Retrieve User Information in Spring Security

We rely on other people’s code in our own work. Every day.

It might be the language you’re writing in, the framework you’re building on, or some esoteric piece of software that does one thing so well you never found the need to implement it yourself.

The problem is, of course, when things fall apart in production - debugging the implementation of a 3rd party library you have no intimate knowledge of is, to say the least, tricky.

Lightrun is a new kind of debugger.

It's one geared specifically towards real-life production environments. Using Lightrun, you can drill down into running applications, including 3rd party dependencies, with real-time logs, snapshots, and metrics.

>> Learn more in this quick, 5-minute Lightrun tutorial

The AI Assistant to boost Boost your productivity writing unit tests - Machinet AI.

AI is all the rage these days, but for very good reason. The highly practical coding companion, you'll get the power of AI-assisted coding and automated unit test generation.
Machinet's Unit Test AI Agent utilizes your own project context to create meaningful unit tests that intelligently aligns with the behavior of the code.
And, the AI Chat crafts code and fixes errors with ease, like a helpful sidekick.

Simplify Your Coding Journey with Machinet AI:

>> Install Machinet AI in your IntelliJ

Looking for the ideal Linux distro for running modern Spring apps in the cloud?

Meet Alpaquita Linux: lightweight, secure, and powerful enough to handle heavy workloads.

This distro is specifically designed for running Java apps. It builds upon Alpine and features significant enhancements to excel in high-density container environments while meeting enterprise-grade security standards.

Specifically, the container image size is ~30% smaller than standard options, and it consumes up to 30% less RAM:

>> Try Alpaquita Containers now.

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

The Jet Profiler was built for MySQL only, so it can do things like real-time query performance, focus on most used tables or most frequent queries, quickly identify performance issues and basically help you optimize your queries.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

DbSchema is a super-flexible database designer, which can take you from designing the DB with your team all the way to safely deploying the schema.

The way it does all of that is by using a design model, a database-independent image of the schema, which can be shared in a team using GIT and compared or deployed on to any database.

And, of course, it can be heavily visual, allowing you to interact with the database using diagrams, visually compose queries, explore the data, generate random data, import data or build HTML5 database reports.

>> Take a look at DBSchema

1. Overview

This tutorial will show how to retrieve the user details in Spring Security.

The currently authenticated user is available through a number of different mechanisms in Spring. Let’s cover the most common solution first — programmatic access.

Keep Track of Logged in Users With Spring Security

A quick guide to track logged in users in an application built using Spring Security.

Spring Security - Roles and Privileges

How to map Roles and Privileges for a Spring Security application: the setup, the authentication and the registration process.

Spring Security – Reset Your Password

Every app should enable users to change their own password in case they forget it.

2. Get the User in a Bean

The simplest way to retrieve the currently authenticated principal is via a static call to the SecurityContextHolder:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();

An improvement to this snippet is first checking if there is an authenticated user before trying to access it:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (!(authentication instanceof AnonymousAuthenticationToken)) {
    String currentUserName = authentication.getName();
    return currentUserName;
}

There are of course downsides to having a static call like this, and decreased testability of the code is one of the more obvious. Instead, we’ll explore alternative solutions for this very common requirement.

3. Get the User in a Controller

We have additional options in a @Controller annotated bean.

We can define the principal directly as a method argument, and it will be correctly resolved by the framework:

@Controller
public class GetUserWithPrincipalController {

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String currentUserName(Principal principal) {
        return principal.getName();
    }
}

Alternatively, we can also use the authentication token:

@Controller
public class GetUserWithAuthenticationController {

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String currentUserName(Authentication authentication) {
        return authentication.getName();
    }
}

The API of the Authentication class is very open so that the framework remains as flexible as possible. Because of this, the Spring Security principal can only be retrieved as an Object and needs to be cast to the correct UserDetails instance:

UserDetails userDetails = (UserDetails) authentication.getPrincipal();
System.out.println("User has authorities: " + userDetails.getAuthorities());

Also, here’s directly from the HTTP request:

@Controller
public class GetUserWithHTTPServletRequestController {

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String currentUserNameSimple(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return principal.getName();
    }
}

Finally, we can use the @AuthenticationPrincipal annotation to get the currently authenticated user details:

@RestController
public class GetUserWithAuthenticationPrincipalAnnotationController {
    
    @GetMapping("/user")
    public String getUser(@AuthenticationPrincipal UserDetails userDetails) {
        return "User Details: " + userDetails.getUsername();
    }
}

Here, the @AuthenticationPrincipal annotation injects the currently authenticated user’s UserDetails into the method. This annotation helps resolve Authentication.getPrincipal() to a method argument.

Additionally, when we annotate a method parameter with @AuthenticationPrincipal, Spring Security automatically provides the principal of the currently authenticated user. The principal represents the user’s identity, which can be the username, a user object, or any form of user identification.

4. Get the User via a Custom Interface

To fully leverage the Spring dependency injection and be able to retrieve the authentication everywhere, not just in @Controller beans, we need to hide the static access behind a simple facade:

public interface IAuthenticationFacade {
    Authentication getAuthentication();
}
@Component
public class AuthenticationFacade implements IAuthenticationFacade {

    @Override
    public Authentication getAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication();
    }
}

The facade exposes the Authentication object while hiding the static state and keeping the code decoupled and fully testable:

@Controller
public class GetUserWithCustomInterfaceController {
    @Autowired
    private IAuthenticationFacade authenticationFacade;

    @RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String currentUserNameSimple() {
        Authentication authentication = authenticationFacade.getAuthentication();
        return authentication.getName();
    }
}

5. Get the User in JSP

The currently authenticated principal can also be accessed in JSP pages, by leveraging the Spring Security Taglib support.

First, we need to define the tag in the page:

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

Next, we can refer to the principal:

<security:authorize access="isAuthenticated()">
    authenticated as <security:authentication property="principal.username" /> 
</security:authorize>

6. Get the User in Thymeleaf

Thymeleaf is a modern, server-side web templating engine, with good integration with the Spring MVC framework.

Let’s see how to access the currently authenticated principal in a page with Thymeleaf engine.

First, we need to add the thymeleaf-spring5 and the thymeleaf-extras-springsecurity5 dependencies to integrate Thymeleaf with Spring Security:

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf-spring5</artifactId>
</dependency>

Now we can refer to the principal in the HTML page using the sec:authorize attribute:

<html xmlns:th="https://www.thymeleaf.org" 
  xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
<body>
    <div sec:authorize="isAuthenticated()">
      Authenticated as <span sec:authentication="name"></span></div>
</body>
</html>

7. Conclusion

This article showed how to get the user information in a Spring application, starting with the common static access mechanism, followed by several better ways to inject the principal.

As always, the implementation of these examples can be found over on GitHub. This is an Eclipse-based project, so it should be easy to import and run as it is. When running the project locally, we can access the homepage HTML here:

http://localhost:8080/spring-security-rest-custom/foos/1

Retrieve User Information in Spring Security

**I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:**

1. Overview

Further reading:

Keep Track of Logged in Users With Spring Security

Spring Security - Roles and Privileges

Spring Security – Reset Your Password

2. Get the User in a Bean

3. Get the User in a Controller

4. Get the User via a Custom Interface

5. Get the User in JSP

6. Get the User in Thymeleaf

7. Conclusion

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

REST with Spring

Learn Spring Security ▼▲

Learn Spring Security Core

Learn Spring Security OAuth

Learn Spring

Learn Spring Data JPA

Persistence

REST

Security

Full Archive

Baeldung Ebooks

About Baeldung

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

1. Overview

Further reading:

Keep Track of Logged in Users With Spring Security

Spring Security - Roles and Privileges

Spring Security – Reset Your Password

2. Get the User in a Bean

3. Get the User in a Controller

4. Get the User via a Custom Interface

5. Get the User in JSP

6. Get the User in Thymeleaf

7. Conclusion

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

**I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:**