Get Spring Security Principal in JSP EL expression

2020-02-07 18:10发布

站内问答 / Java
1777 10 6

I am using Spring MVC and Spring Security version 3.0.6.RELEASE. What is the easiest way to get the user name in my JSP? Or even just whether or not the user is logged in? I can think of a couple ways:

1. Using a scriptlet

Using a scriptlet like this to determine if the user is logged in: 

<%=org.springframework.security.core.context.SecurityContextHolder.getContext()
    .getAuthentication().getPrincipal().equals("anonymousUser")
    ? "false":"true"%>

I'm not a fan of using scriptlets, though, and I want to use this in some <c:if> tags, which requires putting it back as a page attribute.

2. Using SecurityContextHolder

I could again use SecurityContextHolder from my @Controller and put it on the model. I need this on every page, though, so I'd rather not have to add this logic in every one of my Controllers.

I suspect there's a cleaner way to do this...

10条回答
Juvenile、少年°
2楼-- · 2020-02-07 18:22

I think <sec:authentication property="principal.username" /> will not always work because type returned by Authentication.getPrincipal() is Object, ie: it could be a UserDetail (for which the above will work), a String or anything else.

For purpose of displaying username in JSP page what I find more reliable is using ${pageContext.request.userPrincipal.name}.

This uses java.security.Principal.getName() which returns String.

查看更多
0人赞 添加讨论(0) 举报
迷人小祖宗
3楼-- · 2020-02-07 18:24

I know there are other answers in the thread, but none have answered how you can check if user is authenticated. So I'm sharing what my code look likes.

Include the tag lib in your project:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

Then create a user object in current scope by adding:

<sec:authentication var="user" property="principal" />

Then you can easily show the username by adding. Remember the 'principal' object is generally of type string unless you have implemented the spring security in a way to change it to another Class in your project:

<sec:authorize access="hasRole('ROLE_USER') and isAuthenticated()">
${user}
</sec:authorize>

I hope this helps somebody looking to check user roles.

If you are using Maven, then add the dependency tag as mentioned by Christian Vielma in this thread.

Thanks!

查看更多
0人赞 添加讨论(0) 举报
放荡不羁爱自由
4楼-- · 2020-02-07 18:24

As far as I know by default Spring Security 3.0.x installs a SecurityContextHolderRquestAwareFilter, so that you can get the Authentication object by calling HttpServletRequest.getUserPrincipal(), and you can also query roles by calling HttpServletRequest.isUserInRole().

查看更多
0人赞 添加讨论(0) 举报
我想做一个坏孩纸
5楼-- · 2020-02-07 18:28

You can use like this: Spring Security Tag Lib - 3.1.3.RELEASE

<sec:authentication var="principal" property="principal" />

and Then:

${principal.username}
查看更多
0人赞 添加讨论(0) 举报
疯言疯语
6楼-- · 2020-02-07 18:29

Check Spring security tags : <sec:authentication property="principal.username" />

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html

And you can check if logged : 

<sec:authorize access="isAuthenticated()">

instead of c:if

查看更多
0人赞 添加讨论(0) 举报
Summer. ? 凉城
7楼-- · 2020-02-07 18:30

This works whether user is logged in or not, and works when using Anonymous Authentication:

<sec:authorize access="isAuthenticated()">
    <sec:authentication property="principal.username" var="username" />
</sec:authorize>
<sec:authorize access="!isAuthenticated()">
    <sec:authentication property="principal" var="username" />
</sec:authorize>

Later...

Hello ${username}
查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)