
Spring Security hasRole() not working

I'm facing a problem when using Spring Security && Thymeleaf, specifically when trying to use the hasRole expression. The 'admin' user has a role 'ADMIN', but hasRole('ADMIN') resolves to false any way I try it.

My html:

1.<div sec:authentication="name"></div> <!-- works fine -->
2.<div sec:authentication="principal.authorities"></div> <!-- works fine -->
3.<div sec:authorize="isAuthenticated()">true</div> <!-- works fine -->
4.<span th:text="${#authorization.expression('isAuthenticated()')}"></span> <!-- works fine -->
5.<div th:text="${#vars.role_admin}"></div> <!-- works fine -->
6.<div sec:authorize="${hasRole('ADMIN')}"> IS ADMIN </div> <!-- Doesn't work -->
7.<div sec:authorize="${hasRole(#vars.role_admin)}"> IS ADMIN </div> <!-- Doesn't work -->
8.<div th:text="${#authorization.expression('hasRole(''ADMIN'')')} "></div> <!-- Doesn't work -->
9.<div th:text="${#authorization.expression('hasRole(#vars.role_admin)')}"></div> <!-- Doesn't work -->

results in:

1.admin
2.[ADMIN]
3.true
4.true
5.ADMIN
6."prints nothing because hasRole('ADMIN') resolves to false"
7."prints nothing because hasRole(#vars.role_admin) resolves to false"
8.false
9.false

I have enabled use-expressions in my security.xml file

<security:http auto-config="true" use-expressions="true"> 

And also included the SpringSecurityDialect in my config

<bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine">
    <property name="templateResolver" ref="templateResolver" />
    <property name="additionalDialects">
        <set>
            <bean class="org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect" />
        </set>
    </property>
</bean>

All the necessary dependencies in my pom.xml file

<!--Spring security-->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.1.RELEASE</version>
</dependency>

<!--Thymeleaf Spring Security-->
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    <version>2.1.2.RELEASE</version>
    <scope>compile</scope>
</dependency>

Role.java

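import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "roles")
public class Role implements Serializable {
    // The enum constant name (e.g. "ADMIN") is stored as the primary key
    @Id
    @Enumerated(EnumType.STRING)
    private RoleType name;
    //... getters, setters
}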

RoleType

public enum RoleType {
    ADMIN
}

And User has a Set of Roles

Why is hasRole() not working?

I appreciate your help, thank you

Workaround

th:if="${#strings.contains(#authentication.principal.authorities,'ADMIN')}"

Xipo asked Jun 11 '15 17:06



1 Answer

Try using hasAuthority instead of hasRole inside the HTML tag.

sec:authorize="hasAuthority('ADMIN')" 
Dmitry Stolbov answered Sep 19 '22 17:09
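
Why the answer works, as an added example that is not part of the original question or answer: in Spring Security 4, hasRole() prepends the default "ROLE_" prefix before comparing, while hasAuthority() compares the authority string exactly. The class name, helper names and the VIEW_ADMIN_REPORTS authority are constructed for illustration; the only dependency is spring-security-core, which is already in the question's pom.xml. The last case also runs a substring test like the question's #strings.contains workaround against an unrelated authority.

```java
import java.util.Collection;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class HasRoleVsHasAuthority {

    // SecurityExpressionRoot is abstract but has no abstract methods; an empty
    // subclass exposes the hasRole()/hasAuthority() methods that
    // sec:authorize expressions are evaluated against.
    static SecurityExpressionRoot rootFor(String... authorities) {
        Authentication auth = new TestingAuthenticationToken("admin", "n/a", authorities);
        return new SecurityExpressionRoot(auth) { };
    }

    // Same idea as the #strings.contains(...) workaround: a substring match
    // on the stringified authority collection, not an exact comparison.
    static boolean substringCheck(SecurityExpressionRoot root, String needle) {
        Collection<? extends GrantedAuthority> granted =
                root.getAuthentication().getAuthorities();
        return granted.toString().contains(needle);
    }

    static void report(String label, boolean result) {
        System.out.printf("%-58s -> %b%n", label, result);
    }

    public static void main(String[] args) {
        // Authority stored without a prefix, as in the question ("ADMIN").
        SecurityExpressionRoot bare = rootFor("ADMIN");
        // hasRole('ADMIN') is compared against "ROLE_ADMIN"
        report("authority ADMIN, hasRole('ADMIN')", bare.hasRole("ADMIN"));
        // hasAuthority('ADMIN') is compared against "ADMIN" exactly
        report("authority ADMIN, hasAuthority('ADMIN')", bare.hasAuthority("ADMIN"));

        // Alternative fix: store the authority with the prefix (constructed value).
        SecurityExpressionRoot prefixed = rootFor("ROLE_ADMIN");
        report("authority ROLE_ADMIN, hasRole('ADMIN')", prefixed.hasRole("ADMIN"));

        // Unrelated authority whose name merely contains "ADMIN" (constructed value).
        SecurityExpressionRoot other = rootFor("VIEW_ADMIN_REPORTS");
        report("authority VIEW_ADMIN_REPORTS, hasAuthority('ADMIN')",
                other.hasAuthority("ADMIN"));
        report("authority VIEW_ADMIN_REPORTS, substring 'ADMIN'",
                substringCheck(other, "ADMIN"));
    }
}
```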