Spring Security - Redirect based on User Roles

So far we’ve built a basic spring boot application, enabled spring security and built a basic login form. In the last lesson, we expanded on the first lesson by adding different user roles and the ability to show and hide front-end content based on these roles (User Roles and Thymeleaf Extras).

Today, we’ll be looking at redirecting users with different roles to different pages after they log in.

Source code for this example can be found on GitHub, in the codenerve-com/spring-security repository (an introduction to Spring Security).

Some files are already set up for you from the previous lesson, Spring Security – User Roles and Thymeleaf Extras. Please start from there, or check out the complete code from the link above.


Following on from our previous example, we have created a new Thymeleaf template called admin.html under the templates folder. This is the page we will redirect admins to when they log in. Keep the file name in lower case: the view name "admin" that MvcConfig registers below is resolved to admin.html, and that lookup is case-sensitive on Linux.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>codenerve.com - Welcome!</title>
    <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700" rel="stylesheet">
    <link rel="stylesheet" href="css/style.css">
</head>
<body>
    <!-- [[...]] text inlining HTML-escapes the value, so a hostile username cannot inject markup here -->
    <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>

    <p>Custom administrator page.</p>

    <!-- logout must be a POST; with CSRF disabled (see WebSecurityConfig) it carries no token yet -->
    <form th:action="@{/logout}" method="post">
        <input type="submit" value="Sign Out"/>
    </form>
</body>
</html>

Now, to serve the new admin.html page at the /admin URL, we must register it in our MvcConfig.

As with the previous examples, this is done by creating a class that extends WebMvcConfigurerAdapter and overrides the addViewControllers method, this time registering all the earlier pages of our app plus the new admin page:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // pages from the earlier lessons (the full list is cut off on the original page; these two are assumed)
        registry.addViewController("/index").setViewName("index");
        registry.addViewController("/login").setViewName("login");
        // the new page: GET /admin renders templates/admin.html
        registry.addViewController("/admin").setViewName("admin");
    }
}


The Constructor

In order to decide what to do when users with different roles log in, we have added a new field of type AuthenticationSuccessHandler. Spring supplies it through constructor injection, which works because our CustomAuthenticationSuccessHandler (shown further down) is registered as a bean.

configure method

This method overrides and explicitly configures HttpSecurity. Compared with the last example, we have added two lines.

First, we've added a new antMatcher under the authorizeRequests section, telling Spring Security to allow only a user with the 'ADMIN' role to access any endpoint under '/admin'. Two details matter here. hasRole("ADMIN") is checked against the authority string ROLE_ADMIN (Spring adds the ROLE_ prefix for you), which is the same string our success handler looks for. And matchers are evaluated in order with the first match winning, so the '/admin' rule must come before the catch-all anyRequest() rule. If your app uses Spring MVC, mvcMatchers("/admin/**") (available since Spring Security 4.1) is the safer choice, because it matches requests the same way Spring MVC routes them, including the trailing-slash and suffix variants that an ant pattern does not cover.


Secondly, we've added our CustomAuthenticationSuccessHandler under the formLogin section, via successHandler(...), so that Spring Security asks it where to send the browser when a login succeeds:


configureGlobal method

The configureGlobal method builds our in-memory registry of users. We've added two users, one with the 'USER' role and the other with the 'ADMIN' role. If you are on Spring Security 5 rather than the 4.x this series was written against, in-memory passwords must carry a PasswordEncoder id prefix (for a demo, {noop}password) or you must register a PasswordEncoder bean; otherwise every login fails at runtime with "There is no PasswordEncoder mapped for the id "null"".

Full example:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationSuccessHandler authenticationSuccessHandler;

    // constructor injection: Spring passes in the CustomAuthenticationSuccessHandler bean
    public WebSecurityConfig(AuthenticationSuccessHandler authenticationSuccessHandler) {
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers( "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")   // evaluated as authority "ROLE_ADMIN"
                .anyRequest().authenticated()                // catch-all rule, must stay last
                .and().formLogin()
                    .loginPage("/login").permitAll()         // login form from the earlier lesson
                    .successHandler(authenticationSuccessHandler)
                .and().logout().permitAll()
                .and().csrf().disable(); // we'll enable this in a later blog post
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // demo-only in-memory users; these usernames and passwords are assumed, not from the original post
        // (on Spring Security 5 write the passwords as "{noop}password" or register a PasswordEncoder)
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("ADMIN");
    }
}


As you can see from the sample code below, this class implements Spring Security's AuthenticationSuccessHandler interface and overrides the onAuthenticationSuccess method. Wiring it in replaces the default SavedRequestAwareAuthenticationSuccessHandler, so a user who was bounced to the login page from a deep link is no longer returned to that link after logging in; everyone lands on their role's page.

Once a user has successfully logged in, this method is called and the user's granted authorities are checked. If they include ROLE_ADMIN we redirect to the '/admin' HTTP endpoint, otherwise we redirect to the '/index' endpoint. Two things are worth noting. The redirect target is chosen server-side from the authenticated principal's authorities, never from a request parameter, so there is no open-redirect vector here. And the redirect is a convenience, not access control: what keeps a 'USER' out of '/admin' is the hasRole("ADMIN") matcher in WebSecurityConfig, which applies however the user arrives at that URL.

The browser follows the redirect with a new GET request, which passes through the security filter chain again (so a non-admin somehow sent to /admin still receives 403) before our MvcConfig serves the matching HTML page through the view controller we registered previously.

import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component // registered as a bean so WebSecurityConfig can receive it by constructor injection
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {

        // granted authorities as plain strings, e.g. "ROLE_USER" / "ROLE_ADMIN" (roles("ADMIN") adds the ROLE_ prefix)
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());

        // note: a path starting with "/" in sendRedirect is relative to the server root, not the context path
        if (roles.contains("ROLE_ADMIN")) {
            httpServletResponse.sendRedirect("/admin");
        } else {
            httpServletResponse.sendRedirect("/index");
        }
    }
}


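The handler above hard-codes a single two-way decision. As an added example, not taken from the codenerve post or its repository, the following handler generalizes it to an ordered role-to-page mapping: a user holding several roles lands on the page of the highest-ranked one, and a user holding none of the listed roles gets a defined default instead of silently falling into the "else" branch. It extends Spring Security's SimpleUrlAuthenticationSuccessHandler to reuse its RedirectStrategy (which prefixes the servlet context path, unlike a raw sendRedirect("/admin")) and its cleanup of the failed-login exception that may be sitting in the session. The class name, the ROLE_ADMIN/ROLE_USER mapping and the /index default are assumptions chosen to match the rest of this lesson.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/**
 * Added example (not from the original post): sends each user to a landing page chosen
 * from their granted authorities, with an explicit precedence order for multi-role users.
 */
public class RoleBasedAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // insertion order is the precedence order: the first role found wins
    private final Map<String, String> targetUrlByRole = new LinkedHashMap<>();

    public RoleBasedAuthenticationSuccessHandler() {
        // assumed mapping for this example; adapt to the roles defined in configureGlobal()
        targetUrlByRole.put("ROLE_ADMIN", "/admin");
        targetUrlByRole.put("ROLE_USER", "/index");
        // authenticated users holding none of the listed roles land here
        setDefaultTargetUrl("/index");
        setAlwaysUseDefaultTargetUrl(false);
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        String targetUrl = targetUrlFor(authentication);
        // DefaultRedirectStrategy prepends the context path, so this also works
        // when the app is deployed under e.g. /app instead of at the server root
        getRedirectStrategy().sendRedirect(request, response, targetUrl);
        // remove the AUTHENTICATION_EXCEPTION attribute left in the session by an earlier failed attempt
        clearAuthenticationAttributes(request);
    }

    /** Pure decision: resolves the landing page from the granted authorities only, never from the request. */
    String targetUrlFor(Authentication authentication) {
        Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        for (Map.Entry<String, String> entry : targetUrlByRole.entrySet()) {
            if (authorities.contains(entry.getKey())) {
                return entry.getValue();
            }
        }
        return getDefaultTargetUrl();
    }
}
```

Wire it in exactly as CustomAuthenticationSuccessHandler is wired above (annotate it with @Component, or expose it as a @Bean, and pass it to successHandler(...)). The decision is kept in targetUrlFor, separate from the servlet plumbing, so it can be unit-tested with a plain UsernamePasswordAuthenticationToken carrying a list of SimpleGrantedAuthority values, without MockMvc; a token holding both ROLE_USER and ROLE_ADMIN resolves to /admin, one holding only ROLE_USER to /index, and one with neither to the default.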
To run the demo, open the Application class and run it (in an IDE, right-click and choose Run). Port 8080 must be free on your machine. If it is not, change the default in the application.properties file:

server.port=8080

Set this to whatever value you wish.


As always, we have amended and added some tests to cover the new functionality. The first two exercise the authorization rule directly (a 'USER' asking for /admin is refused regardless of any redirect); the last two exercise the success handler by posting the login form and checking where the 302 points:

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

import static org.hamcrest.Matchers.containsString;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class WebSecurityConfigTests { // class name assumed; the original page does not show it

	@Autowired
	private MockMvc mockMvc;

	@Test
	@WithMockUser(roles = "USER")
	public void loginWithRoleUserThenExpectAdminPageForbidden() throws Exception {
		mockMvc.perform(get("/admin")).andExpect(status().isForbidden());
	}

	@Test
	@WithMockUser(roles = "ADMIN")
	public void loginWithRoleAdminThenExpectAdminContent() throws Exception {
		mockMvc.perform(get("/admin"))
			.andExpect(status().isOk())
			.andExpect(content().string(containsString("Custom administrator page.")));
	}

	@Test
	public void loginWithRoleUserThenExpectIndexPageRedirect() throws Exception {
		// credentials match the assumed in-memory users in configureGlobal()
		FormLoginRequestBuilder login = formLogin().user("user").password("password");
		mockMvc.perform(login).andExpect(authenticated()).andExpect(redirectedUrl("/index"));
	}

	@Test
	public void loginWithRoleAdminThenExpectAdminPageRedirect() throws Exception {
		FormLoginRequestBuilder login = formLogin().user("admin").password("password");
		mockMvc.perform(login).andExpect(authenticated()).andExpect(redirectedUrl("/admin"));
	}
}


Next up, we will be covering Spring Security's Cross Site Request Forgery (CSRF) protection, which this example currently leaves disabled.

Michael Whyte

Michael Whyte