Spring Security JSP Tag Library: How to Secure JSP Pages with Examples
Last Updated : 9 Oct, 2025
Spring Security provides a powerful JSP Tag Library that allows developers to manage authentication and authorization directly in JSP files. This enables role-based access control, displaying user information, and protecting forms without writing Java code in the JSP.
**Prerequisites**
- Java 11 or later
- Maven or Gradle
- Spring Boot with Spring Security (Latest version: 6.x)
- JSP and Servlet API
Step 1: Add Spring Security Dependencies
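Add the following dependencies to your **pom.xml**:
```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>6.2.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>6.2.0</version>
</dependency>
```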
The spring-security-taglibs dependency provides the JSP tag library required for securing pages.
Step 2: Configure Spring Security
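**Java Config (Recommended for Spring Security 6+):**
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // URL rules are the actual access control; the JSP tags only decide what is rendered
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home")
                .permitAll() // the custom login page must be reachable without authentication
            )
            .logout(logout -> logout
                .logoutSuccessUrl("/login?logout")
            );
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails admin = User.withUsername("admin")
            .password("{noop}admin123") // For demo only, use BCryptPasswordEncoder in production
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(admin);
    }
}
```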
**Legacy XML Configuration (Optional):**
XML `
`
Step 3: Use Spring Security Tags in JSP
Add the tag library declaration at the top of your JSP:
```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
```
**1. Role-Based Access (authorize)**
```jsp
<sec:authorize access="hasRole('ADMIN')">
    <p>Admin-only content!</p>
    <p>Admin Dashboard</p>
</sec:authorize>
```
**2. Display User Info (authentication)**
```jsp
Welcome, <sec:authentication property="name"/>! Your roles: <sec:authentication property="authorities"/>
```
**3. CSRF Protection (csrfInput)**
```jsp
<form method="post">
    <sec:csrfInput />
    <button type="submit">Submit</button>
</form>
```
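**4. Logout Button (logout)**
```jsp
<sec:authorize access="isAuthenticated()">
    <form action="/logout" method="post">
        <sec:csrfInput />
        <button type="submit">Logout</button>
    </form>
</sec:authorize>
```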
Other Useful JSP Security Tags
- **sec:authorize**: Controls access to parts of a page based on roles or authentication
- **sec:authentication**: Displays information about the current user (username, roles)
- **sec:csrfInput**: Generates a hidden input field with the CSRF token for forms
- **sec:csrfMetaTags**: Adds CSRF tokens as meta tags for JavaScript usage
- **sec:http**: Generates HTTP method input fields for forms
- **sec:logout**: Creates a logout link/button
- **sec:accessDenied**: Displays content when a user is not authorized to access a page
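For the `sec:csrfMetaTags` entry above, this added example (not code from the original page) shows one way page JavaScript can read the rendered `_csrf` and `_csrf_header` meta tags and attach the token only to state-changing, same-origin requests. The names `readCsrfMeta`, `csrfHeadersFor`, `csrfFetch` and `fakeDocument` are hypothetical, and the token value used with `fakeDocument` is constructed.

```javascript
// Added example, not from the original page. Assumes the page <head> contains
// <sec:csrfMetaTags />, which renders <meta name="_csrf"> and <meta name="_csrf_header">.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the token and its header name from the rendered meta tags.
function readCsrfMeta(doc) {
  const get = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute("content") : null;
  };
  const token = get("_csrf");
  const header = get("_csrf_header");
  return token && header ? { header, token } : null;
}

// Headers to add for one request. The token goes only on state-changing,
// same-origin requests, so it is never sent to another origin.
function csrfHeadersFor(doc, pageOrigin, url, method = "GET") {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  const target = new URL(url, pageOrigin);
  if (target.origin !== new URL(pageOrigin).origin) return {};
  const meta = readCsrfMeta(doc);
  if (!meta) throw new Error("CSRF meta tags missing from the page head");
  return { [meta.header]: meta.token };
}

// Browser usage: fetch wrapper (expects options.headers as a plain object).
function csrfFetch(url, options = {}) {
  const extra = csrfHeadersFor(document, window.location.origin, url, options.method);
  return fetch(url, { ...options, headers: { ...(options.headers || {}), ...extra } });
}

// Constructed stand-in for `document`, to exercise the helper outside a browser.
function fakeDocument(metas) {
  return {
    querySelector(selector) {
      const m = /^meta\[name="(.+)"\]$/.exec(selector);
      const content = m ? metas[m[1]] : undefined;
      return content === undefined ? null : { getAttribute: () => content };
    },
  };
}
```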
Complete Example: Admin Dashboard
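**admin.jsp:**
```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html><head><title>Admin Panel</title></head><body>
<sec:authorize access="hasRole('ADMIN')">
    <h1>Admin Dashboard</h1>
    <p>Logged in as: <sec:authentication property="name"/></p>
    <form action="/logout" method="post"><sec:csrfInput /><button type="submit">Logout</button></form>
</sec:authorize>
</body></html>
```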
- Only users with the ADMIN role can view the dashboard content.
- The page displays the logged-in username and provides a secure logout button.
- CSRF tokens are automatically included in forms using `<sec:csrfInput />`.
- Secure pages without writing Java code in JSP.
- Role-based content rendering is straightforward.
- Simplifies CSRF protection in forms.
- Enables easy display of user information (username, roles).
- Integrates seamlessly with Spring Security authentication and authorization.