Even though JSPs have fallen out of fashion lately, they are still a core part of many enterprise infrastructures. In this tutorial, we’ll show you how to secure them using the excellent Spring Security suite and Stormpath’s Spring Boot integration for user management.

JSPs and Spring Boot

We’ll start by serving up a simple JSP homepage using Spring Boot. The most basic JSP is plain HTML with a variable or two thrown in.

If rendered correctly we should see ‘Hello, World!’ when loading the code. To do this we first put it into the src/main/webapp/WEB-INF/jsp directory.

JSP Directory

Then inside of application.properties we need to specify where our JSP files reside.

Now create a basic Application.java.

And then create an even more basic Request.java.

Mapping a forward slash to home really means the file home.jsp with the path defined in our application.properties.

The last thing we need is a pom.xml. Here we include the Spring Boot Starter Parent (so we don’t have to specify dependency versions), the Spring Boot Maven Plugin (so we can run our app directly), the Tomcat Jasper (to serve our JSPs) and the Spring Boot Starter Web (for route controlling).

Now when we run with mvn spring-boot:run and visit localhost:8080 we should see our hello world message.

JSP Hello World

Add Security

Spring Security is divided into two parts, authentication, and authorization. The first ensures your user identity while the second handles what the user can and can’t do.

To authenticate we are going to use Stormpath’s Java integration which is as simple as adding http.apply(stormpath()) to a basic security adapter.

We also need to add our Stormpath application details to our application.properties.

Note: For security reasons you should not store your Stormpath keys inside of Java files. Rather use environment variables. See here.

In addition we need to add the Stormpath starter to our pom.xml.

However, this includes Thymeleaf templating which clashes with Jasper (which we use to serve our JSPs). We need to exclude it. Instead of the above code use the following.

If you restart your application and refresh the homepage you should see Stormpath trying to log you in. This is because we haven’t specified access controls per page. By default everything is locked down.


Typing in the details for a user account in your Stormpath application should take you to the ‘Hello, World!’ message as before.


Finally to illustrate authorization we will use Spring Security’s JSP tag libraries which allows us to control behaviour based on Access Expressions (we’ll deal with those in a second).

First we add the tag libraries to our pom.xml.

Next we import the library to our JSP by adding the following line to the top.

With that we can use the special sec tags to control how the JSP is rendered. For example take the following section of code.

Only users with authority supervisor will be able to see the code in between the tags.

Role, Authority, and Access Expressions

Spring Security allows you to define policies on methods and attributes using the Spring Expression Language. For example you could use the @PreAuthorize annotation to specify whether a user can access a function.

Part of the expression language is the concept of Role and Authority Spring Security uses in order to associate rights to users. To illustrate this take a look at the following xml config excerpt used before the Java configurations that are popular today today.

This is how we would say who was allowed to see the /admin and /dba urls. It is not per user but per role. We then have to define who has what role when creating users.

Note: In Stormpath we use hasAuthority throughout. This is because hasRole is the same as hasAuthority but just with the string ‘ROLE_’ prepended. See details of our Spring Boot migration for more.

Stormpath Groups

Groups in Stormpath

Groups in Stormpath are analogous to Spring Security authorities. And to specify a group we use the href shown when you open the group up in the Stormpath Admin Console.

If we add the referenced group to the user we logged in with previously and reload, we should see the message inside the sec tags.

New secure Hello World

In this way, we can control who is allowed to access which sections of code such as buttons and forms.

JSP + Stormpath FTW

Hopefully, you can see how easy it is to secure your JSPs using Stormpath and Spring Security. With just a few files you can create a flexible system that allows centrally managing users and controlling what they can see and do based on the groups they belong to.

Interested in learning more about user management with Stormpath? Well you’re in luck, because we’ve got everything you need to get started!