sec:authorize and sec:authentication annotations don't work

spring-mvc spring-security thymeleaf
Dušan Rychnovský picture Dušan Rychnovský · Aug 19, 2013 · Viewed 23.5k times · Source

I have a Spring + Thymeleaf project with the following view code.

<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring3-3.dtd">
<html
        xmlns="http://www.w3.org/1999/xhtml"
        xmlns:th="http://www.thymeleaf.org"
        xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">

<head>
    <title>Contacts</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>
<body>
<div id="content">
    <h1>Welcome to the site!</h1>
    <p th:if="${loginError}">Wrong user or password</p>
    <form th:action="@{/j_spring_security_check}" method="post">
        <label for="j_username">Email address</label>:
        <input type="text" id="j_username" name="j_username"/> <br/>
        <label for="j_password">Password</label>:
        <input type="password" id="j_password" name="j_password"/> <br/>
        <input type="submit" value="Log in"/>
    </form>
</div>

<div sec:authorize="isAuthenticated()">
    User: <span sec:authentication="name">miquel</span>
</div>
</body>
</html>

The sec:authorize and sec:authentication attributes don't work as expected - the div is always shown, even if no user is logged in, and the span always reads "miquel".

Follows a relevant snippet from my controller class. 

@RequestMapping(value = "/welcome.html") 
public String wellcome() { 
    Authentication auth = SecurityContextHolder.getContext().getAuthentication(); 
    System.out.println("username: " + auth.getName()); 

    return "home"; 
}

The println statement works as expected - if no user is logged in, it prints "anonymousUser", otherwise the username.

What am I doing wrong?

Answer

Dušan Rychnovsk&#253; picture Dušan Rychnovský · Aug 19, 2013

After comparing my application closely to the Thymeleaf & Spring Security demo applicaiton, I discovered the source of the error.

Apparently, in order for Thymeleaf to process the sec:authorize and sec:authentication attributes, you need to register SpringSecurityDialect as an additional dialect of the template engine bean.

<bean id="templateEngine" class="org.thymeleaf.spring3.SpringTemplateEngine">
    <property name="templateResolver" ref="templateResolver" />
    <property name="additionalDialects">
        <set>
            <bean class="org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect" />
        </set>
    </property>
</bean>

This is surprising as there is no mention of that fact on the related Thymeleaf documentation page. I hope this helps others who will face the same issue in future.

Related questions

Spring Security hasRole() not working

I'm facing a problem when using Spring Security && Thymeleaf, specifically when trying to use the hasRole expression. The 'admin' user has a role 'ADMIN' but hasRole('ADMIN') resolves to false anyway I try it My html: 1.<div …

Read More
Simple example of Spring Security with Thymeleaf

hi I'm trying to follow a simple example about doing a simple login form page that i found in this page http://docs.spring.io/autorepo/docs/spring-security/4.0.x/guides/form.html the problem is that i´m getting this …

Read More
Thymeleaf with Spring Security - how to check if user is logged in or not?

I'm using Spring Boot with Thymeleaf and Spring Security. I've got a simple view with a login link. When the user logs in, I'd like to change login link to logout link. I tried: <div sec:authorize="#{isAuthenticated()}"> &…

Read More