thymeleaf / thymeleaf-extras-springsecurity

Thymeleaf "extras" integration module for Spring Security 3.x and 4.x
http://www.thymeleaf.org
Apache License 2.0

sec:authorize="isAuthenticated()" no longer works with thymeleaf-extras-springsecurity5 #61

Closed wimdeblauwe closed 5 years ago

wimdeblauwe commented 5 years ago

I have a Spring Boot 2.0.5 application that uses thymeleaf-extras-springsecurity4 currently. I tried updating to thymeleaf-extras-springsecurity5, by changing the version in my pom.xml to:

    <thymeleaf.version>3.0.10.RELEASE</thymeleaf.version>
    <thymeleaf-layout-dialect.version>2.3.0</thymeleaf-layout-dialect.version>
    <thymeleaf-spring-data-dialect.version>3.3.1</thymeleaf-spring-data-dialect.version>
    <thymeleaf-extras-springsecurity5.version>3.0.3.RELEASE</thymeleaf-extras-springsecurity5.version>
    <thymeleaf-extras-java8time.version>3.0.1.RELEASE</thymeleaf-extras-java8time.version>

with:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        <version>${thymeleaf-extras-springsecurity5.version}</version>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-java8time</artifactId>
        <version>${thymeleaf-extras-java8time.version}</version>
    </dependency>
    <dependency>
        <groupId>io.github.jpenren</groupId>
        <artifactId>thymeleaf-spring-data-dialect</artifactId>
        <version>${thymeleaf-spring-data-dialect.version}</version>
    </dependency>
    <dependency>
        <groupId>nz.net.ultraq.thymeleaf</groupId>
        <artifactId>thymeleaf-layout-dialect</artifactId>
    </dependency>

In my templates, I have this:

    <th:block sec:authorize="isAuthenticated()">
    ...
    </th:block>

This works perfectly fine with thymeleaf-extras-springsecurity4, but not anymore if I update to thymeleaf-extras-springsecurity5. There are no exceptions, but the content is visible even if no user is authenticated.

I also changed the <html> declaration from:

    <html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

to:

    <html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

But that did not fix it.

Am I doing something wrong? This is a regular Spring MVC application, not using anything reactive.

danielfernandez commented 5 years ago

I've not been able to reproduce this :(

Could you please provide a bit more detail on your Spring Security configuration or (ideally) provide a test Spring Boot webapp replicating this issue? One of our sandbox applications does call sec:authorize="isAuthenticated()" in a Spring MVC environment: https://github.com/thymeleaf/thymeleafsandbox-springsecurity-mvc/blob/3.0-spring5/src/main/resources/templates/index.html#L9-L10 so you could easily use it as a base and maybe modify its Spring Security configuration to resemble yours and try to reproduce the issue. Note it is a Spring Boot 2.1 (snapshot) app, but you can easily modify the pom.xml for it to use Spring Boot 2.0.5.

wimdeblauwe commented 5 years ago

Found the issue. With Spring Boot 2.0.5, I rely on Spring Boot to create a SpringSecurityDialect bean. However, by switching to this new thymeleaf-extras-springsecurity5, Spring Boot no longer creates this bean. I noticed the sandbox app has this:

    // TODO * Configuring this bean should not be needed once Spring Boot's Thymeleaf starter includes configuration
    // TODO   for thymeleaf-extras-springsecurity5 (instead of thymeleaf-extras-springsecurity4)
    @Bean
    public SpringSecurityDialect securityDialect() {
        return new SpringSecurityDialect();
    }

Once I manually added this to my own application, all was fine.

Seems I should probably just wait for Spring Boot 2.0.6 (https://twitter.com/snicoll/status/1051766989667090432) which will fix this automatically.

The note on https://github.com/thymeleaf/thymeleaf-extras-springsecurity

NOTE: If we are using Thymeleaf in a Spring Boot application, all that will be needed is to add the corresponding Thymeleaf and Spring Security starters to our application as well as the thymeleaf-extras-springsecurity[3|4|5] dependency, and this dialect will be automatically configured for us.

could maybe use some extra info on what the minimum Spring Boot version is to have support for each of the thymeleaf-extras-springsecurity versions?

vwilmerfm commented 5 years ago

Change your pom.xml file and add these dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>

Now in your html file add:

    <!DOCTYPE html>
    <html lang="es" xmlns="http://www.w3.org/1999/xhtml"
          xmlns:th="http://www.thymeleaf.org"
          xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

that is all 😉

    <div sec:authorize="isAuthenticated()">
        Text visible only to authenticated users.
    </div>

NOTE: Do not forget to enable @EnableWebSecurity in your spring config file

rajiv7 commented 5 years ago

Thanks a lot mate!!!

breitling commented 4 years ago

I have done all of the above and with TRACE logging on org.thymeleaf I don't see any evidence that the sec:authorize tags are being processed.

When I look at the HTML source the sec:authorize tags are still there. That seems wrong.
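
A regression test for the failure discussed in this thread, added here as an example (it is not code from the issue or from the Thymeleaf project): when no SpringSecurityDialect is registered, sec:authorize stays in the output unprocessed and the element renders for everyone, with no exception. It assumes JUnit 5 with spring-boot-starter-test and spring-security-test on the test classpath, and a hypothetical `/` endpoint open to anonymous users whose template contains the `<div sec:authorize="isAuthenticated()">` snippet shown earlier; the class name and the user `alice` are made up.

```java
// Added example: regression test for unprocessed sec:authorize attributes.
// Assumptions: JUnit 5, spring-security-test on the test classpath, and "/"
// open to anonymous users and rendering the protected <div> shown above.
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecAuthorizeRenderingTest {

    // Text inside the protected element of the template under test (assumed).
    private static final String PROTECTED_TEXT = "Text visible only to authenticated users.";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousRequestGetsNeitherProtectedTextNorRawAttribute() throws Exception {
        mockMvc.perform(get("/").with(anonymous()))
                .andExpect(status().isOk())
                // A leftover attribute means no security dialect processed the template.
                .andExpect(content().string(not(containsString("sec:authorize"))))
                // Fail-open symptom from the report: protected markup sent to anonymous users.
                .andExpect(content().string(not(containsString(PROTECTED_TEXT))));
    }

    @Test
    void authenticatedRequestGetsProtectedTextWithoutRawAttribute() throws Exception {
        mockMvc.perform(get("/").with(user("alice"))) // "alice" is a constructed test user
                .andExpect(status().isOk())
                .andExpect(content().string(containsString(PROTECTED_TEXT)))
                .andExpect(content().string(not(containsString("sec:authorize"))));
    }
}
```

Because it asserts on rendered output, the same test fails whether the cause is a missing dialect bean or an extras artifact that does not match the Spring Security version in use.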

faramarzaf commented 2 years ago

I tried @vwilmerfm solution, but it still has a problem in showing elements in HTML by authority. Spring version: 2.5.9. with the below dependencies.

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        </dependency>

sproclavism commented 1 year ago

I tried @vwilmerfm solution, but it still has a problem in showing elements in HTML by authority. Spring version: 2.5.9. with the below dependencies.

I've encountered the same issue. After a long search I noticed that another package thymeleaf-extras-springsecurity6 existed whereas everyone was recommending thymeleaf-extras-springsecurity5 online. Once changed my issues were resolved.

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.4</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity6</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

alixandresantana commented 10 months ago

@sproclavism's solution worked for me as well! Thanks!