I'm facing a problem when using Spring Security && Thymeleaf, specifically when trying to use the hasRole expression. The 'admin' user has a role 'ADMIN' but hasRole('ADMIN') resolves to false any way I try it.
My html:
1.<div sec:authentication="name"></div> <!-- works fine -->
2.<div sec:authentication="principal.authorities"></div> <!-- works fine -->
3.<div sec:authorize="isAuthenticated()" >true</div> <!-- works fine -->
4.<span th:text="${#authorization.expression('isAuthenticated()')}"></span> <!-- works fine -->
5.<div th:text="${#vars.role_admin}"></div> <!--Works fine -->
6.<div sec:authorize="${hasRole('ADMIN')}" > IS ADMIN </div> <!-- Doesnt work -->
7.<div sec:authorize="${hasRole(#vars.role_admin)}" > IS ADMIN </div> <!-- Doesnt work -->
8.<div th:text="${#authorization.expression('hasRole(''ADMIN'')')} "></div> <!-- Doesnt work -->
9.<div th:text="${#authorization.expression('hasRole(#vars.role_admin)')}"></div> <!-- Doesnt work -->
results in:
1.admin
2.[ADMIN]
3.true
4.true
5.ADMIN
6."prints nothing because hasRole('ADMIN') resolves to false"
7."prints nothing because hasRole(#vars.role_admin) resolves to false"
8.false
9.false
I have enabled use-expressions in my security.xml file
<security:http auto-config="true" use-expressions="true">
And also included the SpringSecurityDialect in my config
<bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine">
    <property name="templateResolver" ref="templateResolver" />
    <property name="additionalDialects">
        <set>
            <bean class="org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect" />
        </set>
    </property>
</bean>
All the necessary dependencies in my pom.xml file
<!--Spring security-->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>
<!--Thymeleaf Spring Security-->
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    <version>2.1.2.RELEASE</version>
    <scope>compile</scope>
</dependency>
Role.java
@Entity
@Table(name = "roles")
public class Role implements Serializable {

    @Id
    @Enumerated(EnumType.STRING)
    private RoleType name;

    //... getters, setters
}
RoleType
public enum RoleType { ADMIN }
And User has a Set of Roles
Why is hasRole() not working?
I appreciate your help, thank you
th:if="${#strings.contains(#authentication.principal.authorities,'ADMIN')}"
By default, Spring Security uses a thread-local copy of this class. This means each request in our application has its security context that contains details of the user making the request. To use it, we simply call the static methods in SecurityContextHolder: Authentication auth = SecurityContextHolder.
The first thing you need to do is add Spring Security to the classpath. The WebSecurityConfig class is annotated with @EnableWebSecurity to enable Spring Security's web security support and provide the Spring MVC integration.
To add Spring Boot Security to your Spring Boot application, we need to add the Spring Boot Starter Security dependency in our build configuration file. Maven users can add the following dependency in the pom.xml file. Gradle users can add the following dependency in the build.
Try using hasAuthority instead of hasRole inside the HTML tag.
sec:authorize="hasAuthority('ADMIN')"
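Added example, not part of the original question or answer: in Spring Security 4, hasRole('X') looks for the authority string with the default prefix ROLE_ prepended, while hasAuthority('X') compares the string exactly, so an authority stored as ADMIN matches hasAuthority('ADMIN') but not hasRole('ADMIN'). The class HasRoleDemo and the helpers toAuthorities and rootFor are hypothetical names; the code needs only spring-security-core on the classpath.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class HasRoleDemo {

    enum RoleType { ADMIN } // same enum as in the question

    // Hypothetical helper: map the user's roles to granted authorities,
    // with an optional prefix in front of the enum name.
    static List<GrantedAuthority> toAuthorities(Set<RoleType> roles, String prefix) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (RoleType role : roles) {
            out.add(new SimpleGrantedAuthority(prefix + role.name()));
        }
        return out;
    }

    // SecurityExpressionRoot is the base class that implements hasRole() and
    // hasAuthority(); an anonymous subclass is enough to evaluate them directly.
    static SecurityExpressionRoot rootFor(List<GrantedAuthority> authorities) {
        Authentication auth =
                new UsernamePasswordAuthenticationToken("admin", "n/a", authorities);
        return new SecurityExpressionRoot(auth) { };
    }

    public static void main(String[] args) {
        Set<RoleType> roles = EnumSet.of(RoleType.ADMIN);

        // Authority stored as the bare enum name, as in the question ("[ADMIN]").
        SecurityExpressionRoot bare = rootFor(toAuthorities(roles, ""));
        System.out.println("bare     hasRole('ADMIN')      = " + bare.hasRole("ADMIN"));
        System.out.println("bare     hasAuthority('ADMIN') = " + bare.hasAuthority("ADMIN"));

        // Authority stored with the ROLE_ prefix that hasRole() expects by default.
        SecurityExpressionRoot prefixed = rootFor(toAuthorities(roles, "ROLE_"));
        System.out.println("prefixed hasRole('ADMIN')      = " + prefixed.hasRole("ADMIN"));
        System.out.println("prefixed hasAuthority('ADMIN') = " + prefixed.hasAuthority("ADMIN"));
    }
}
```

Whichever convention is chosen, use it consistently across templates, URL rules and method security, so that no check silently evaluates to false against the stored authority strings.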