Henry Kwon

Reputation: 227

Thymeleaf: sec:authentication shows up in ANY case while sec:authorize shows up in NO case

Every <div> with sec:authentication="..." shows up whether logged in or not. Even an explicit false causes the div to show up.

On the other hand, <div>s with sec:authorize="..." are hidden, even with an explicit true.

I have tried checking Maven dependencies, Spring MVC config, Spring Security Dialect in ServletContextConfig and many other answers, but no solution worked for my case.

index.html:

<!DOCTYPE html>
<html
       xmlns:th="http://www.thymeleaf.org"
       xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
    <meta charset="UTF-8"/>
    <title>blah blah</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" rel="stylesheet"/>
</head>

<body style="text-align: center;">    

<div sec:authentication="true">
    authentication - always
</div>

<div sec:authentication="false">
    authentication - never
</div>

<div class="container" sec:authentication="isAnonymous()">
    authentication - anonymous
</div>

<div class="container" sec:authentication="!isAnonymous()">
    authentication - not anonymous
</div>

<div class="container" sec:authentication="isAuthenticated()">
    authentication - authenticated
</div>

<div class="container" sec:authentication="!isAuthenticated()">
    authentication - not authenticated
</div>

<div sec:authorize="true">
    authorize - always
</div>

<div sec:authorize="false">
    authorize - never
</div>

<div class="container" sec:authorize="isAnonymous()">
    authorize - anonymous
</div>

<div class="container" sec:authorize="!isAnonymous()">
    authorize - not anonymous
</div>

<div class="container" sec:authorize="isAuthenticated()">
    authorize - authenticated
</div>

<div class="container" sec:authorize="!isAuthenticated()">
    authorize - not authenticated
</div>


<strong> Username: <span sec:authentication="name"></span> </strong>
<div th:text="${#authorization.getAuthentication()}">1</div>
<div th:text="${40}">1</div>




<!-- end of content! -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js"></script>
</body>
</html>

Expected result (when not logged in):

authentication - always

authentication - anonymous

authentication - not authenticated

authorize - always

authorize - anonymous

authorize - not authenticated

Username: Anonymous

40

Actual result:

authentication - always

authentication - never

authentication - anonymous

authentication - not anonymous

authentication - authenticated

authentication - not authenticated

Username:

40

Upvotes: 1

Views: 3273

Answers (2)

Tette

Reputation: 21

In my case, using "Spring Security 5" with "thymeleaf-extras-springsecurity4" caused this problem. If you're using Spring Security 5, use "thymeleaf-extras-springsecurity5" instead. ("thymeleaf-extras-springsecurity5" was released recently)

Upvotes: 2

Henry Kwon

Reputation: 227

After digging for more and more solutions, I found one that works for me:

  1. There must not be anything like web.ignoring().antMatchers("/"); in SecurityConfig.configure().
    I.e. the page you want to apply an "authorization filter" to must not be set to be ignored by security.
  2. Use sec:authorize, not sec:authentication (this causes an error), in index.html.

Working index.html:

<!DOCTYPE html>
<html
        xmlns:th="http://www.thymeleaf.org"
        xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="UTF-8"/>
    <title>bla bla bla</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" rel="stylesheet"/>
</head>

<body style="text-align: center;">

<div sec:authorize="true">
    authorize - always
</div>

<div sec:authorize="false">
    authorize - never
</div>

<div class="container" sec:authorize="isAnonymous()">
    authorize - anonymous
</div>

<div class="container" sec:authorize="!isAnonymous()">
    authorize - not anonymous
</div>

<div class="container" sec:authorize="isAuthenticated()">
    authorize - authenticated
</div>

<div class="container" sec:authorize="!isAuthenticated()">
    authorize - not authenticated
</div>

<strong> Username: <span sec:authentication="name"></span> </strong>
<div th:text="${#authorization.getAuthentication()}">1</div>
<div th:text="${40}">1</div>

<!-- end of content! -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js"></script>
</body>
</html>

Result: (when logged in)

authorize - always

authorize - not anonymous

authorize - authenticated

Username: test2

org.springframework.security.authentication.UsernamePasswordAuthenticationToken@00000000: Principal: ....

40

(when not logged in)

authorize - always

authorize - anonymous

authorize - not authenticated

Username: anonymousUser

org.springframework.security.authentication.UsernamePasswordAuthenticationToken@00000000: Principal: ....

40

Upvotes: 2
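
The change described in point 1 of the answer above, as an added example that is not from the original post: the ignored root path shown next to a `permitAll()` rule that keeps `/` inside the filter chain. It assumes Spring Security 5 with `WebSecurityConfigurerAdapter`; the class layout, the static-asset paths and the form login are assumptions.

```java
// Added example, not the poster's code. Paths and login style are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Before (the setting the answer says to remove):
        //   web.ignoring().antMatchers("/");
        // An ignored path skips the whole Spring Security filter chain, so the
        // template renders with no Authentication in the SecurityContext and
        // sec:authorize hides its element, as seen in the question.

        // Ignoring is only suitable for static assets that never render
        // security-dependent markup (these paths are assumptions).
        web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // After: "/" stays inside the filter chain but is open to all.
                // Anonymous visitors receive an AnonymousAuthenticationToken,
                // so isAnonymous() and isAuthenticated() can be evaluated.
                .antMatchers("/").permitAll()
                // Everything else is enforced server-side; hiding a <div> in
                // the template is presentation only, not access control.
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll()
                .and()
            .logout().permitAll();
    }
}
```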
