sec:authorize="isAuthenticated()" no longer works with thymeleaf-extras-springsecurity5
See original GitHub issueI have a Spring Boot 2.0.5 application that uses thymeleaf-extras-springsecurity4 currently. I tried updating to thymeleaf-extras-springsecurity5, by changing the version in my pom.xml to:
<thymeleaf.version>3.0.10.RELEASE</thymeleaf.version>
<thymeleaf-layout-dialect.version>2.3.0</thymeleaf-layout-dialect.version>
<thymeleaf-spring-data-dialect.version>3.3.1</thymeleaf-spring-data-dialect.version>
<thymeleaf-extras-springsecurity5.version>3.0.3.RELEASE</thymeleaf-extras-springsecurity5.version>
<thymeleaf-extras-java8time.version>3.0.1.RELEASE</thymeleaf-extras-java8time.version>
with:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>${thymeleaf-extras-springsecurity5.version}</version>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
<version>${thymeleaf-extras-java8time.version}</version>
</dependency>
<dependency>
<groupId>io.github.jpenren</groupId>
<artifactId>thymeleaf-spring-data-dialect</artifactId>
<version>${thymeleaf-spring-data-dialect.version}</version>
</dependency>
<dependency>
<groupId>nz.net.ultraq.thymeleaf</groupId>
<artifactId>thymeleaf-layout-dialect</artifactId>
</dependency>
In my templates, I have this:
<th:block sec:authorize="isAuthenticated()">
...
</th:block>
This works perfectly fine with thymeleaf-extras-springsecurity4, but not anymore if I update to thymeleaf-extras-springsecurity5. There are no exceptions, but the content is visbile even if no user is authenticated.
I also changed the <html>
declaration from:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
to:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
But that did not fix it.
Am I doing something wrong? This is a regular Spring MVC application, not using anything reactive.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:6 (1 by maintainers)
Top Results From Across the Web
thymeleaf sec:authorize not working in spring boot
I updated my thymeleaf security to springsecurity5 and now it is working <dependency> <groupId>org.thymeleaf.extras</groupId> ...
Read more >Spring Security with Thymeleaf - Baeldung
A quick guide to integrating Spring Security and Thymeleaf. ... </div> <div sec:authorize="isAuthenticated()"> Text visible only to ...
Read more >Spring Security with Thymeleaf | Java Development Journal
<div sec:authorize ="isAuthenticated()"> will work for all authenticated user. It will display this section to all authenticated user.
Read more >Thymeleaf + Spring Security integration basics
In this article we will see how to configure your Spring application to use Thymeleaf for login and error pages. All the code...
Read more >Spring Security — User Roles and ThymeLeaf Extras
formLogin() Tells spring security that we wish to use a login form. ... Next, we'll be using a Thymeleaf attribute sec:authorize to check...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Change your file pom.xml, and add this these dependencies:
Now in your html file add:
that is all 😉
I have done all of the above and with TRACE logging on org.thymeleaf I don’t see any evidence that the sec:authorize tags are being processed.
When I look at the HTML source the sec:authorize tags are still there. That seems wrong.