after confirming your Email address! Stormpath is a multi-tenant service and you’ll need your tenant name to log into the admin console.
  2. Everyone starts on the free developer tier. Upgrade when you need production features or more than 100,000 API calls / month.

Stormpath Applications

Apache Shiro is agnostic to the types of applications it secures – SaaS web and infrastructure apps are both popular use cases.

In Stormpath, the Application resource is simply a record of your real-world application; it exists to help you model your user and security requirements. Developers coming from a language-specific user management system will also appreciate how cleanly applications can be separated. Unique code bases and distinct access policies are good reasons to set up multiple Applications in Stormpath.

Stormpath Applications, Directories, and Groups can all have many-to-many relationships. This gives you the flexibility to control users’ access across multiple real-world apps, regardless of architectural differences. Want to give a Directory full of users from your Ruby app access to your brand new Java app built with Shiro? No problem.

cURL is Great. Now where’s the GUI?

The vast majority of interactions with Stormpath occur programmatically via the REST API or one of our language-specific SDKs. But sometimes you just want to point and click. Most Stormpath resources can be created and updated directly in the browser with the admin console. It’s a great tool when team members need to quickly disable an account and aren’t familiar with the API, or for getting a quick look at a user or group resource.

Login to the console and go to town.

Java Support

Stormpath fully supports JVM languages with our Java SDK – in fact, it’s a dependency in your new webapp’s pom file. Yep, it’s been there the whole time.

Here’s how you would register your new webapp in Stormpath using Java:

The open-source Apache Shiro plugin for Stormpath also makes things even easier for Shiro-enabled apps.

Quick Links:

Watch this space for a follow-up post on advanced user management with Stormpath and Apache Shiro.

If you have questions about integrating a Shiro-backed app with Stormpath, we’d love to help! Chat with us on www.stormpath.com or send us an Email: [email protected].

The community forums and mailing list are great places to get your Apache Shiro-specific questions answered.