1. Introduction

In Spring Security, sometimes it is necessary to check if an authenticated user has a specific role. This can be useful to enable or disable particular features in our applications.

In this tutorial, we'll see various ways to check user roles in Java for Spring Security.

2. Checking User Role in Java

Spring Security provides several ways to check user roles in Java code. We'll look at each of them below.

2.1. @PreAuthorize

The first way to check for user roles in Java is to use the @PreAuthorize annotation provided by Spring Security. This annotation can be applied to a class or method, and it accepts a single string value that represents a SpEL expression.

Before we can use this annotation, we must first enable global method security. This can be done in Java code by adding the @EnableGlobalMethodSecurity annotation to any configuration class.

Then, Spring Security provides two expressions we can use with the @PreAuthorize annotation to check user roles:

@PreAuthorize("hasRole('ROLE_ADMIN')")
@GetMapping("/user/{id}")
public String getUser(@PathVariable("id") String id) {
    ...
}

We can also check multiple roles in a single expression:

@PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_MANAGER')")
@GetMapping("/users")
public String getUsers() {
    ...
}

In this case, the request will be allowed if the user has any of the specified roles.

If the method is called without having the proper role, Spring Security throws an exception and redirects to the error page.

2.2. SecurityContext

The next way we can check for user roles in Java code is with the SecurityContext class.

By default, Spring Security uses a thread-local copy of this class. This means each request in our application has its security context that contains details of the user making the request.

To use it, we simply call the static methods in SecurityContextHolder:

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null && auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ADMIN"))) {
    ...
}

Note that we're using the plain authority name here instead of the full role name.

This works well when we need more fine-grained checks — for example, a specific part of a single method. However, this approach will not work if we use the global context holder mode in Spring Security.

2.3. UserDetailsService

The third way we can lookup user roles in Java code is by using the UserDetailsService. This a bean we can inject anywhere into our application and call it as needed:

@GetMapping("/users")
public String getUsers() {
    UserDetails details = userDetailsService.loadUserByUsername("mike");
    if (details != null && details.getAuthorities().stream()
      .anyMatch(a -> a.getAuthority().equals("ADMIN"))) {
        // ...
    }
}

Again, we must use the authority name here, not the full role name with prefix.

The benefit of this approach is that we can check roles for any user, not just the one who made the request.

2.4. Servlet Request

If we're using Spring MVC, we can also check user roles in Java using the HttpServletRequest class:

@GetMapping("/users")
public String getUsers(HttpServletRequest request) {
    if (request.isUserInRole("ROLE_ADMIN")) {
        ...
    }
}

3. Conclusion

In this article, we have seen several different ways to check for roles using Java code with Spring Security.

As always, the code examples from this article can be found over on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
Comments are closed on this article!