Thymeleaf "extras" integration module for Spring Security 3.x and 4.x

Thymeleaf - Spring Security integration modules

[Please make sure to select the branch corresponding to the version of Thymeleaf you are using]

Status

This is a Thymeleaf Extras module, not a part of the Thymeleaf core (and as such following its own versioning schema), but fully supported by the Thymeleaf team.

This repository contains 3 projects:

  • thymeleaf-extras-springsecurity5 for integration with Spring Security 5.x
  • thymeleaf-extras-springsecurity6 for integration with Spring Security 6.x

Current versions:

  • Version 3.0.4.RELEASE - for Thymeleaf 3.0 (requires Thymeleaf 3.0.10+)
  • Version 2.1.3.RELEASE - for Thymeleaf 2.1 (requires Thymeleaf 2.1.2+)

License

This software is licensed under the Apache License 2.0.

Requirements (3.0.x)

  • Thymeleaf 3.0.10+
  • Spring Framework version 3.0.x to 5.1.x
  • Spring Security version 3.0.x to 5.1.x
  • Web environment (Spring Security integration cannot work offline). Works with both Spring MVC and Spring WebFlux.

Maven info

  • groupId: org.thymeleaf.extras
  • artifactId:
    • Spring Security 5 integration package: thymeleaf-extras-springsecurity5
    • Spring Security 6 integration package: thymeleaf-extras-springsecurity6

Distribution packages

Distribution packages (binaries + sources + javadoc) can be downloaded from bintray.

Features

This module provides a new dialect called org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect or org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect (depending on the Spring Security version), with default prefix sec. It includes:

  • New expression utility objects:
    • #authentication representing the Spring Security authentication object (an object implementing the org.springframework.security.core.Authentication interface).
    • #authorization: an expression utility object with methods for checking authorization based on expressions, URLs and Access Control Lists.
  • New attributes:
    • sec:authentication="prop" outputs a prop property of the authentication object, similar to the Spring Security <sec:authentication/> JSP tag.
    • sec:authorize="expr" or sec:authorize-expr="expr" renders the element children (tag content) if the authenticated user is authorized to see it according to the specified Spring Security expression.
    • sec:authorize-url="url" renders the element children (tag content) if the authenticated user is authorized to see the specified URL.
    • sec:authorize-acl="object :: permissions" renders the element children (tag content) if the authenticated user has the specified permissions on the specified domain object, according to Spring Source's Access Control List system.

Configuration

In order to use the thymeleaf-extras-springsecurity[5|6] modules in our Spring MVC application (or thymeleaf-extras-springsecurity6 in a Spring WebFlux application), we will first need to configure our application in the usual way for Spring + Thymeleaf applications (TemplateEngine bean, template resolvers, etc.), and add the SpringSecurity dialect to our Template Engine so that we can use the sec:* attributes and special expression utility objects:

<bean id="templateEngine" class="org.thymeleaf.spring5.SpringTemplateEngine">
  ...
  <property name="additionalDialects">
    <set>
      <!-- Note the package would change to 'springsecurity[5]' if you are using that version -->
      <bean class="org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect"/>
    </set>
  </property>
  ...
</bean>

And that's all!

NOTE: If we are using Thymeleaf in a Spring Boot application, all that will be needed is to add the corresponding Thymeleaf and Spring Security starters to our application as well as the thymeleaf-extras-springsecurity[5|6] dependency, and this dialect will be automatically configured for us.

Using the expression utility objects

The #authentication object can be easily used, like this:

<div th:text="${#authentication.name}">
  The value of the "name" property of the authentication object should appear here.
</div>

The #authorization object can be used in a similar way, normally in th:if or th:unless attributes:

<div th:if="${#authorization.expression('hasRole(''ROLE_ADMIN'')')}">
  This will only be displayed if authenticated user has role ROLE_ADMIN.
</div>

The #authorization object is an instance of org.thymeleaf.extras.springsecurity[5|6].auth.Authorization, see this class and its documentation to understand all the methods offered.

Using the attributes

The sec:authentication attribute is equivalent to using the #authentication object, but as a dedicated attribute:

<div sec:authentication="name">
  The value of the "name" property of the authentication object should appear here.
</div>

The sec:authorize and sec:authorize-expr attributes are exactly the same. They work equivalently to a th:if that evaluated an #authorization.expression(...) expression, by evaluating a Spring Security Expression:

<div sec:authorize="hasRole('ROLE_ADMIN')">
  This will only be displayed if authenticated user has role ROLE_ADMIN.
</div>

These Spring Security Expressions in sec:authorize attributes are in fact Spring EL expressions evaluated on a SpringSecurity-specific root object containing methods such as hasRole(...), getPrincipal(), etc.

As with normal Spring EL expressions, Thymeleaf allows you to access a series of objects from them including the context variables map (the #vars object). In fact, you are allowed to surround your access expression with ${...} if it makes you feel more comfortable:

<div sec:authorize="${hasRole(#vars.expectedRole)}">
  This will only be displayed if authenticated user has a role computed by the controller.
</div>

Remember that Spring Security sets a special security-oriented object as expression root, which is why you would not be able to access the expectedRole variable directly in the above expression.

Another way of checking authorization is sec:authorize-url, which allows you to check whether a user is authorized to visit a specific URL or not:

<div sec:authorize-url="/admin">
  This will only be displayed if authenticated user can call the "/admin" URL.
</div>

To check a specific HTTP method, put it before the URL:

<div sec:authorize-url="POST /admin">
  This will only be displayed if authenticated user can call the "/admin" URL
  using the POST HTTP method.
</div>
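
The sec:authorize-url checks above are answered from the application's Spring Security URL rules, and the attribute only controls what is rendered, so the endpoint itself must carry the same restriction. The following is an added example, not code from this project: it assumes Spring Security 6 with thymeleaf-spring6, an existing ITemplateResolver bean, and a hypothetical class name, package and ROLE_AUDITOR role.

```java
package com.example.demo; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
import org.thymeleaf.spring6.SpringTemplateEngine;
import org.thymeleaf.templateresolver.ITemplateResolver;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig { // hypothetical class name

    // Java-config counterpart of the XML bean shown under "Configuration":
    // registers the dialect so templates can use sec:* and #authorization.
    // Assumes an ITemplateResolver bean is defined elsewhere.
    @Bean
    public SpringTemplateEngine templateEngine(ITemplateResolver templateResolver) {
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(templateResolver);
        engine.addDialect(new SpringSecurityDialect());
        return engine;
    }

    // Server-side enforcement. Hiding a <div> with sec:authorize-url does
    // not stop a direct request; these rules do, and they are also what the
    // template checks are evaluated against.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Only ROLE_ADMIN may submit changes to /admin.
                .requestMatchers(HttpMethod.POST, "/admin").hasAuthority("ROLE_ADMIN")
                // Constructed rule: auditors may read /admin but not POST to it.
                .requestMatchers(HttpMethod.GET, "/admin")
                    .hasAnyAuthority("ROLE_ADMIN", "ROLE_AUDITOR")
                // Everything else requires a logged-in user.
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With these rules, a user holding only ROLE_AUDITOR fails the sec:authorize-url="POST /admin" check, and a POST sent directly to /admin is rejected by the filter chain regardless of what the template rendered.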

Finally, there is an attribute for checking authorization using Spring Security's Access Control Lists, which needs the specification of a domain object and the permissions defined on it that we are asking for.

<div sec:authorize-acl="${obj} :: '1,3'">
  This will only be displayed if authenticated user has permissions "1" and "3"
  on domain object referenced by context variable "obj".
</div>

In this attribute, both the domain object and the permission specifications are considered to be Thymeleaf Standard Expressions.

Namespace

The namespace for all versions of this dialect is http://www.thymeleaf.org/extras/spring-security.

<html xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

Getting the namespace incorrect won't impact processing of your template. It might however impact your IDE when it comes to things like suggestions/auto-completion in your templates.
