search

thymeleaf / thymeleaf-spring

Thymeleaf integration module for Spring
http://www.thymeleaf.org
Apache License 2.0
434 stars 156 forks source link

`#httpServletRequest`, `#request` and `#servletContext` are always null in latest milestone 3.1.0-M1 #277

Closed makigumo closed 2 years ago

makigumo commented 2 years ago

Hello!

Please find attached a project (demo.zip) to demonstrate the issue. After running it, please navigate to http://localhost:8080/

This is the source template:

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
  <meta charset="UTF-8">
  <title>Title</title>
</head>
<body>
<p>#request: <span th:text="${#request}">_</span> </p>
<p>#httpServletRequest: <span th:text="${#httpServletRequest}">_</span> </p>
<p>#servletContext: <span th:text="${#servletContext}">_</span> </p>
<script type="javascript">
  // [[${#request}]]
  // [[${#httpServletRequest}]]
  // [[${#servletContext}]]
</script>

</body>
</html>

This is the result with spring boot 3.0.0-M1.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Title</title>
</head>
<body>
<p>#request: <span></span> </p>
<p>#httpServletRequest: <span></span> </p>
<p>#servletContext: <span></span> </p>
<script type="javascript">
  // 
  // 
  // 
</script>

</body>
</html>

This is the expected result, returned after changing to spring boot 2.6.3 in build.gradle.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Title</title>
</head>
<body>
<p>#request: <span>org.apache.catalina.connector.RequestFacade@1b1d9723</span> </p>
<p>#httpServletRequest: <span>org.apache.catalina.connector.RequestFacade@1b1d9723</span> </p>
<p>#servletContext: <span>org.apache.catalina.core.ApplicationContextFacade@7a67be1c</span> </p>
<script type="javascript">
  // org.apache.catalina.connector.RequestFacade@1b1d9723
  // org.apache.catalina.connector.RequestFacade@1b1d9723
  // org.apache.catalina.core.ApplicationContextFacade@7a67be1c
</script>

</body>
</html>

demo.zip

danielfernandez commented 2 years ago

This is by design. Due to both security and web compatibility reasons, these objects are not considered expression utility objects anymore. If these objects are needed, they will need to be added to the model at the controller, though note that calling arbitrary methods on javax.* and jakarta.* objects has been forbidden too. The release notes for 3.1.0.M1 (to be published) wil explain all this.

makigumo commented 2 years ago

Thank you for the given insight.