Spring Security Redirect Users After Login Based on Roles

Details
Written by  
Last Updated on 08 May 2021   |   Print  Email


In this Spring Security post, I’d like to share the steps and code examples on how to redirect authenticated users based on their roles in a Java Spring Boot web application. For example, when an Admin user logs in, he will see the Admin dashboard page. Likewise, a user with role Editor will see Editor dashboard page upon successful authentication. And so on for different users with different roles.

Suppose that you’re developing a Java web application based on Spring Boot Web, Spring Data JPA, Hibernate, Spring Security, Thymeleaf and MySQL database – with user authentication and role-based authorization already implemented.

 

1. Implement hasRole method in User class

The application will need to check if the currently logged-in user has a specific role or not. So code the hasRole()method in the User entity class as follows:

package net.codejava;

import java.util.*;
import javax.persistence.*;

@Entity
@Table(name = "users")
public class User {
	
	@ManyToMany(cascade = CascadeType.PERSIST, fetch = FetchType.EAGER)
	@JoinTable(
			name = "users_roles",
			joinColumns = @JoinColumn(name = "user_id"),
			inverseJoinColumns = @JoinColumn(name = "role_id")
			)
	private Set<Role> roles = new HashSet<>();
	
	public boolean hasRole(String roleName) {
		Iterator<Role> iterator = this.roles.iterator();
		while (iterator.hasNext()) {
			Role role = iterator.next();
			if (role.getName().equals(roleName)) {
				return true;
			}
		}
		
		return false;
	}
	
	// other fields, getters and setters are not shown for brevity
}
The hasRole() method will return true if the user is assigned with the specified role, or false otherwise. And also update your custom UserDetails class – adding the hasRole() method as shown below:

package net.codejava;

public class CustomUserDetails implements UserDetails {
	private User user;
	
	public CustomUserDetails(User user) {
		this.user = user;
	}

	@Override
	public Collection<? extends GrantedAuthority> getAuthorities() {
		Set<Role> roles = user.getRoles();
		List<SimpleGrantedAuthority> authorities = new ArrayList<>();
		
		for (Role role : roles) {
			authorities.add(new SimpleGrantedAuthority(role.getName()));
		}
		return authorities;
	}

	
	public boolean hasRole(String roleName) {
		return this.user.hasRole(roleName);
	}
	
	// other overriden methods are not shown
}
Spring Security will return a new instance of this UserDetails class upon successful authentication. This class wraps an instance of User so the hasRole() method here simply delegates the call to the User class.


2. Code Authentication Success Handler

Next, code a class that extends an implementation of AuthenticationSuccessHandler, such as SavedRequestAwareAuthenticationSuccessHander like the following code:

package net.codejava;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws ServletException, IOException {

		CustomUserDetails userDetails = (CustomUserDetails) authentication.getPrincipal();
		
		String redirectURL = request.getContextPath();
		
		if (userDetails.hasRole("Salesperson")) {
			redirectURL = "sales_home";
		} else if (userDetails.hasRole("Editor")) {
			redirectURL = "editor_home";
		} else if (userDetails.hasRole("Shipper")) {
			redirectURL = "shipper_home";
		}
		
		response.sendRedirect(redirectURL);
		
	}

}
You know, the onAuthenticationSuccess() method will be invoked by Spring Security upon user’s successful login. So it’s very logically to put the redirection code in this method, for redirecting the authenticated users based on their roles. The code example is self-explanatory so I don’t have to explain further.


3. Configure Spring Security to Use Success Handler

And update the Spring Security configuration class to use the authentication success handler class as follows:

package com.shopme.admin.security;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


	@Override
	protected void configure(HttpSecurity http) throws Exception {

		http.authorizeRequests()
			.anyRequest().authenticated()
			.and()
			.formLogin()
				.loginPage("/login")
				.usernameParameter("email")
				.successHandler(loginSuccessHandler)
				.permitAll()
			.and()
			.logout().permitAll();
	}
	
	@Autowired private LoginSuccessHandler loginSuccessHandler;
}


To learn more about using authentication success handler, refer to this article: Spring Security Authentication Success Handler Examples.


4. Update View Layer

This part is optional. If the role-based view pages (editor home, admin dashboard, etc) do not have corresponding handler methods in controller layer, you can configure the view name resolution in a Spring MVC configuration as follows:

package net.codejava;

@Configuration
public class MvcConfig implements WebMvcConfigurer {

	@Override
	public void addViewControllers(ViewControllerRegistry registry) {
		registry.addViewController("/").setViewName("index");
		registry.addViewController("/sales_home").setViewName("sales_home");
		registry.addViewController("/editor_home").setViewName("editor_home");
		registry.addViewController("/shipper_home").setViewName("shipper_home");
	}

}
That’s all about how to redirect users based on roles in a Java web application based on Spring Boot and Spring Security. I hope you found this article helpful.

To see the coding in action, I recommend you to watch the following video:

 

Related Spring Security Tutorials:

 

Other Spring Boot Tutorials:


About the Author:

is certified Java programmer (SCJP and SCWCD). He started programming with Java in the time of Java 1.4 and has been falling in love with Java since then. Make friend with him on Facebook and watch his Java videos you YouTube.



Add comment

   


Comments 

#3Leo2023-09-22 06:28
Can I get get the link to the code?
Quote
#2Nam2021-08-21 06:19
You're welcome, Jack.
Do you mean downloading code? There's no downloadable code for this article.
Quote
#1Jack2021-08-20 07:08
Dear Nam,
Thanks a lot for your wonderful articles!
You are a great help to many developers.
Could you please make link for downloading tutorial "Spring Security Redirect Users After Login Based on Roles"?
Thank you.
Quote