How to conditionally show JSP content to logged-in users with Spring Security

#1
I want to show content to any user that is logged in and to hide it if they are not logged in. I'm using JSPs and Spring Security.

Obviously a home-grown solution is easily done. But what's the cleanest standard way of achieving this?

Spring Security tags don't seem to have a nice way that will allow for the addition of new roles in the future.


Reply

#2
Here's how I am doing this:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page import="org.springframework.security.context.SecurityContextHolder" %>

<c:if test="<%=SecurityContextHolder.getContext().getAuthentication() != null %>">
<!-- your secure content here -->
</c:if>


Let me know if this works for you too...


-aj
Reply

#3
How about:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib uri="http://acegisecurity.org/authz" prefix="authz" %>

<c:set var="authenticated" value="${false}"/>
<authz:authorize ifAllGranted="ROLE_USER">
<c:set var="authenticated" value="${true}"/>
</authz:authorize>

<c:if test="${authenticated}">
<!-- your secure content here -->
</c:if>
Reply

#4
How 'bout this? - Spring 2.5 compliant ;-)

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

<security:authorize ifAllGranted="ROLE_USER">
<%-- c:out HTML-escapes the user name before it is written to the page --%>
Welcome <c:out value="${pageContext.request.userPrincipal.name}"/>
<a href="<c:url value="/j_spring_security_logout"/>">Logout</a><br/>
</security:authorize>

Reply

#5
You can use Spring EL in the tag `<sec:authorize />`, like this:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<sec:authorize access="isAuthenticated()">
YES, you are logged in!
</sec:authorize>

Reply

#6
I've had success with the following:

<sec:authorize ifAnyGranted="ROLE_ANONYMOUS">
<td><a href="<c:url value="/login.htm"/>">Login</a></td>
</sec:authorize>
<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
<td><a href="<c:url value="/j_spring_security_logout"/>">Logout</a></td>
</sec:authorize>

New roles can be added without affecting the logic here.


----------

To bring this answer up to date with Spring Security 3, using the `isAnonymous()` and `isAuthenticated()` expressions in combination has worked well thus far to achieve the same thing. Here's an example:

<sec:authorize access="isAnonymous()">
<form method="POST" action="<c:url value='j_spring_security_check'/>">
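<%-- c:out HTML-escapes the remembered user name before it goes into the attribute --%>
Username: <input name="j_username" type="text" value="<c:out value='${SPRING_SECURITY_LAST_USERNAME}'/>" />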
Password: <input name="j_password" type="password" />
<input type="submit" value="Sign in" />
</form>
</sec:authorize>
<sec:authorize access="isAuthenticated()">
<a href="<c:url value="/j_spring_security_logout" />">Logout</a>
</sec:authorize>
Reply

#7
The simplest I used to code this...

<%
if (request.getRemoteUser()== null) {%>
<!-- put public-only information-->
<%}%>
Reply

#8
You can use this inside the JSP Spring Security tag:

request.getUserPrincipal().getName()
Reply

#9
The current version (3.1 perhaps even earlier) supports var parameters for saving the result into an attribute. By that you can code the following:

<sec:authorize var="loggedIn" access="isAuthenticated()" />
<c:choose>
<c:when test="${loggedIn}">
You are logged in
</c:when>
<c:otherwise>
You are logged out
</c:otherwise>
</c:choose>
Reply
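
An added example (not code from any post above) of the check behind "logged in": when anonymous authentication is enabled, visitors who have not signed in still carry an `AnonymousAuthenticationToken`, so a bare null check on `getAuthentication()` is true for them, while the `isAuthenticated()` expression is true only for non-anonymous users. `LoginState` is a hypothetical helper, and the imports assume Spring Security 3 or later package names with spring-security-core on the classpath.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper for illustration; LoginState is not a Spring class.
public final class LoginState {
    private static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    private LoginState() {}

    /** Null check only: also true for a visitor holding an anonymous token. */
    public static boolean hasAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication() != null;
    }

    /** True only for a real login: present, authenticated and not anonymous. */
    public static boolean isLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.isAuthenticated() && !RESOLVER.isAnonymous(auth);
    }

    public static void main(String[] args) {
        // Constructed sample tokens standing in for what the filter chain would set.
        List<GrantedAuthority> anonRoles = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
        Authentication anonymous = new AnonymousAuthenticationToken("demo-key", "anonymousUser", anonRoles);
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        SecurityContextHolder.clearContext();
        report("empty context");
        SecurityContextHolder.getContext().setAuthentication(anonymous);
        report("anonymous token");
        SecurityContextHolder.getContext().setAuthentication(user);
        report("logged-in user");
        SecurityContextHolder.clearContext();
    }

    private static void report(String label) {
        System.out.printf("%-16s hasAuthentication=%b isLoggedIn=%b%n",
                label, hasAuthentication(), isLoggedIn());
    }
}
```

These checks, like the JSP tags, only decide what is rendered; the URLs behind hidden links still need their own access rules on the server.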


