thymeleaf-extras-springsecurity
sec:authorize doesn't display expected behaviour
Summary
I'm using Spring Cloud Gateway (which uses WebFlux), but there is a bug which is preventing me from displaying content to ONLY those who are not logged in (using Thymeleaf).
Actual Behavior
- elements with sec:authorize="isAuthenticated()" work fine and display expected behaviour
- however sec:authorize="!isAuthenticated()" does not seem to work. When the user is not authenticated, then nothing is shown. If the user is authenticated, an exception is thrown. (Caused by: org.thymeleaf.exceptions.TemplateProcessingException: Authorization-oriented expressions (such as those in 'sec:authorize') are restricted in WebFlux applications due to a lack of support in the reactive side of Spring Security (as of Spring Security 5.1). Only a minimal set of security expressions is allowed: [isAuthenticated(), isFullyAuthenticated(), isAnonymous(), isRememberMe()] (template: "login" - line 66, col 8))
- elements with sec:authorize="isAnonymous()" never display
Expected Behavior
- sec:authorize="!isAuthenticated()" should display content to users that haven't been authenticated, and shouldn't display anything to users that have logged in
- sec:authorize="isAnonymous()" should display content to users that haven't been authenticated, and shouldn't display anything to users that have logged in
Configuration
I have my Spring Security dialect bean defined, as I know this causes issues for some:

    @Bean
    public SpringSecurityDialect springSecurityDialect() {
        return new SpringSecurityDialect();
    }

It's importing org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
Version
- Spring Boot 2.2.4.RELEASE and 2.2.5.RELEASE
@ultraq
Try adding the code below, which worked for me:
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"