Spring Security Redirect Users After Login Based on Roles
- Written by Nam Ha Minh
- Last Updated on 08 May 2021
In this Spring Security post, I’d like to share the steps and code examples for redirecting authenticated users based on their roles in a Java Spring Boot web application. For example, when an Admin user logs in, he will see the Admin dashboard page. Likewise, a user with the Editor role will see the Editor dashboard page upon successful authentication, and so on for other users with other roles.
Suppose that you’re developing a Java web application based on Spring Boot Web, Spring Data JPA, Hibernate, Spring Security, Thymeleaf and MySQL database – with user authentication and role-based authorization already implemented.
1. Implement hasRole method in User class
The application will need to check whether the currently logged-in user has a specific role. So code the hasRole() method in the User entity class as follows:

```java
package net.codejava;

import java.util.*;
import javax.persistence.*;

@Entity
@Table(name = "users")
public class User {

    @ManyToMany(cascade = CascadeType.PERSIST, fetch = FetchType.EAGER)
    @JoinTable(
            name = "users_roles",
            joinColumns = @JoinColumn(name = "user_id"),
            inverseJoinColumns = @JoinColumn(name = "role_id")
    )
    private Set<Role> roles = new HashSet<>();

    // Returns true if one of the user's roles has the given name
    public boolean hasRole(String roleName) {
        Iterator<Role> iterator = this.roles.iterator();
        while (iterator.hasNext()) {
            Role role = iterator.next();
            if (role.getName().equals(roleName)) {
                return true;
            }
        }
        return false;
    }

    // other fields, getters and setters are not shown for brevity
}
```
The hasRole() method returns true if the user is assigned the specified role, or false otherwise. Also update your custom UserDetails class, adding a hasRole() method as shown below:

```java
package net.codejava;

import java.util.*;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class CustomUserDetails implements UserDetails {

    private User user;

    public CustomUserDetails(User user) {
        this.user = user;
    }

    // Each role name becomes one granted authority (no "ROLE_" prefix is added)
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Set<Role> roles = user.getRoles();
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }
        return authorities;
    }

    // Delegates to the wrapped User entity
    public boolean hasRole(String roleName) {
        return this.user.hasRole(roleName);
    }

    // other overridden methods are not shown
}
```
Spring Security will return a new instance of this UserDetails class upon successful authentication. This class wraps an instance of User so the hasRole() method here simply delegates the call to the User class.
2. Code Authentication Success Handler
Next, code a class that extends an implementation of AuthenticationSuccessHandler, such as SavedRequestAwareAuthenticationSuccessHandler, like the following:

```java
package net.codejava;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {

        CustomUserDetails userDetails = (CustomUserDetails) authentication.getPrincipal();

        // Default: the application root; overridden by the first matching role below
        String redirectURL = request.getContextPath();

        if (userDetails.hasRole("Salesperson")) {
            redirectURL = "sales_home";
        } else if (userDetails.hasRole("Editor")) {
            redirectURL = "editor_home";
        } else if (userDetails.hasRole("Shipper")) {
            redirectURL = "shipper_home";
        }

        response.sendRedirect(redirectURL);
    }
}
```
The onAuthenticationSuccess() method is invoked by Spring Security upon a user’s successful login, so it is the natural place for the code that redirects authenticated users based on their roles. Note that the roles are checked in order, so a user who holds several of these roles is sent to the page of the first one that matches.
3. Configure Spring Security to Use Success Handler
Then update the Spring Security configuration class to use the authentication success handler as follows:

```java
package com.shopme.admin.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .successHandler(loginSuccessHandler)   // role-based redirect after login
                .permitAll()
                .and()
            .logout().permitAll();
    }

    @Autowired
    private LoginSuccessHandler loginSuccessHandler;
}
```
To learn more about using authentication success handler, refer to this article: Spring Security Authentication Success Handler Examples.
4. Update View Layer
This part is optional. If the role-based view pages (editor home, admin dashboard, etc.) do not have corresponding handler methods in the controller layer, you can configure the view name resolution in a Spring MVC configuration class as follows:

```java
package net.codejava;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfig implements WebMvcConfigurer {

    // Maps each URL straight to a view template, with no controller method needed
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("index");
        registry.addViewController("/sales_home").setViewName("sales_home");
        registry.addViewController("/editor_home").setViewName("editor_home");
        registry.addViewController("/shipper_home").setViewName("shipper_home");
    }
}
```
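As an added example (my code, not the article's), the following variant of the success handler keeps the same role-to-page mapping but reads the granted authorities instead of casting the principal, falls back to the superclass so a saved request is still honoured when no role matches, and uses Spring's redirect strategy so the context path is prepended automatically. The class name RoleTargetUrlSuccessHandler and the resolveTargetUrl helper are assumptions of this example.

```java
package net.codejava;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

// Hypothetical alternative to LoginSuccessHandler; not part of the original article
@Component
public class RoleTargetUrlSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Role name -> landing page. Insertion order decides priority for users holding several roles.
    private static final Map<String, String> ROLE_TARGETS = new LinkedHashMap<>();
    static {
        ROLE_TARGETS.put("Salesperson", "/sales_home");
        ROLE_TARGETS.put("Editor", "/editor_home");
        ROLE_TARGETS.put("Shipper", "/shipper_home");
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        String target = resolveTargetUrl(authentication);
        if (target == null) {
            // No role-specific page: keep the default behaviour (saved request, then default target URL)
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }
        clearAuthenticationAttributes(request); // same session cleanup the superclass performs
        // The redirect strategy prefixes the context path, so this also works when the app is not at "/"
        getRedirectStrategy().sendRedirect(request, response, target);
    }

    // Matches on authority names, so any UserDetails implementation works, not only CustomUserDetails
    String resolveTargetUrl(Authentication authentication) {
        for (Map.Entry<String, String> entry : ROLE_TARGETS.entrySet()) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (entry.getKey().equals(authority.getAuthority())) {
                    return entry.getValue();
                }
            }
        }
        return null;
    }
}
```

Only one success handler bean should be registered with .successHandler(), so use this class in place of LoginSuccessHandler rather than alongside it.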
That’s all about how to redirect users based on roles in a Java web application based on Spring Boot and Spring Security. I hope you found this article helpful.
To see the coding in action, I recommend you watch the following video:
Comments
Do you mean downloading code? There's no downloadable code for this article.
Thanks a lot for your wonderful articles!
You are a great help to many developers.
Could you please make link for downloading tutorial "Spring Security Redirect Users After Login Based on Roles"?
Thank you.