Closed wimdeblauwe closed 5 years ago
I've not been able to reproduce this :(
Could you please provide a bit more detail on your Spring Security configuration or (ideally) provide a test Spring Boot webapp replicating this issue? One of our sandbox applications does call sec:authorize="isAuthenticated()"
in a Spring MVC environment: https://github.com/thymeleaf/thymeleafsandbox-springsecurity-mvc/blob/3.0-spring5/src/main/resources/templates/index.html#L9-L10 so you could easily use it as a base and maybe modify its Spring Security configuration to resemble yours and try to reproduce the issue. Note it is a Spring Boot 2.1 (snapshot) app, but you can easily modify the pom.xml for it to use Spring Boot 2.0.5.
Found the issue. With Spring Boot 2.0.5, I rely on Spring Boot to create a SpringSecurityDialect
bean. However, by switching to this new thymeleaf-extras-springsecurity5, Spring Boot no longer creates this bean. I noticed the sandbox app has this:
// TODO * Configuring this bean should not be needed once Spring Boot's Thymeleaf starter includes configuration
// TODO for thymeleaf-extras-springsecurity5 (instead of thymeleaf-extras-springsecurity4)
@Bean
public SpringSecurityDialect securityDialect() {
return new SpringSecurityDialect();
}
Once I manually added this to my own application, all was fine.
Seems I should probably just wait for Spring Boot 2.0.6 (https://twitter.com/snicoll/status/1051766989667090432) which will fix this automatically.
The note on https://github.com/thymeleaf/thymeleaf-extras-springsecurity
NOTE: If we are using Thymeleaf in a Spring Boot application, all that will be needed is to add the corresponding Thymeleaf and Spring Security starters to our application as well as the thymeleaf-extras-springsecurity[3|4|5] dependency, and this dialect will be automatically configured for us.
could maybe use some extra info on what the minimum Spring Boot version is to have support for each of the thymeleaf-extras-springsecurity versions?
Change your file pom.xml, and add this these dependencies:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
Now in your html file add:
<!DOCTYPE html>
<html lang="es" xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
that is all 😉
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
</div>
NOTE: Do not forget enable @EnableWebSecurity in your spring config file
Thanks a lot mate!!!
I have done all of the above and with TRACE logging on org.thymeleaf I don't see any evidence that the sec:authorize tags are being processed.
When I look at the HTML source the sec:authorize tags are still there. That seems wrong.
I tried @vwilmerfm solution, but it still has a problem in showing elements in HTML by authority. Spring version: 2.5.9. with the below dependencies.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
I tried @vwilmerfm solution, but it still has a problem in showing elements in HTML by authority. Spring version: 2.5.9. with the below dependencies.
I've encountered the same issue. After a long search I noticed that another package thymeleaf-extras-springsecurity6
existed whereas everyone was recommending thymeleaf-extras-springsecurity5
online.
Once changed my issues were resolved.
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.0.4</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
@sproclavism ´s solution worked for me as well!, thanks!
I have a Spring Boot 2.0.5 application that uses thymeleaf-extras-springsecurity4 currently. I tried updating to thymeleaf-extras-springsecurity5, by changing the version in my pom.xml to:
with:
In my templates, I have this:
This works perfectly fine with thymeleaf-extras-springsecurity4, but not anymore if I update to thymeleaf-extras-springsecurity5. There are no exceptions, but the content is visbile even if no user is authenticated.
I also changed the
<html>
declaration from:to:
But that did not fix it.
Am I doing something wrong? This is a regular Spring MVC application, not using anything reactive.