Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
858 views
in Technique[技术] by (71.8m points)

spring - sec:authorize returning true for both isAuthenticated() and isAnonymous() in thymeleaf view

In my current spring-boot project, I have in my view a snippet of code like this in my thymeleaf view:

<div class="account">
    <ul>
        <li id="your-account" sec:authorize="isAnonymous()">
            ... code 1 ...
        </li>
        <li id="your-account" sec:authorize="isAuthenticated()">
            ... code 2 ...
        </li>
        <li th:if="${cart}">
            ...
        </li>
    </ul>
</div>

where only one of the snippets 1 or 2 should be displayed in the same time. But right now, when I open this view in the browser, the two areas are being displayed.

Anyone can see what's wrong here?

ps.: my thymeleaf configuration class is this:

@Configuration
public class Thymeleaf {

  @Bean
  public SpringTemplateEngine templateEngine() {
    SpringTemplateEngine engine  =  new SpringTemplateEngine();

    final Set<IDialect> dialects = new HashSet<IDialect>();
    dialects.add( new SpringSecurityDialect() );
    engine.setDialects( dialects );

    return engine;
  }

}

ps.: my spring-security configuration class is that:

@Configuration
@ComponentScan(value="com.spring.loja")
@EnableGlobalMethodSecurity(prePostEnabled=true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserDetailsService userDetailsService;

        @Autowired
        private SocialUserDetailsService socialUserDetailsService;

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Autowired
      private AuthenticationManagerBuilder auth;

        @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .authorizeRequests()
                .antMatchers("/b3/**", "/v1.1/**", "/**", "/destaque/**", "/categoria/**").permitAll()
                .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/signin")
                    .loginProcessingUrl("/login").permitAll()
                    .usernameParameter("login")
                    .passwordParameter("senha")
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/")
                    .and()
                .apply(new SpringSocialConfigurer());
    }

        @Override
        public void configure(WebSecurity web) throws Exception {
            DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setPermissionEvaluator(new CustomPermissionEvaluator());
        web.expressionHandler(handler);
    }

        @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder);
    }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return auth.getOrBuild();
        }
}
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

My fix was to add thymeleaf-extras-springsecurity4 to my web app dependencies.

I had a parent pom that was importing spring boot (1.4.1.RELEASE), which includes the thymeleaf extras, but my child pom (which houses the web app code) needed to call out the specific thymeleaf extras dependency like so:

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>

And voilà ... it now works.

I was attempting to do:

<div sec:authorize="hasRole('ROLE_USER')"></div>

in a thymeleaf template (.html file) to only show that div and it's contents when a user was logged in. However, it was showing that div all the time.

I wish it would have thrown an error saying it couldn't recognize the spring security tag prior to including the thymeleaf extras dependency ... it would have made debugging much easier.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...