stormpath / stormpath-sdk-java

Official Java SDK for the Stormpath User Management REST API

Create Configurer analogous to StormpathWebSecurityConfigurer in non-web module #511

Open mrioan opened 8 years ago

mrioan commented 8 years ago

A user trying to use Spring Security is forced to depend on stormpath-spring-security-webmvc. They should have something analogous to this configurer in stormpath-spring-security.

lhazlewood commented 8 years ago

This is because Spring Security generally depends on web concepts for much of its work, so we avoided the stormpath-spring-security (without web support) because it would be rather difficult.

Just curious - is there a customer request to isolate this?

rocketraman commented 8 years ago

> Just curious - is there a customer request to isolate this?

Hi Les. Yes, I wanted to use Stormpath + Spring Security to build an SPA/mobile REST backend. The webmvc starter comes with capability I don't want, i.e. the view end of things.

Using stormpath-spring-security doesn't try to take over the view end of things, but also does not provide the useful backend stuff like http.apply(stormpath()).

So far I'm having some luck with leveraging webmvc but disabling all the endpoints (except logout) exposed by stormpath-webmvc, though I haven't gone too far down this path yet, so I may run into issues later:

```yaml
stormpath:
  web:
    login:
      enabled: false
    logout:
      enabled: true
    change:
      enabled: false
    forgot:
      enabled: false
    register:
      enabled: false
    sendVerificationEmail:
      enabled: false
    verify:
      enabled: false
```

The only thing is I have to implement my own endpoints for each of the above functions.

lhazlewood commented 8 years ago

@rocketraman thanks for the feedback! This is really helpful to us and helps us guide our roadmap. :)

lhazlewood commented 8 years ago

P.S. We've actually talked about this on the SDK teams, I think we have an answer for you (as opposed to re-packaging into a different jar).

Our 'framework spec' handles this by disabling HTML support:

https://github.com/stormpath/stormpath-framework-spec/blob/master/single-page-apps.md

See the "I don't want Stormpath to handle my SPA assets / I want just JSON" section.

By removing application/html from the produces list, HTML views are disabled and only JSON would be supported. That would be the only property you'd have to set.

IIUC, would this address your concern?

The Stormpath Java SDK framework integrations (Spring, etc) don't do this yet, but they will as it is part of our spec. I just want to ensure this addresses your concern. Thoughts?

mrioan commented 8 years ago

This (i.e. disabling HTTP) may provide what @rocketraman needs. However, I am still thinking that (a small number of) users may want to create a non-web application where they can still use Spring Security. To the best of my understanding, Spring Security is not intrinsically web-related; it provides web support but can also function properly in non-web apps.

rocketraman commented 8 years ago

> See the "I don't want Stormpath to handle my SPA assets / I want just JSON" section.
>
> By removing application/html from the produces list, HTML views are disabled and only JSON would be supported. That would be the only property you'd have to set.
>
> IIUC, would this address your concern?

It looks like it probably would, yes.

lhazlewood commented 8 years ago

Cool, thanks for confirming. This design was added to address this concern, so I'm glad to hear that it would meet your needs.