upgrading spring & thyme leaf broke my authorize

Question

I am upgrading my Spring Boot app from 1.3.5 to 1.4.4 (eventually 1.5.x) and I noticed my Thymeleaf menu items are now broken. Here is how I have them:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

...
<ul class="nav pull-right">
  <li sec:authorize="${!isAuthenticated()}">
     <div>
          <span></span>
     </div>
  </li>
  <li sec:authorize="${isAuthenticated()}">
     <span th:inline="text">Logged in as [[${#httpServletRequest.remoteUser}]</span>
   </li>
</ul>

I then made the following changes

compile("org.springframework.boot:spring-boot-starter-thymeleaf")
compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity4:2.1.2.RELEASE')

to

compile group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '1.4.4.RELEASE'
compile group: 'org.thymeleaf.extras', name: 'thymeleaf-extras-springsecurity4', version: '3.0.2.RELEASE'
compile group: 'org.thymeleaf', name: 'thymeleaf-spring4', version: '3.0.9.RELEASE'

However, the the authorized element is being displayed as if the security is being bypassed. Did something change that the sec:authorize works the same way? I looked at the Thymeleaf documentation and I am not seeing it. I know the user being authenticated has the proper roles and is authenticated.

Update:

For what its worth, I tried updating the bootstrap and jquery versions to:

<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"/>
    <script src="https://use.fontawesome.com/releases/v5.0.6/js/all.js"></script>
    <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>

and have this in my html

xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"

But that still doesn't fix the issue that the wrong item is being shown.

Answer 1

Try sec:authorize="isAuthenticated()" instead of sec:authorize="${isAuthenticated()}"

Spring Boot 1.x uses thymeleaf 2, SB 2.x uses thymeleaf 3.

You need to do additional configuration if you want to use thymeleaf 3 with SB 1.x: https://github.com/spring-projects/spring-boot/issues/4393