Themeleaf and Spring security does not work

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Themeleaf and Spring security does not work

Andy
This post was updated on .
Hi,

I am using themeleaf for the first time. I struggling to run a simple page with authorization.expression on it.

I have added following in my dispatcherServlet config XML

<bean id="templateResolver"
        class="org.thymeleaf.templateresolver.ServletContextTemplateResolver">
    <property name="prefix" value="/WEB-INF/pages/view/" />
    <property name="suffix" value=".html" />
    <property name="templateMode" value="HTML5" />
   
   
    <property name="cacheable" value="false" />
  </bean>
 
  <bean id="templateEngine"
        class="org.thymeleaf.spring3.SpringTemplateEngine">
        <property name="templateResolver" ref="templateResolver" />
        <property name="additionalDialects"> 
                    <set> 
                      <bean class="org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect"/> 
                    </set> 
            </property> 
     
  </bean>
   
  <bean class="org.thymeleaf.spring3.view.ThymeleafViewResolver">
    <property name="templateEngine" ref="templateEngine" />
    <property name="viewNames" value="*" />
    <property name="order" value="1" />
  </bean>   


My Spring security context XML -
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:global-method-security secured-annotations="enabled" />
   
    <security:http auto-config="true"  use-expressions="true">
       
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
       
        <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/**" access="ROLE_USER" />

       
        <security:form-login login-page="/public/login.html"
                             login-processing-url="/loginProcess"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/login.html?login_error=1" />
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" />
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="MyUserDetailsService"/>
    </security:authentication-manager>

</beans>




My HTML contains -
<li th:if="${#authorization.expression('hasRole(''ROLE_USER'')')}"> .........


Following exception is thrown at runtime -
    Exception evaluating SpringEL expression: "#authorization.expression('hasRole(''ROLE_USER'')')" (templates/layout:56)

Caused by:

org.thymeleaf.exceptions.TemplateProcessingException: Exception evaluating SpringEL expression: "#authorization.expression('hasRole(''ROLE_USER'')')" (templates/layout:56)
        at org.thymeleaf.spring3.expression.SpelVariableExpressionEvaluator.evaluate(SpelVariableExpressionEvaluator.java:161)
        at org.thymeleaf.standard.expression.VariableExpression.executeVariable(VariableExpression.java:154)
        at org.thymeleaf.standard.expression.SimpleExpression.executeSimple(SimpleExpression.java:59)
        at org.thymeleaf.standard.expression.Expression.execute(Expression.java:103)
        at org.thymeleaf.standard.expression.Expression.execute(Expression.java:133)
        at org.thymeleaf.standard.expression.Expression.execute(Expression.java:120)
        at org.thymeleaf.standard.processor.attr.AbstractStandardConditionalVisibilityAttrProcessor.isVisible(AbstractStandardConditionalVisibilityAttrProcessor.java:66)
        at org.thymeleaf.processor.attr.AbstractConditionalVisibilityAttrProcessor.processAttribute(AbstractConditionalVisibilityAttrProcessor.java:59)
        at org.thymeleaf.processor.attr.AbstractAttrProcessor.doProcess(AbstractAttrProcessor.java:87)
        at org.thymeleaf.processor.AbstractProcessor.process(AbstractProcessor.java:212)
        ............................................

Please help I am stuck on this and not able to go further.

I have following jars related to Themeleaf
1. thymeleaf-2.1.4.RELEASE.jar
2. thymeleaf-spring3-2.1.4.RELEASE.jar
3. unbescape-1.1.0.RELEASE.jar
4. ognl-3.0.9.jar
5. thymeleaf-extras-springsecurity3-2.1.1.RELEASE.jar
6. slf4j-api-1.6.6.jar
7. slf4j-log4j12-1.6.6.jar
 
Reply | Threaded
Open this post in threaded view
|

Re: Themeleaf and Spring security does not work

Zemi
Administrator
Hello,

I don't know why you have thymeleaf-spring4-2.1.4.RELEASE.jar, you should have that library, assuming that you are using Spring 3.

Regards,
   Zemi
Reply | Threaded
Open this post in threaded view
|

Re: Themeleaf and Spring security does not work

Andy
Hi Zemi,

I tried switching between Spring 3 and 4 to check if any of that works and that is why included both. but this should not cause any issues right? After removing Spring 4 jar I still get the same exception.

Thanks,
Andy
Reply | Threaded
Open this post in threaded view
|

Re: Themeleaf and Spring security does not work

Zemi
Administrator
Sorry, I cannot spot any error in your code.

Do the following work for you?

 th:if="${#httpServletRequest.isUserInRole('ROLE_USER')}"

(just to confirm that your authorization system is properly configured).

Regards,
  Zemi

Reply | Threaded
Open this post in threaded view
|

Re: Themeleaf and Spring security does not work

caioquirino
This post was updated on .
Hi Zemi, the following works great for me:
th:if="${#httpServletRequest.isUserInRole('ROLE_USER')}"

But the
<div sec:authorize="hasRole('PERMISSION_ACCESS_SITE')">...</div>
doesn't works. It always returns false.

I'm using Spring Boot with UserDetailsService.
Reply | Threaded
Open this post in threaded view
|

Re: Themeleaf and Spring security does not work

caioquirino
I've found the answer:

My role wasn't named with the ROLE_ prefix.
I need to use hasAuthority instead if i can't change all permissions's prefix:
<div sec:authorize="hasAuthority('PERMISSION_ACCESS_SITE')">...</div>

:D