Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs.
To use any of the tags, you must have the security taglib declared in your JSP:
    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
 This tag is used to determine whether its contents should be evaluated or not. In
            Spring Security 3.0, it can be used in two ways [18]. The first approach uses a web-security
                expression, specified in the access attribute of the tag.
            The expression evaluation will be delegated to the
                WebSecurityExpressionHandler defined in the
            application context (you should have web expressions enabled in your
                <http> namespace configuration to make sure this service is
            available). So, for example, you might
            have
<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have
the "supervisor" authority in their list of <tt>GrantedAuthority</tt>s.
</sec:authorize>A common requirement is to only show a particular link, if the user is actually allowed to click it. How can we determine in advance whether something will be allowed? This tag can also operate in an alternative mode which allows you to define a particular URL as an attribute. If the user is allowed to invoke that URL, then the tag body will be evaluated, otherwise it will be skipped. So you might have something like
<sec:authorize url="/admin"> This content will only be visible to users who are authorized to send requests to the "/admin" URL. </sec:authorize>
To
            use this tag there must also be an instance of
                WebInvocationPrivilegeEvaluator in your application
            context. If you are using the namespace, one will automatically be registered. This is
            an instance of DefaultWebInvocationPrivilegeEvaluator, which
            creates a dummy web request for the supplied URL and invokes the security interceptor to
            see whether the request would succeed or fail. This allows you to delegate to the
            access-control setup you defined using intercept-url declarations
            within the <http> namespace configuration and saves having to
            duplicate the information (such as the required roles) within your JSPs. This approach
            can also be combined with a method attribute, supplying the HTTP
            method, for a more specific match.
This tag allows access to the current Authentication
            object stored in the security context. It renders a property of the object directly in
            the JSP. So, for example, if the principal property of the
                Authentication is an instance of Spring Security's
                UserDetails object, then using
                <sec:authentication property="principal.username" /> will
            render the name of the current user.
Of course, it isn't necessary to use JSP tags for this kind of thing and some people
            prefer to keep as little logic as possible in the view. You can access the
                Authentication object in your MVC controller (by
            calling SecurityContextHolder.getContext().getAuthentication()) and add the
            data directly to your model for rendering by the view.
This tag is only valid when used with Spring Security's ACL module. It checks a comma-separated list of required permissions for a specified domain object. If the current user has any of those permissions, then the tag body will be evaluated. If they don't, it will be skipped. An example might be
<sec:accesscontrollist hasPermission="1,2" domainObject="someObject"> This will be shown if the user has either of the permissions represented by the values "1" or "2" on the given object. </sec:accesscontrollist>
The permissions are passed to the PermissionFactory
            defined in the application context, converting them to ACL
                Permission instances, so they may be any format which
            is supported by the factory - they don't have to be integers, they could be strings like
                READ or WRITE. If no
                PermissionFactory is found, an instance of
                DefaultPermissionFactory will be used. The
                AclServicefrom the application context will be used
            to load the Acl instance for the supplied object. The
                Acl will be invoked with the required permissions to
            check if any of them are granted.