0
votes

I am trying to add a link to a new row in a table; this link should only be accessible to the ADMIN role.

spring boot: 1.4.0.RELEASE & thymeleaf-extras-springsecurity4.version: 2.1.2.RELEASE

<sec:authorize access="hasRole('ROLE_ADMIN')">
    <tr>
        <td>...</td>
        <td>...</td>
    </tr>
</sec:authorize>

Namespaces used are:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

WebSecurityConfigAdapter:

http.authorizeRequests()
        .antMatchers("/api/systemuser/*").access("hasRole('ROLE_ADMIN')")
        //.antMatchers("/*").access("hasRole('ROLE_ADMIN')")
        //.antMatchers("/ui/report/win").access("hasRole('ROLE_USER')")
        //.antMatchers("/userError").access("hasRole('ROLE_ERROR')")
        .antMatchers("/swagger*/**", "/about", "/").authenticated()
        .anyRequest().authenticated()
        .and()
        .httpBasic()
        .authenticationEntryPoint(authenticationEntryPoint);
http.csrf().disable();

But with this code, even users without ADMIN privileges are able to view the row of the table.

Can someone please help me with the way forward?

1
Are you sure you add the right roles to the user during your implementation of AuthenticationProvider.authenticate(...)? - daN
Yes, I am sure about it - Jayesh Mulwani
You can try removing the call to .access() and use the hasRole("ADMIN") method directly. You shouldn't need the ROLE_ prefix anymore either. - vphilipnyc
He needs to show/hide an html element; even removing the access() he still has the same necessity. - daN

1 Answer

0
votes

It should work. I'm pretty sure that you are adding the ROLE_ADMIN also to this user. Try to debug the controller that renders the jsp where you are using the tag, then obtain your principal object from the Authentication

authentication.getPrincipal()

and traverse the object until you find the GrantedAuthority objects; there, check if the user has the ROLE_ADMIN.
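A concrete way to carry out the check the answer describes, as an added example that is not code from the question or the answer: a small helper that walks `Authentication.getAuthorities()` and applies the same `ROLE_` prefix rule that Spring Security's `hasRole()` uses, so you can log or assert exactly which authorities the user that should not see the row actually carries. The two `UsernamePasswordAuthenticationToken` values in `main` are constructed stand-ins for what your `AuthenticationProvider.authenticate(...)` returns; the class name `RoleCheck` and the method names are my own.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not part of the original post): reproduces the decision
 * sec:authorize="hasRole('ROLE_ADMIN')" makes, so the authorities on a
 * given Authentication can be inspected directly while debugging.
 */
public final class RoleCheck {

    private static final String PREFIX = "ROLE_";

    private RoleCheck() {}

    /** Same rule as hasRole(): prepend "ROLE_" unless the name already carries it. */
    static String withRolePrefix(String role) {
        return role.startsWith(PREFIX) ? role : PREFIX + role;
    }

    /** Names of all GrantedAuthority objects on the token, for logging. */
    public static List<String> authorityNames(Authentication auth) {
        List<String> names = new ArrayList<>();
        if (auth == null) {
            return names;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            names.add(ga.getAuthority());
        }
        return names;
    }

    /** True only if the token is authenticated and carries the (prefixed) role. */
    public static boolean hasRole(Authentication auth, String role) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        String wanted = withRolePrefix(role);
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (wanted.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** For use inside a controller: inspect the Authentication of the current request. */
    public static boolean currentUserHasRole(String role) {
        return hasRole(SecurityContextHolder.getContext().getAuthentication(), role);
    }

    public static void main(String[] args) {
        // Constructed sample: the token an AuthenticationProvider would return for an admin.
        // The three-argument constructor marks the token as authenticated.
        Authentication admin = new UsernamePasswordAuthenticationToken("alice", "n/a",
                Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"),
                              new SimpleGrantedAuthority("ROLE_USER")));

        // Constructed sample of a frequent mistake: the authority was stored as "ADMIN",
        // which hasRole('ROLE_ADMIN') will never match.
        Authentication mislabeled = new UsernamePasswordAuthenticationToken("bob", "n/a",
                Collections.singletonList(new SimpleGrantedAuthority("ADMIN")));

        for (Authentication auth : Arrays.asList(admin, mislabeled)) {
            System.out.println(auth.getName() + " authorities=" + authorityNames(auth)
                    + " ROLE_ADMIN? " + hasRole(auth, "ROLE_ADMIN"));
        }
    }
}
```

Call `authorityNames(...)` from a breakpoint or a log line in the controller that renders the template: if the non-admin user's list contains `ROLE_ADMIN`, the provider is granting too much, which is what the answer suspects; if it contains something like `ADMIN` without the prefix, `hasRole('ROLE_ADMIN')` will not match it either way. Hiding the row is only presentation; the endpoint the link points at still needs its own rule, which the question's `.antMatchers("/api/systemuser/*").access("hasRole('ROLE_ADMIN')")` line already provides.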