question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

sec:authorize="isAuthenticated()" no longer works with thymeleaf-extras-springsecurity5

See original GitHub issue

I have a Spring Boot 2.0.5 application that uses thymeleaf-extras-springsecurity4 currently. I tried updating to thymeleaf-extras-springsecurity5, by changing the version in my pom.xml to:

    <thymeleaf.version>3.0.10.RELEASE</thymeleaf.version>
    <thymeleaf-layout-dialect.version>2.3.0</thymeleaf-layout-dialect.version>
    <thymeleaf-spring-data-dialect.version>3.3.1</thymeleaf-spring-data-dialect.version>
    <thymeleaf-extras-springsecurity5.version>3.0.3.RELEASE</thymeleaf-extras-springsecurity5.version>
    <thymeleaf-extras-java8time.version>3.0.1.RELEASE</thymeleaf-extras-java8time.version>

with:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        <version>${thymeleaf-extras-springsecurity5.version}</version>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-java8time</artifactId>
        <version>${thymeleaf-extras-java8time.version}</version>
    </dependency>
    <dependency>
        <groupId>io.github.jpenren</groupId>
        <artifactId>thymeleaf-spring-data-dialect</artifactId>
        <version>${thymeleaf-spring-data-dialect.version}</version>
    </dependency>
    <dependency>
        <groupId>nz.net.ultraq.thymeleaf</groupId>
        <artifactId>thymeleaf-layout-dialect</artifactId>
    </dependency>

In my templates, I have this:

<th:block sec:authorize="isAuthenticated()">
...
</th:block>

This works perfectly fine with thymeleaf-extras-springsecurity4, but not anymore if I update to thymeleaf-extras-springsecurity5. There are no exceptions, but the content is visbile even if no user is authenticated.

I also changed the <html> declaration from:

<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

to:

<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

But that did not fix it.

Am I doing something wrong? This is a regular Spring MVC application, not using anything reactive.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:1
  • Comments:6 (1 by maintainers)

github_iconTop GitHub Comments

38reactions
vwilmerfmcommented, Mar 7, 2019

Change your file pom.xml, and add this these dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>

Now in your html file add:

<!DOCTYPE html>
<html lang="es" xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

that is all 😉

    <div sec:authorize="isAuthenticated()">
        Text visible only to authenticated users.
    </div>

NOTE: Do not forget enable @EnableWebSecurity in your spring config file

3reactions
breitlingcommented, Jun 18, 2020

I have done all of the above and with TRACE logging on org.thymeleaf I don’t see any evidence that the sec:authorize tags are being processed.

When I look at the HTML source the sec:authorize tags are still there. That seems wrong.

Read more comments on GitHub >

github_iconTop Results From Across the Web

thymeleaf sec:authorize not working in spring boot
I updated my thymeleaf security to springsecurity5 and now it is working <dependency> <groupId>org.thymeleaf.extras</groupId> ...
Read more >
Spring Security with Thymeleaf - Baeldung
A quick guide to integrating Spring Security and Thymeleaf. ... </div> <div sec:authorize="isAuthenticated()"> Text visible only to ...
Read more >
Spring Security with Thymeleaf | Java Development Journal
<div sec:authorize ="isAuthenticated()"> will work for all authenticated user. It will display this section to all authenticated user.
Read more >
Thymeleaf + Spring Security integration basics
In this article we will see how to configure your Spring application to use Thymeleaf for login and error pages. All the code...
Read more >
Spring Security — User Roles and ThymeLeaf Extras
formLogin() Tells spring security that we wish to use a login form. ... Next, we'll be using a Thymeleaf attribute sec:authorize to check...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found