Java – Links cannot be hidden based on security

I’m trying to show the link only when the user’s role allows it.
But the link is not hidden; everything is shown to every user.

I have seen many similar questions here, but none of the answers worked. Please tell me what I’m missing.

Configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter {

    private final String USER = "USER";
    private final String ADMIN = "ADMIN";

    // URL rules: hasRole("ADMIN") matches the granted authority "ROLE_ADMIN".
    // Only "/" and "/closed" are matched here; there is no anyRequest() rule,
    // so any other URL is not covered by these rules.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").hasAnyRole(USER, ADMIN)
                .antMatchers("/closed").hasRole(ADMIN)
                .and()
            .formLogin().defaultSuccessUrl("/");
    }

    // Two in-memory users; roles(ADMIN, USER) is stored as ROLE_ADMIN, ROLE_USER.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("jane").password(passwordEncoder().encode("qwe")).roles(ADMIN, USER)
                .and()
                .withUser("john").password(passwordEncoder().encode("qwe")).roles(USER);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

POM

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

HTML

<a th:href="@{/closed}">Go to closed</a>

<br/><br/>

<form th:action="@{/logout}" method="post">
    <input type="submit" value="Log out">
</form>

<br/>

<h2>Welcome</h2>
<p>Spring Security Thymeleaf</p>
<div sec:authorize="hasRole('USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ADMIN')">Text visible to admin.</div>
<div sec:authorize="isAuthenticated()">
    Text visible only to authenticated users.
</div>
Authenticated username:
<div sec:authentication="name"></div>
Authenticated user roles:
<div sec:authentication="principal.authorities"></div>

Everything above will show up for Jane, even if she doesn’t have admin access. On top of that, her username and roles are not displayed at all.

I’ve also tried configuring the dialect as follows, and it makes no difference.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
// Dialect class from the thymeleaf-extras-springsecurity4 artifact declared in the POM above.
import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;

@Configuration
public class LeafConfig {

    @Bean
    public SpringSecurityDialect springSecurityDialect() {
        return new SpringSecurityDialect();
    }
}

Here’s what is shown for Jane or John. There is no difference:

Welcome
Spring Security Thymeleaf

Text visible to user.
Text visible to admin.
Text visible only to authenticated users.
Authenticated username:
Authenticated user roles:

Solution

Since you are using the Spring Security add-on, you can try using ${#authorization.expression('hasRole(''ROLE_ADMIN'')')} instead of sec:authorize:

<div th:if="${#authorization.expression('hasRole(''USER'')')}">Text visible to user.</div>
<div th:if="${#authorization.expression('hasRole(''ADMIN'')')}">Text visible to admin.</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
    Text visible only to authenticated users.
</div>

If you use permissions instead of roles, the following code resolves the issue.

<div th:if="${#authorization.expression('hasAuthority(''ADMIN'')')}">ADMIN</div>
<div th:if="${#authorization.expression('hasAuthority(''USER'')')}">USER</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
    Text visible only to authenticated users.
</div>

Regarding your configuration, change the org.thymeleaf.extras dependency to thymeleaf-extras-springsecurity5 in your pom.xml, and add the SpringSecurityDialect @Bean to your configuration.

POM

<dependencies>
    ...
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>
    ...
</dependencies>

Leaf configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;

@Configuration
public class LeafConfig {

    @Bean
    public SpringSecurityDialect springSecurityDialect() {
        return new SpringSecurityDialect();
    }

}

After these changes, everything should work as expected.
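A check worth adding once the dialect is wired up. The `sec:authorize` and `#authorization` conditions only hide markup; the thing that actually keeps John out of /closed is the `.antMatchers("/closed").hasRole(ADMIN)` rule, and a user can always type the URL by hand. The MockMvc test below (an added example, not code from the question or the answer) verifies both layers: the HTTP rule for anonymous, USER and ADMIN requests, and that the rendered home page omits the admin block for a USER. It assumes, hypothetically, that a `@SpringBootApplication` class exists, that a controller maps GET / to the template from the question and GET /closed to an admin page, that spring-security-test is on the test classpath, and that JUnit 5 is in use (Spring Boot 2.2+); none of these appear on the page.

```java
// Added example (not from the original question or answer): an integration test
// that checks the server-side rule and the rendered template together.
// Assumptions (hypothetical, not on the page): a @SpringBootApplication class,
// a controller mapping GET / to the question's template and GET /closed to an
// admin page, spring-security-test on the test classpath, JUnit 5.
package demo;

import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class ClosedPageAccessTest {

    @Autowired
    private MockMvc mockMvc;

    // Anonymous request: formLogin() redirects to the login page
    // (MockMvc requests default to http://localhost, so the Location is absolute).
    @Test
    void anonymousUserIsRedirectedToLogin() throws Exception {
        mockMvc.perform(get("/closed"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("http://localhost/login"));
    }

    // roles = "USER" grants ROLE_USER; the antMatchers rule, not the template,
    // is what returns 403 here.
    @Test
    @WithMockUser(username = "john", roles = "USER")
    void userRoleIsForbiddenOnClosed() throws Exception {
        mockMvc.perform(get("/closed"))
               .andExpect(status().isForbidden());
    }

    // ROLE_ADMIN satisfies hasRole("ADMIN").
    @Test
    @WithMockUser(username = "jane", roles = {"USER", "ADMIN"})
    void adminRoleCanOpenClosed() throws Exception {
        mockMvc.perform(get("/closed"))
               .andExpect(status().isOk());
    }

    // The home page rendered for a USER must contain the USER block and the
    // username, and must not contain the ADMIN block. This only passes when
    // SpringSecurityDialect is actually active, so it also confirms the
    // springsecurity5 artifact + @Bean change from the answer.
    @Test
    @WithMockUser(username = "john", roles = "USER")
    void homePageHidesAdminMarkupForUser() throws Exception {
        mockMvc.perform(get("/"))
               .andExpect(status().isOk())
               .andExpect(content().string(containsString("Text visible to user.")))
               .andExpect(content().string(not(containsString("Text visible to admin."))))
               .andExpect(content().string(containsString("john")));
    }
}
```

One caveat the test does not cover: the question's `configure(HttpSecurity)` lists only "/" and "/closed" and never ends with `.anyRequest().authenticated()`, so any other URL in the application is reachable without logging in. Adding that terminal rule is the usual fix, and a further test with an unlisted path would catch the omission.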
