spring-securitythymeleafspring-thymeleaf
Thymeleaf Security (sec:authorize tag) doesn't work in Spring
I have a problem: when I implemented thymeleaf security, added dependency, I noticed that sec:authorize tag isn't even working! I've browsed a lot of questions, but all of them obsolete or man forgot to add dependency This tutorial is so easy, there weren't any additional classes and configurations, but it didn't help either: https://www.baeldung.com/spring-security-thymeleaf
My project on github: https://github.com/sedub01/CafeBarApplication, I haven't push new changes yet (if you'd noticed some files missed, I'll add them) There is my pom.xml file
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.0</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>sia</groupId>
<artifactId>CafeBarApplication</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>CafeBarApplication</name>
<description>Cafe Bar Example</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-validation -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
<version>3.1.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-data-jpa -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>3.1.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>3.1.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-oauth2-client -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
Last, but not least: my html code:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<title>Cafe Bar</title>
</head>
<body>
<h3 th:text="'Welcome' + (${fullname} ? ', ' + ${fullname} + '!' : '')" />
<img th:src="@{/images/cafeIcon.png}" />
<!-- TODO think about placing in header -->
<form method="POST" th:action="@{/logout}">
<input type="submit" value="Logout" />
</form>
<div sec:authorize="!isAuthenticated()">
This content is only shown to unauthenticated users.
</div>
<div sec:authorize="isAuthenticated()">
This content is only shown to authenticated users.
</div>
<div sec:authorize="hasRole('ROLE_ADMIN')">
This content is only shown to administrators.
</div>
<div sec:authorize="hasRole('ROLE_USER')">
This content is only shown to users.
</div>
</body>
</html>
Actual result (I've logined as USER, but every div is displayed):
Solution
As you using spring-boot version 3.1.0 which uses spring 6.0.9 version. But the library you have used thymeleaf-extras-springsecurity5 is using spring version 5.x so it will not work as expected.
Use the thymeleaf-extras-springsecurity6 library instead.
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
- After Spring Boot 3 update: Manually authenticating user not working
- Multiple user details services for different endpoints
- Spring Security - Authrozation on rest apis
- Exclude specific resource page(s) from Cross-Origin-Resource-Policy same-origin header in Spring WebSecurityConfigurerAdapter
- my Spring CustomSecurityExpressionRoot not working
- @EnableGlobalMethodSecurity is deprecated in the new spring boot 3.0
- Spring Security blocks POST requests despite SecurityConfig
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- How to extend the RequestMatcher in default RequestCache in Spring Security?
- How do I ensure a filter is executed after security filters in the SecurityFilterChain?
- how does spring security order multiple SecurityFilterChain?
- Spring 6 upgrade @PreAuthorize not working with ArgumentResolver
- Why is WebDataBinder used when Jackson is/should be used for deserialization (which breaks correct order of validation/authorization)?
- CORS in Spring Security (Spring Boot 3)
- Spring Security Authentication returns empty authorities
- Should i use ofNullable after checking if the value is null?
- Spring Boot throwing 401 Unauthorized on POST request
- Spring Boot security, always opens login page
- Spring boot 3 Upgrade - java.lang.NoSuchMethodError
- How to save header's value into Spring Security context considering concurrency safety
- Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable
- Consider defining a bean of type 'org.springframework.security.authentication.AuthenticationManager' in your configuration
- StackOverflowError with Unresolvable Circular Reference in AuthenticationManager Bean Definition
- Spring Security 6.3.3 WebFlux CORS
- CORS errors using Spring Boot, Spring Security and React
- Spring Boot + Security + MVC + LDAP AD + SSO
- Why BCryptPasswordEncoder from Spring generate different outputs for same input?
- Spring-Boot behind a network proxy
- Preventing to send requests from different devices