Spring Security - How to Access User Roles in JSP

In this short article, I show you how to access currently logged-in user roles in the JSP page using Spring security.
At the server side, we basically implement UserDetailsService interface to retrieve the user’s authentication and authorization information from the database.
The code snippet to retrieve user authentication and authorization information from the database:
@Service("userDetailsService")
public class MyUserDetailsService implements UserDetailsService {

    //get user from the database, via Hibernate
    @Autowired
    private UserDao userDao;

    @Transactional(readOnly = true)
    @Override
    public UserDetails loadUserByUsername(final String username)
    throws UsernameNotFoundException {
        //CUSTOM USER HERE vvv
        User user = userDao.findByUserName(username);
        List < GrantedAuthority > authorities =
            buildUserAuthority(user.getUserRole());
        //if you're implementing UserDetails you wouldn't need to call this method and instead return the User as it is
        //return buildUserForAuthentication(user, authorities);
        return user;

    }

    // Converts user to spring.springframework.security.core.userdetails.User
    private User buildUserForAuthentication(user,
        List < GrantedAuthority > authorities) {
        return new User(user.getUsername(), user.getPassword(),
            user.isEnabled(), true, true, true, authorities);
    }

    private List < GrantedAuthority > buildUserAuthority(Set < UserRole > userRoles) {

        Set < GrantedAuthority > setAuths = new HashSet < GrantedAuthority > ();

        // add user's authorities
        for (UserRole userRole: userRoles) {
            setAuths.add(new SimpleGrantedAuthority(userRole.getRole()));
        }

        List < GrantedAuthority > Result = new ArrayList < GrantedAuthority > (setAuths);

        return Result;
    }
}
So we can easily access principle in JSP. Note that the principal refers to your UserDetails object if you inspect that object the roles are stored under public Collection getAuthorities() { .. }.

Access User Roles in JSP using Spring Security

Spring Security has its own spring-security-taglibs library, which provides basic support for accessing security information and applying security constraints in JSPs.
Follow below steps to get access role in JSP using spring security.

1. Maven Dependencies

First of all, let’s add the spring-security-taglibs dependency to our pom.xml:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>5.1.5.RELEASE</version>
</dependency>

Declaring the Taglibs

Now, before we can use the tags, we need to import the taglib at the top of our JSP file:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
After adding this, we’ll be able to specify Spring Security’s tags with the sec prefix.

Print User Roles in JSP Page

Let's print the roles on the screen:
<sec:authentication property="principal.authorities"/>

Access Expressions

In our applications, we might have information which should be shown only for certain roles or users.
When this is the case, we can use the authorize tag:
<sec:authorize access="!isAuthenticated()">
  Login
</sec:authorize>
<sec:authorize access="isAuthenticated()">
  Logout
</sec:authorize>
Furthermore, we can check if an authenticated user has specific roles:
<sec:authorize access="hasRole('ADMIN')">
    Manage Users
</sec:authorize>

Display Logged in User in JSP

We can use the authentication tag to display details about the logged in user:
<sec:authorize access="isAuthenticated()">
    Welcome Back, <sec:authentication property="name"/>
</sec:authorize>
Learn Spring security at https://www.javaguides.net/p/spring-security-tutorial.html.
Learn JSP at https://www.javaguides.net/p/jsp-tutorial.html.

Comments