sec:authorize="hasRole('ROLE_ADMIN')" doesn't work


janejc
I'm trying to integrate Thymeleaf with Spring Security (I've been developing an app with Thymeleaf and Spring MVC that works OK).

The problem is that I want to use <div sec:authorize="hasRole('ROLE_X')">Text</div> to show a different div depending on the user's role.

This is my spring-security configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-4.2.xsd">



<http auto-config="true" use-expressions="true">
	<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
	<csrf/>
</http>

<authentication-manager>
	<authentication-provider>
		<jdbc-user-service data-source-ref="dataSource"
			users-by-username-query=
				"select username,password, enabled from users where username=?"
			authorities-by-username-query=
				"select username, role from user_roles where username =?  " />
		<password-encoder ref="passwordEncoder" />
	</authentication-provider>
</authentication-manager>

<beans:bean id="passwordEncoder"
	class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance" />



<beans:bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine">
  <beans:property name="additionalDialects">
    <beans:set>
      <beans:bean class="org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect"/>
    </beans:set>
  </beans:property>
</beans:bean>

</beans:beans>

And this is the content of my welcome page:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">


<head>      
    <title>Welcome</title>

</head>

<body>

    <div sec:authorize="hasRole('ROLE_USER')">Text visible to user.</div>
    <div sec:authorize="hasRole('ROLE_ADMIN')">Text visible to admin.</div>
    <div sec:authorize="isAuthenticated()">
        Text visible only to authenticated users.
    </div>

</body>

</html>

The problem is that ALL divs are shown to ALL users.

My dependencies (I only show the dependencies related to Thymeleaf and Spring Security; I'm using Spring 4.3.7):
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>5.0.0.RELEASE</version>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.0.0.RELEASE</version>
</dependency>

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    <version>3.0.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf-spring4</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>

Can you help me, please?
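
An added example, not part of the original post: a Python check that reads the dependency list above and reports version mismatches between the Thymeleaf integration modules and the libraries they integrate with. It assumes two naming conventions (the digit in thymeleaf-extras-springsecurityN is the Spring Security major version the module targets, and thymeleaf-springN shares the thymeleaf core version); the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# artifactId/version pairs copied from the post's dependency list.
POM_FRAGMENT = """
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><version>5.0.0.RELEASE</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>5.0.0.RELEASE</version></dependency>
<dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-springsecurity4</artifactId><version>3.0.3.RELEASE</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId><version>5.0.0.RELEASE</version></dependency>
<dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf</artifactId><version>3.0.9.RELEASE</version></dependency>
<dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf-spring4</artifactId><version>3.0.9.RELEASE</version></dependency>
"""


def parse_dependencies(fragment):
    """Return {artifactId: version} from a bare run of <dependency> elements."""
    root = ET.fromstring("<dependencies>" + fragment + "</dependencies>")
    return {d.findtext("artifactId").strip(): d.findtext("version").strip()
            for d in root.iter("dependency")}


def check(deps):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    security = sorted({v for a, v in deps.items() if a.startswith("spring-security-")})
    if len(security) > 1:
        findings.append("spring-security modules use mixed versions: " + ", ".join(security))
    for artifact, version in sorted(deps.items()):
        # Assumed convention: the trailing digit is the Spring Security major version.
        extras = re.fullmatch(r"thymeleaf-extras-springsecurity(\d+)", artifact)
        if extras:
            for sec_version in security:
                if sec_version.split(".")[0] != extras.group(1):
                    findings.append("%s targets Spring Security %s.x but spring-security is %s"
                                    % (artifact, extras.group(1), sec_version))
        # Assumed convention: thymeleaf-springN shares the thymeleaf core version.
        if re.fullmatch(r"thymeleaf-spring\d+", artifact):
            core = deps.get("thymeleaf")
            if core is not None and core != version:
                findings.append("%s is %s but thymeleaf core is %s" % (artifact, version, core))
    return findings


if __name__ == "__main__":
    for finding in check(parse_dependencies(POM_FRAGMENT)):
        print("MISMATCH:", finding)
```

A reported mismatch is a lead to investigate, not proof of why the sec:authorize attributes are left unprocessed.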