Baeldung Pro comes with both absolutely No-Ads as well as finally with Dark Mode, for a clean learning experience:
Once the early-adopter seats are all used, the price will go up and stay at $33/year.
Retrieve User Information in Spring Security
Last updated: August 27, 2023
Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.
Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.
To learn more about Java features on Azure Container Apps, visit the documentation page.
You can also ask questions and leave feedback on the Azure Container Apps GitHub page.
Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.
Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.
To learn more about Java features on Azure Container Apps, you can get started over on the documentation page.
And, you can also ask questions and leave feedback on the Azure Container Apps GitHub page.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
All Access is finally out, with all of my Spring courses. Learn JUnit is out as well, and Learn Maven is coming fast. And, of course, quite a bit more affordable. Finally.
>> GET THE COURSE
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
End-to-end testing is a very useful method to make sure that your application works as intended. This highlights issues in the overall functionality of the software, that the unit and integration test stages may miss.
Playwright is an easy-to-use, but powerful tool that automates end-to-end testing, and supports all modern browsers and platforms.
When coupled with LambdaTest (an AI-powered cloud-based test execution platform) it can be further scaled to run the Playwright scripts in parallel across 3000+ browser and device combinations:
Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:
Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITY1. Overview
This tutorial will show how to retrieve the user details in Spring Security.
The currently authenticated user is available through a number of different mechanisms in Spring. Let’s cover the most common solution first — programmatic access.
Further reading:
Keep Track of Logged in Users With Spring Security
A quick guide to track logged in users in an application built using Spring Security.
Spring Security - Roles and Privileges
How to map Roles and Privileges for a Spring Security application: the setup, the authentication and the registration process.
Spring Security – Reset Your Password
Every app should enable users to change their own password in case they forget it.
2. Get the User in a Bean
The simplest way to retrieve the currently authenticated principal is via a static call to the SecurityContextHolder:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();An improvement to this snippet is first checking if there is an authenticated user before trying to access it:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (!(authentication instanceof AnonymousAuthenticationToken)) {
String currentUserName = authentication.getName();
return currentUserName;
}There are, of course, downsides to having a static call like this and decreased testability of the code is one of the more obvious. Instead, we’ll explore alternative solutions for this very common requirement.
3. Get the User in a Controller
We have additional options in a @RestController annotated bean.
We can define the principal directly as a method argument, and the framework will correctly resolve it:
@RestController
public class GetUserWithPrincipalController {
@GetMapping(value = "/username")
public String currentUserName(Principal principal) {
return principal.getName();
}
}Alternatively, we can also use the authentication token:
@RestController
public class GetUserWithAuthenticationController {
@GetMapping(value = "/username")
public String currentUserName(Authentication authentication) {
return authentication.getName();
}
}The API of the Authentication class is very open so that the framework remains as flexible as possible. Because of this, the Spring Security principal can only be retrieved as an Object and needs to be cast to the correct UserDetails instance:
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
System.out.println("User has authorities: " + userDetails.getAuthorities());Also, here’s directly from the HTTP request:
@RestController
public class GetUserWithHTTPServletRequestController {
@GetMapping(value = "/username")
public String currentUserNameSimple(HttpServletRequest request) {
Principal principal = request.getUserPrincipal();
return principal.getName();
}
}Finally, we can use the @AuthenticationPrincipal annotation to get the currently authenticated user details:
@RestController
public class GetUserWithAuthenticationPrincipalAnnotationController {
@GetMapping("/user")
public String getUser(@AuthenticationPrincipal UserDetails userDetails) {
return "User Details: " + userDetails.getUsername();
}
}Here, the @AuthenticationPrincipal annotation injects the currently authenticated user’s UserDetails into the method. This annotation helps resolve Authentication.getPrincipal() to a method argument.
Additionally, when we annotate a method parameter with @AuthenticationPrincipal, Spring Security automatically provides the principal of the currently authenticated user. The principal represents the user’s identity, which can be the username, a user object, or any form of user identification.
4. Get the User via a Custom Interface
To fully leverage the Spring dependency injection and be able to retrieve the authentication everywhere, not just in @RestController beans, we need to hide the static access behind a simple facade:
public interface IAuthenticationFacade {
Authentication getAuthentication();
}
@Component
public class AuthenticationFacade implements IAuthenticationFacade {
@Override
public Authentication getAuthentication() {
return SecurityContextHolder.getContext().getAuthentication();
}
}The facade exposes the Authentication object while hiding the static state and keeping the code decoupled and fully testable:
@RestController
public class GetUserWithCustomInterfaceController {
@Autowired
private IAuthenticationFacade authenticationFacade;
@GetMapping(value = "/username")
public String currentUserNameSimple() {
Authentication authentication = authenticationFacade.getAuthentication();
return authentication.getName();
}
}5. Get the User in JSP
We can access the currently authenticated principal from JSP pages by leveraging the Spring Security Taglib support.
First, we need to define the tag on the page:
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>Next, we can refer to the principal:
<security:authorize access="isAuthenticated()">
authenticated as <security:authentication property="principal.username" />
</security:authorize>6. Get the User in Thymeleaf
Thymeleaf is a modern, server-side web templating engine with good integration with the Spring MVC framework.
Let’s see how to access the currently authenticated principal on a page with the Thymeleaf engine.
First, we need to add the thymeleaf-spring6 and the thymeleaf-extras-springsecurity6 dependencies to integrate Thymeleaf with Spring Security:
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring6</artifactId>
</dependency>Now we can refer to the principal in the HTML page using the sec:authorize attribute:
<html xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
<body>
<div sec:authorize="isAuthenticated()">
Authenticated as <span sec:authentication="name"></span></div>
</body>
</html>7. Conclusion
This article showed how to get the user information in a Spring application, starting with the common static access mechanism, followed by several better ways to inject the principal.
The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
http://localhost:8080/spring-security-rest-custom/foos/1
