Using Stormpath on our Java Backend

Rahama Obadak
Marketing & Comms, Flexisaf

In a previous post, I talked about our motivation for picking Stormpath as the user management solution for our app. To recap, our app is built using Java on the backend and React on the front-end. In this post, I'll go through how we got Stormpath working on our Java backend.

We are making use of the Stormpath Java Servlet Plugin, which has an excellent getting started guide. The plugin is mostly configuration driven and comes with reasonable defaults. Most of our application-specific configuration lives in the plugin's properties file.

Our backend API is RESTful, so we started by figuring out which endpoints need authentication, and then simply added lines like these to the properties file. The key is a URI pattern (`**` matches any sub-path) and the value names the filter chain to apply; `authc` rejects requests that carry no valid credentials:

[java]
stormpath.web.uris./api/exams/** = authc
stormpath.web.uris./api/subjects/** = authc
stormpath.web.uris./api/questions/** = authc
[/java]

By default, the Stormpath servlet plugin comes with a bunch of preconfigured endpoints, e.g. `/login`, `/register`, `/oauth/token`, etc., for different user management functions. We wanted our endpoints to be prefixed with `/api`, so we renamed them in the properties file:

[java]
stormpath.web.logout.uri = /api/logout
stormpath.web.register.uri = /api/register
stormpath.web.accessToken.uri = /api/oauth/token
[/java]

The login endpoint is controlled by `stormpath.web.login.uri`, with a default value of `/login`. We left it alone because we prefer token authentication, which goes through the access token endpoint above.

Our backend API and front-end are on separate domains, so we needed to specify which origins are allowed to request access tokens by adding them to the properties file:

[java]
stormpath.web.accessToken.origin.authorizer.originUris = http://localhost:3500,
[/java]

The value above is for local development, and we change it per environment, i.e. development, staging and production. One way of updating the URIs is programmatically via environment variables, which is also 12-Factor App compliant. Keep this list exact and short: any origin that can obtain access tokens for your users is inside your trust boundary.
Additionally, we needed to set up a CORS filter to handle cross-domain communication between the client and server. If you aren't familiar with CORS, MDN has an excellent write-up. For that, we wrote a filter on top of the plugin's `HttpFilter` base class:

[java]
import com.stormpath.sdk.servlet.filter.HttpFilter;

import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CORSStormpathFilter extends HttpFilter {

    @Override
    protected void filter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws Exception {
        String origin = request.getHeader("Origin");

        // Ensure the origin is allowed based on the environment. checkOrigin (not shown here)
        // must reject any origin that is not on our list, because the value is reflected below.
        checkOrigin(origin);

        // Handle CORS preflight: tell the browser which methods and headers it may send
        // and how long it may cache this answer.
        if (request.getMethod().equalsIgnoreCase("OPTIONS")) {
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
            response.setHeader("Access-Control-Allow-Headers", "origin, content-type, accept, authorization, X-xsrf-token");
            response.setHeader("Access-Control-Max-Age", "1209600");
        }

        // Credentials (cookies, Authorization header) are allowed, so a "*" origin is not
        // permitted by browsers; the validated origin is echoed back instead.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Origin", origin);

        super.filter(request, response, chain);
    }
}
[/java]

A few things are worth knowing about this pattern. Because `Access-Control-Allow-Credentials` is `true`, browsers refuse a wildcard `Access-Control-Allow-Origin`, which is why the request's own origin is echoed back. That is only safe when `checkOrigin` does an exact match against the configured list and rejects everything else; if it lets unknown origins through, any site can make credentialed requests to the API and read the responses. A response that varies by origin should also carry `Vary: Origin`, so that a shared cache does not hand one origin's response to another. Finally, browsers cap the preflight cache at their own limit (two hours in Chromium), so the two-week `Access-Control-Max-Age` above is effectively a request for the maximum.

Next, we needed to ensure HTTP requests to Stormpath endpoints pass through `CORSStormpathFilter`, otherwise they wouldn't work in the browser because of CORS. Again, we added to the properties file:

[java]
# Create a URI filter called cors
stormpath.web.filters.cors = com.flexisaf.cbt.filter.CORSStormpathFilter

# Apply the cors filter to the desired endpoints
stormpath.web.uris./api/logout = cors
stormpath.web.uris./api/register = cors
stormpath.web.uris./api/oauth/token = cors
[/java]

With that, our backend API was ready to accept user registration, authenticate users, and perform other functions supported by the Stormpath Java Servlet Plugin.
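The post never shows `checkOrigin`, and that method is what makes the reflected-origin filter above safe. The class below is an added example, not Flexisaf's code and not part of the Stormpath plugin: it takes the same comma-separated origin list the post uses for `originUris` (from a literal, or from an environment variable named `ALLOWED_ORIGINS`, a hypothetical name chosen for the 12-factor approach mentioned earlier), canonicalises every entry to `scheme://host[:port]`, matches the request's `Origin` header exactly, and returns the headers a filter should set. It differs from the post's filter in two deliberate ways: it marks a preflight so the caller can answer it with `204` instead of passing it down the chain, and it adds `Vary: Origin`. The origins probed in `main` are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example (not Flexisaf's or Stormpath's code): exact-match Origin allowlist for the
// reflect-the-Origin CORS pattern. Safe reflection requires that every echoed value has
// first matched a configured entry exactly; anything else gets no CORS headers at all.
public final class CorsOriginPolicy {

    // Same preflight values as the post's filter. Browsers clamp Max-Age (Chromium to 7200 s).
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS, HEAD";
    private static final String ALLOWED_HEADERS = "origin, content-type, accept, authorization, X-xsrf-token";

    private final Set<String> allowedOrigins;

    private CorsOriginPolicy(Set<String> origins) {
        this.allowedOrigins = Collections.unmodifiableSet(new TreeSet<>(origins));
    }

    // Builds the policy from a comma-separated list, the same shape as the originUris property.
    // A malformed entry fails at startup rather than silently widening the allowlist at runtime.
    public static CorsOriginPolicy fromList(String csv) {
        Set<String> out = new TreeSet<>();
        for (String raw : csv.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;                         // tolerate a trailing comma
            String canonical = normalize(entry);
            if (canonical == null) throw new IllegalArgumentException("not a bare origin: " + entry);
            out.add(canonical);
        }
        if (out.isEmpty()) throw new IllegalArgumentException("origin allowlist is empty");
        return new CorsOriginPolicy(out);
    }

    // 12-factor style: ALLOWED_ORIGINS is a hypothetical variable name, not one the plugin reads.
    public static CorsOriginPolicy fromEnvironment() {
        String value = System.getenv("ALLOWED_ORIGINS");
        if (value == null) throw new IllegalStateException("ALLOWED_ORIGINS is not set");
        return fromList(value);
    }

    // Canonical "scheme://host[:port]" if the value is a bare origin, else null. A browser never
    // puts userinfo, a path, a query or a fragment in Origin; rejecting them also blocks values
    // such as "null" and look-alike hosts that would slip past a prefix or suffix check.
    static String normalize(String value) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null || uri.getHost() == null) return null;
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return null;
        if (uri.getRawUserInfo() != null || uri.getRawQuery() != null || uri.getRawFragment() != null) return null;
        String path = uri.getRawPath();
        if (path != null && !path.isEmpty() && !path.equals("/")) return null;   // "/" only tolerated in config
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        int defaultPort = scheme.equals("https") ? 443 : 80;
        return (port == -1 || port == defaultPort) ? scheme + "://" + host : scheme + "://" + host + ":" + port;
    }

    // What a filter should do for one request: set these headers, and stop here if it is a preflight.
    public static final class Decision {
        public final boolean allowed, preflight;
        public final Map<String, String> headers;
        Decision(boolean allowed, boolean preflight, Map<String, String> headers) {
            this.allowed = allowed; this.preflight = preflight; this.headers = Collections.unmodifiableMap(headers);
        }
    }

    public Decision evaluate(String originHeader, String method) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (originHeader == null) return new Decision(true, false, headers);   // same-origin: no CORS headers
        String canonical = normalize(originHeader);
        if (canonical == null || !allowedOrigins.contains(canonical)) {
            return new Decision(false, false, headers);   // unknown origin: reflect nothing, never fall back to "*"
        }
        boolean preflight = "OPTIONS".equalsIgnoreCase(method);
        if (preflight) {
            headers.put("Access-Control-Allow-Methods", ALLOWED_METHODS);
            headers.put("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            headers.put("Access-Control-Max-Age", "7200");
        }
        headers.put("Access-Control-Allow-Credentials", "true");
        headers.put("Access-Control-Allow-Origin", originHeader);   // echo exactly what the browser sent
        headers.put("Vary", "Origin");                              // stop shared caches cross-serving origins
        return new Decision(true, preflight, headers);
    }

    public static void main(String[] args) {
        // Constructed development allowlist; note the trailing comma and config-style trailing slash.
        CorsOriginPolicy policy = fromList("http://localhost:3500, https://app.example.com/,");
        String[][] probes = {
            {"http://localhost:3500", "GET"}, {"http://localhost:3500", "OPTIONS"},
            {"https://app.example.com", "POST"}, {"https://app.example.com.evil.test", "POST"},
            {"https://app.example.com:8443", "POST"}, {"null", "POST"}, {null, "GET"},
        };
        for (String[] p : probes) {
            Decision d = policy.evaluate(p[0], p[1]);
            System.out.printf("%-36s %-7s allowed=%-5b preflight=%-5b %s%n", p[0], p[1], d.allowed, d.preflight, d.headers);
        }
    }
}
```

To use it inside a filter like the post's, build one `CorsOriginPolicy` at startup (`fromEnvironment()` or `fromList(...)`), then in `filter` call `evaluate(request.getHeader("Origin"), request.getMethod())`: send a 403 and return when `allowed` is false, copy `headers` onto the response, and when `preflight` is true set status 204 and return without calling `super.filter`, so the preflight never reaches the Stormpath endpoint or the `authc` chain. Only the two legitimate origins in `main` get headers; the look-alike suffix, the wrong port and the `null` origin get none.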