Open mrioan opened 8 years ago
This is because Spring Security generally depends on web concepts for much of its work, so we avoided the stormpath-spring-security (without web support) because it would be rather difficult.
Just curious - is there a customer request to isolate this?
> Just curious - is there a customer request to isolate this?
Hi Les. Yes, I wanted to use Stormpath + Spring Security to build an SPA/mobile REST backend. The webmvc starter comes with capability I don't want i.e. the view end of things.
Using stormpath-spring-security doesn't try to take over the view end of things, but also does not provide the useful backend stuff like http.apply(stormpath()).
So far I'm having some luck with leveraging webmvc but disabling all the endpoints (except logout) exposed by stormpath-webmvc, though I haven't gone too far down this path yet, so I may run into issues later:
stormpath:
  web:
    login:
      enabled: false
    logout:
      enabled: true
    change:
      enabled: false
    forgot:
      enabled: false
    register:
      enabled: false
    sendVerificationEmail:
      enabled: false
    verify:
      enabled: false
The only thing is I have to implement my own endpoints for each of the above functions.
@rocketraman thanks for the feedback! This is really helpful to us and helps us guide our roadmap. :)
P.S. We've actually talked about this on the SDK teams, I think we have an answer for you (as opposed to re-packaging into a different jar).
Our 'framework spec' handles this by disabling HTML support:
https://github.com/stormpath/stormpath-framework-spec/blob/master/single-page-apps.md
See the "I don't want Stormpath to handle my SPA assets / I want just JSON" section.
By removing application/html from the produces list, HTML views are disabled and only JSON would be supported. That would be the only property you'd have to set.
IIUC, would this address your concern?
The Stormpath Java SDK framework integrations (Spring, etc) don't do this yet, but they will as it is part of our spec. I just want to ensure this addresses your concern. Thoughts?
This (i.e. disabling HTTP) may provide what @rocketraman needs. However I am still thinking that (a small number of) users may want to create a non-web application where they can still use Spring Security. To the best of my understanding Spring Security is not intrinsically web-related, it provides web-support but can also function properly in non-web apps.
> See the "I don't want Stormpath to handle my SPA assets / I want just JSON" section.
> By removing application/html from the produces list, HTML views are disabled and only JSON would be supported. That would be the only property you'd have to set.
> IIUC, would this address your concern?
It looks like it probably would, yes.
Cool, thanks for confirming. This design was added to address this concern, so I'm glad to hear that it would meet your needs.
A user trying to use Spring Security is forced to depend on stormpath-spring-security-webmvc. They should have something analogous to this configurer in stormpath-spring-security.