Setting up application.yml
Rename application.properties inside your src/main/resources folder to application.yml, and paste into that the following:
# Spring related settings
spring:
# database settings
jpa.database: HSQL
# JSON serialization settings
jackson:
default-property-inclusion: NON_NULL
serialization:
write-null-map-values: false
deserialization:
accept-single-value-as-array: true
devtools:
# Unomment this if you don't want the app to restart
# when source code changes
# restart.enabled: false
livereload.enabled: false
server.session.persistent: false
# Logging settings
logging:
level:
root: INFO
org.springframework: INFO
com.naturalprogrammer: DEBUG
# Spring Lemon related properties
lemon:
application-url: http://localhost:9000
cors:
# Comma separated values of CORS allowedOrigins
# If this property is not given, CORS is not configured
allowed-origins: http://localhost:9000
recaptcha:
sitekey: 6LdwxRcUAAAAABkhOGWQXhl9FsR27D5YUJRuGzx0
secretkey: 6LdwxRcUAAAAADaG0Eo1qkYCco15cnngiBoBt2IO
# Oauth2 providers used for sign-on
remote-resources:
-
id: facebook
details:
clientId: 1234020186718741
clientSecret: 0c0abaf685a83e879e8e48b1167c96ab
accessTokenUri: https://graph.facebook.com/oauth/access_token
userAuthorizationUri: https://www.facebook.com/dialog/oauth
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
scope: email
userInfoUri: https://graph.facebook.com/me?fields=name,email
-
id: google
details:
clientId: 1011974249454-6gq0hr01gqh3cndoqnss5r69tkk2nd84.apps.googleusercontent.com
clientSecret: saDA6Cj60wipncFM-hzBD-C6
accessTokenUri: https://www.googleapis.com/oauth2/v4/token
userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
clientAuthenticationScheme: form
scope: email
userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
# Where to redirect the user after successful sign-on
oauth2-authentication-success-url: http://localhost:9000/social-login-success
# First ADMIN user
admin:
username: [email protected]
password: admin!
# Remember-me secret key
remember-me-key: someSecret
# Spring Lemon flags
# enabled:
# json-prefix: false
# user-details-service: false
# Properties to be passed to client
shared:
fooBar: 123...
Notice above the following:
- You may like to use a persistent database instead of HSQL. In such case, you'll need to create a database and replace the datasource details with yours. The following is an example Postgres configuration:
# database settings jpa.hibernate.ddl-auto: create-drop datasource: url: jdbc:postgresql://localhost:5432/lemon username: lemon password: lemon - The CORS
allowed-originsproperty is needed if you plan to have web clients (e.g. an AngularJS client) hosted cross origin. - By providing recaptcha
sitekeyandsecretkey, we tell Spring Lemon to support Google reCAPTCHA validation. If you don't provide these properties, captcha validation won't be supported. Thesitekeyandsecretkeygiven above would work only at localhost. You should replace those with your keys in production. - By providing the
facebookandgoogleremote OAuth2 resources, we tell Spring Lemon to support google and facebok signup/in. TheclientIdandclientSecretvalues given above would work only at localhost. You should replace those with your keys in production. - The
application-urlproperty provides the base url of your web front-end (e.g. an AngularJS application). The default value ishttp://localhost:9000(so setting it was actually redundant). - The
oauth2-authentication-success-urlproperty provides the URL to redirect the user to after successful facebook/google signin. The default value is http://localhost:9000/social-login-success (so, setting it was actually redundant). remember-me-key: someSecretis needed to provide a secret password for encrypting Spring Security remember-me tokens.- When an application is installed, it's helpful to have its database initialized with an ADMIN user. The
lemon.admin.usernameandlemon.admin.passwordbecome the credentials of that first administrator. At application startup, Spring Lemon will check if that user exists. If not, the user will be created, with ADMIN rights.
Sending Emails
Spring Lemon comes with a MailSender service for sending emails. To configure that to use a real mail sending platform like GMail, add the following to application.yml:
spring:
mail:
host: smtp.gmail.com
username: [email protected]
password = xxxxxx
properties:
mail:
smtp:
auth: true
ssl.enable: true
socketFactory:
port: 465
class: javax.net.ssl.SSLSocketFactory
fallback: false
The above configuration works with Gmail, provided you have enabled Google 2-step Verification, and the password is an application password. The properties might differ for other services.
If you skip the above configuration, Spring Lemon will just write the email verification and forgot password mails onto the log, which may be fine for a demo.
Spring Lemon flags
Spring Lemon provides some flags to disable certain of its features. Defaults would be fine for most of the applications. But, just to give you an example, if your API is not going to be used in browsers, add the following property to application.yml:
lemon.enabled.json-prefix: false
This will disable the protection against JSON vulnerability.
To know about all the Spring Lemon configuration options and flags, refer the documentation and resources.