In this short article, I show you how to access currently logged-in user roles in the JSP page using Spring security.
At the server side, we basically implement UserDetailsService interface to retrieve the user’s authentication and authorization information from the database.
The code snippet to retrieve user authentication and authorization information from the database:
@Service("userDetailsService")
public class MyUserDetailsService implements UserDetailsService {
//get user from the database, via Hibernate
@Autowired
private UserDao userDao;
@Transactional(readOnly = true)
@Override
public UserDetails loadUserByUsername(final String username)
throws UsernameNotFoundException {
//CUSTOM USER HERE vvv
User user = userDao.findByUserName(username);
List < GrantedAuthority > authorities =
buildUserAuthority(user.getUserRole());
//if you're implementing UserDetails you wouldn't need to call this method and instead return the User as it is
//return buildUserForAuthentication(user, authorities);
return user;
}
// Converts user to spring.springframework.security.core.userdetails.User
private User buildUserForAuthentication(user,
List < GrantedAuthority > authorities) {
return new User(user.getUsername(), user.getPassword(),
user.isEnabled(), true, true, true, authorities);
}
private List < GrantedAuthority > buildUserAuthority(Set < UserRole > userRoles) {
Set < GrantedAuthority > setAuths = new HashSet < GrantedAuthority > ();
// add user's authorities
for (UserRole userRole: userRoles) {
setAuths.add(new SimpleGrantedAuthority(userRole.getRole()));
}
List < GrantedAuthority > Result = new ArrayList < GrantedAuthority > (setAuths);
return Result;
}
}
So we can easily access principle in JSP. Note that the principal refers to your UserDetails object if you inspect that object the roles are stored under public Collection getAuthorities() { .. }.
Access User Roles in JSP using Spring Security
Spring Security has its own spring-security-taglibs library, which provides basic support for accessing security information and applying security constraints in JSPs.
Follow below steps to get access role in JSP using spring security.
1. Maven Dependencies
First of all, let’s add the spring-security-taglibs dependency to our pom.xml:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
Declaring the Taglibs
Now, before we can use the tags, we need to import the taglib at the top of our JSP file:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
After adding this, we’ll be able to specify Spring Security’s tags with the sec prefix.
Print User Roles in JSP Page
Let's print the roles on the screen:
<sec:authentication property="principal.authorities"/>
Access Expressions
In our applications, we might have information which should be shown only for certain roles or users.
When this is the case, we can use the authorize tag:
<sec:authorize access="!isAuthenticated()">
Login
</sec:authorize>
<sec:authorize access="isAuthenticated()">
Logout
</sec:authorize>
Furthermore, we can check if an authenticated user has specific roles:
<sec:authorize access="hasRole('ADMIN')">
Manage Users
</sec:authorize>
Display Logged in User in JSP
We can use the authentication tag to display details about the logged in user:
<sec:authorize access="isAuthenticated()">
Welcome Back, <sec:authentication property="name"/>
</sec:authorize>Related Tutorials
Free Spring Boot Tutorial | Full In-depth Course | Learn Spring Boot in 10 Hours
Watch this course on YouTube at Spring Boot Tutorial | Fee 10 Hours Full Course