A common feature of secure Java web applications is to show the username as a link in the top right corner once the user has successfully logged in. Some applications also show a logout or sign-out link there. But how do you display the current user or principal name in a JSP page secured with the Spring Security library? Spring Security provides a small but useful JSP tag library containing custom tags similar to JSTL, which can show a lot of useful authentication and authorization details about the current user. For example, you can use the <s:authentication> tag to display the current principal's details, including the username of the currently logged-in user. The tag name here is authentication, and s is the prefix you specify when importing the tag library with the taglib directive in JSP.
The <authentication> tag exposes a couple of properties which can be used to access the details of the currently authenticated principal, including roles and granted authorities. Here is a list of some of the useful properties of this Spring Security tag:
authorities
It provides a collection of GrantedAuthority objects that represent the privileges granted to the user.
credentials
It provides the credentials that were used to verify the principal e.g. the user's password.
details
It provides additional information about the authentication e.g. IP address, certificate serial number, session id etc.
principal
This is the currently logged-in user's principal, which contains the username and other user-related details.
In this article, I'll show you how you can use Spring Security's tag library to display the current user's details e.g. the username. Btw, this is my second article about Spring Security's tag library; in the first article, I explained how to show/hide portions of a JSP based upon the user's role. If you have not read it already, you may find that useful too.
How to display username in JSP using Spring Security?
In order to use the Spring Security tag library, the first thing you need to do is add spring-security-web.jar to your web application's classpath. For that, you can just drop the JAR into the /WEB-INF/lib folder, or you can use Maven to create your .war file.
The JAR file contains both the .tld files (tag library descriptors) and the Java classes which provide the functionality exposed by the tags.
Once the JAR file is on the classpath, you can import the tag library in your JSP page using the taglib directive as shown below:
<%@ taglib prefix="s" uri="http://www.springframework.org/security/tags" %>
Don't be misled into thinking that this downloads the tag details from that URL; the URI is just an identifier, the same one you will find in the .tld files inside the spring-security-web.jar file.
Once you have imported the tag library in the JSP page, you are ready to use the tags with the specified prefix e.g. you can use the authentication tag as <s:authentication>.
In order to display the current user's name, we just need to access the principal property of the authentication tag and then access the nested username property as shown below:
Welcome <s:authentication property="principal.username" />!
The property attribute identifies a property of the user's authentication object. The properties available will vary depending on how the user was authenticated, but you can assume that some of the essential properties will always be available e.g. principal.
In this example, <s:authentication> will render the property's value in the JSP, but if you want to store that value in a variable instead, you can do that by using another attribute called "var". Here is the snippet to do exactly that:
<s:authentication property="principal.username" var="UserId"/>
Here the value of principal.username will be saved in a variable called "UserId". By default, this variable is created in the page scope, but you can also create it in the request or session scope by specifying the scope attribute. For example, to create this variable in session scope you can use the following snippet:
<s:authentication property="principal.username" var="UserId" scope="session"/>
This means the UserId variable will be available in the session and any page can access it from there as well.
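A header fragment that puts the snippets above together, as an added example that is not from the original article. It assumes JSTL 1.x core tags are available, that web security expressions are enabled so the authorize tag accepts isAuthenticated(), and that the principal is a UserDetails object; the /profile path, the CSS class names and the userId variable name are hypothetical.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- The uri values are identifiers that must match the ones declared in each library's .tld --%>
<%@ taglib prefix="s" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Render the user block only for a logged-in user. For an anonymous request
     the principal is typically the plain String "anonymousUser", which has no
     nested username property, so principal.username cannot be resolved. --%>
<s:authorize access="isAuthenticated()">

  <%-- Rendered directly: the authentication tag HTML-escapes what it writes
       by default (htmlEscape="true"), so the name is safe to emit as text. --%>
  <span class="user">Welcome <s:authentication property="principal.username" />!</span>

  <%-- Stored with var: the raw property value is stored, not an escaped copy.
       Escape it where it is finally written out, e.g. with c:out, instead of
       printing ${userId} directly. Page scope (the default) is enough when
       the value is only used on this page. --%>
  <s:authentication property="principal.username" var="userId" />
  <a href="<c:url value='/profile' />"><c:out value="${userId}" /></a>

  <%-- "name" maps to Authentication.getName() and is available however the
       user was authenticated, even when the principal is not a UserDetails. --%>
  <span class="login-name"><s:authentication property="name" /></span>

</s:authorize>
```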
The <authentication> tag is useful, but it's just the tip of the iceberg in terms of the Spring Security tag library's capabilities.
In the next article, I'll talk about the other two tags i.e. authorize and accesscontrollist, which conditionally render the view based upon the user's privileges, but if you can't wait till then, check out Eugen Paraschiv's Spring Security Master Class to learn about them. Eugen has explained Spring Security in depth, drawing on his real-world experience in securing Java applications.
That's all about how to retrieve the username in a JSP page using the Spring Security tag library. As I have said before, even though Spring Security's tag library is small and contains just 3 tags (authentication, accesscontrollist, and authorize), it's very powerful and allows you to do a lot of sophisticated stuff in the view part of your application.