how to conditionally show jsp content to logged in users with Spring security

Question

I want to show content to any user that is logged in and to hide if they are not logged in. I'm using jsp's and spring security.

Obviously a home grown solution is easily done. But what's the cleanest standard way of achieving this?

Spring security tags don't seem to have nice way that will allow for the addition of new roles in the future.

Answer 1

I've had success with the following:

    <sec:authorize ifAnyGranted="ROLE_ANONYMOUS">
        <td><a href="<c:url value="/login.htm"/>">Login</a></td>
    </sec:authorize>
    <sec:authorize ifNotGranted="ROLE_ANONYMOUS">
        <td><a href="<c:url value="/j_spring_security_logout"/>">Logout</a></td>
    </sec:authorize>

New roles can be added without affecting the logic here.

---

To bring this answer up to date with Spring Security 3, using the isAnonymous() and isAuthenticated() expressions have worked well in combination thus far to achieve the same thing. Here's an example:

<sec:authorize access="isAnonymous()">
    <form method="POST" action="<c:url value='j_spring_security_check'/>">
        Username: <input name="j_username" type="text" value="${SPRING_SECURITY_LAST_USERNAME}" /> 
        Password: <input name="j_password" type="password" /> 
        <input type="submit" value="Sign in" />
    </form>
</sec:authorize>
<sec:authorize access="isAuthenticated()">
    <a href="<c:url value="/j_spring_security_logout" />">Logout</a>
</sec:authorize>

Answer 2

The current version (3.1 perhaps even earlier) supports var parameters for saving the result into an attribute. By that you can code the following:

<sec:authorize var="loggedIn" access="isAuthenticated()" />
<c:choose>
    <c:when test="${loggedIn}">
        You are loged in
    </c:when>
    <c:otherwise>
        You are logged out
    </c:otherwise>
</c:choose>

Answer 3

You can use Spring EL in the tag <sec:authorize />, like this:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<sec:authorize access="isAuthenticated()">
   YES, you are logged in!
</sec:authorize>

Answer 4

How 'bout this? - Spring 2.5 compliant ;-)

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

<security:authorize ifAllGranted="ROLE_USER">
   Welcome <%= request.getUserPrincipal().getName() %>
   <a href="<c:url value="/j_spring_security_logout"/>">Logout</a><br/>
</security:authorize>

Answer 5

How about:

<%@ taglib uri="http://acegisecurity.org/authz" prefix="authz" %>

<c:set var="authenticated" value="${false}"/>
<authz:authorize ifAllGranted="ROLE_USER">
    <c:set var="authenticated" value="${true}"/>
</authz:authorize>

<c:if test="${authenticated}">
<!-- your secure content here -->
</c:if>

Answer 6

the simplest i used to code this...

<%
if (request.getRemoteUser()== null) {%>  
    <!-- put public-only information-->
<%}%>

Answer 7

Here's how I am doing this:

<%@ page import="org.springframework.security.context.SecurityContextHolder" %>

<c:if test="<%=SecurityContextHolder.getContext().getAuthentication() != null %>">
    <!-- your secure content here -->
</c:if>

Let me know if this works for you too...

-aj

Answer 8

you can use this inside jsp spring security tag

request.getUserPrincipal().getName()