Explain Codes LogoExplain Codes Logo

When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?

java
dependency-injection
security-context
spring-security
Alex KataevbyAlex Kataev·Mar 13, 2025
TLDR

To retrieve the current username in a Spring Security context, utilize the following snippet:

// Who's your daddy?
String username = SecurityContextHolder.getContext().getAuthentication().getName();

Caution: Run the code during an authenticated session to avoid misconceptions.

Exploring retrieval options

The technique shown above is spot-on for many situations, but it has its drawbacks. It isn't the most test-friendly or flexible solution. Therefore, it might be wiser to use a well-defined interface to make your codebase more modular:

// Where does Batman keep his spare suit? Last I checked, it's the ward-robe!
public interface UserIdentity {
    String getCurrentUsername();
}

Creating an interface facilitates unit testing by allowing for a mock implementation with frameworks like Mockito, providing leeway for future alterations in the retrieval mechanism.

Dependency injection strategy

In lieu of directly using the SecurityContextHolder in your beans, inject the Authentication or SecurityContext. Such an approach promotes loose coupling and enables strict control over your security context:

@Autowired
private Authentication authentication;

// "Hello! It's me." - Adele, probably
public String getCurrentUsername() {
    return authentication.getName();
}

Be aware, injecting SecurityContext directly into beans might cause threading issues since SecurityContextHolderStrategy uses ThreadLocal to store contexts.

Thread cycle and web context

In a web situation, different threads could handle your beans. Hence, understanding SecurityContextHolderStrategy's threading outcomes and lifecycle is paramount. Discussing potential solutions for this issue on a Jira thread has led to suggestions like introducing a getter for the actual SecurityContextHolderStrategy. This would help manage contexts across multiple threads.

Security context and facades

For a production environment, consider opting for a SecurityContextHolderFacade. This facade wraps the access to the SecurityContextHolder, resulting in a more protected and manageable injection into your beans.

Web-layer access

From within a controller, the Principal can be accessed directly from a @RequestMapping method, thus bypassing any direct contact with the SecurityContextHolder:

@RequestMapping("/user")
@ResponseBody
// "A user walks into a controller. The controller says, 'Who are you?'"
public String currentUserName(Principal principal) {
    return principal.getName();
}

This method honors the principle of least privilege, ensuring that the bean accesses just the information it needs.

Future-proof approach

It's essential to future-proof your retrieval strategy to anticipate potential updates to Spring Security. Stay updated with Spring's recommendations and best practices to keep your application secure and maintainable.

explain-codes / Java / When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
Linked

How to get active user's UserDetails

Unit testing with Spring Security

How to verify a method of a non-mock object is called?

Mocking member variables of a class using Mockito

Getting Spring Application Context

Can Mockito capture arguments of a method called multiple times?

Populating Spring @Value during Unit Test

Exploring retrieval optionsDependency injection strategyThread cycle and web contextSecurity context and facadesWeb-layer accessFuture-proof approach
Linked

How to get active user's UserDetails

Unit testing with Spring Security

How to verify a method of a non-mock object is called?

Mocking member variables of a class using Mockito

Getting Spring Application Context

Can Mockito capture arguments of a method called multiple times?

Populating Spring @Value during Unit Test