sec:authorize returning true for both isAuthenticated() and isAnonymous() in thymeleaf view


Problem description


In my current spring-boot project, I have in my view a snippet of code like this in my thymeleaf view:

<div class="account">
    <ul>
        <li id="your-account" sec:authorize="isAnonymous()">
            ... code 1 ...
        </li>
        <li id="your-account" sec:authorize="isAuthenticated()">
            ... code 2 ...
        </li>
        <li th:if="${cart}">
            ...
        </li>
    </ul>
</div>

where only one of the snippets 1 or 2 should be displayed at the same time. But right now, when I open this view in the browser, the two areas are being displayed.

Can anyone see what's wrong here?

ps.: my thymeleaf configuration class is this:

@Configuration
public class Thymeleaf {

  @Bean
  public SpringTemplateEngine templateEngine() {
    SpringTemplateEngine engine  =  new SpringTemplateEngine();

    final Set<IDialect> dialects = new HashSet<IDialect>();
    dialects.add( new SpringSecurityDialect() );
    engine.setDialects( dialects );

    return engine;
  }

}

ps.: my spring-security configuration class is this:

@Configuration
@ComponentScan(value="com.spring.loja")
@EnableGlobalMethodSecurity(prePostEnabled=true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private SocialUserDetailsService socialUserDetailsService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private AuthenticationManagerBuilder auth;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .authorizeRequests()
                .antMatchers("/b3/**", "/v1.1/**", "/**", "/destaque/**", "/categoria/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/login").permitAll()
                .usernameParameter("login")
                .passwordParameter("senha")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
            .apply(new SpringSocialConfigurer());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setPermissionEvaluator(new CustomPermissionEvaluator());
        web.expressionHandler(handler);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return auth.getOrBuild();
    }
}

Solution

My fix was to add thymeleaf-extras-springsecurity4 to my web app dependencies.

I had a parent pom that was importing spring boot (1.4.1.RELEASE), which includes the thymeleaf extras, but my child pom (which houses the web app code) needed to call out the specific thymeleaf extras dependency like so:

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>

And voilà ... it now works.

I was attempting to do:

<div sec:authorize="hasRole('ROLE_USER')"></div>

in a thymeleaf template (.html file) to only show that div and its contents when a user was logged in. However, it was showing that div all the time.

I wish it would have thrown an error saying it couldn't recognize the spring security tag prior to including the thymeleaf extras dependency ... it would have made debugging much easier.
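
A regression check for the silent failure described in this answer, added here as an example and not code from the question or the answer. It relies on Thymeleaf copying attributes with an unhandled prefix into the output unchanged, so any `sec:` attribute found in rendered HTML means no Spring Security dialect processed the template; the class name, method name and sample HTML are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UnprocessedSecAttributeCheck {

    // Any sec:* attribute (sec:authorize, sec:authentication, ...) with a quoted value.
    // A processed template never emits these: the dialect consumes the attribute.
    private static final Pattern SEC_ATTR =
            Pattern.compile("\\s(sec:[\\w-]+)\\s*=\\s*(\"[^\"]*\"|'[^']*')");

    /** Returns every sec:* attribute that survived into the rendered HTML. */
    public static List<String> findUnprocessed(String renderedHtml) {
        List<String> leftovers = new ArrayList<>();
        Matcher m = SEC_ATTR.matcher(renderedHtml);
        while (m.find()) {
            leftovers.add(m.group(1) + "=" + m.group(2));
        }
        return leftovers;
    }

    public static void main(String[] args) {
        // Constructed sample: response body when nothing handled the sec: prefix,
        // so both list items reach the browser regardless of login state.
        String broken =
                "<ul>\n"
              + "<li id=\"your-account\" sec:authorize=\"isAnonymous()\">... code 1 ...</li>\n"
              + "<li id=\"your-account\" sec:authorize=\"isAuthenticated()\">... code 2 ...</li>\n"
              + "</ul>";

        // Constructed sample: response body for an anonymous visitor once the
        // dialect is active; the attribute is gone and only one item remains.
        String working =
                "<ul>\n<li id=\"your-account\">... code 1 ...</li>\n</ul>";

        List<String> bad = findUnprocessed(broken);
        List<String> good = findUnprocessed(working);
        System.out.println("broken page leftovers:  " + bad);
        System.out.println("working page leftovers: " + good);

        // Fail loudly instead of silently showing protected markup to everyone.
        if (bad.size() != 2 || !good.isEmpty()) {
            throw new AssertionError("unexpected scan result");
        }
    }
}
```

In a project test suite, the same scan can be run over the response body of each rendered page so that a missing dialect fails the build.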
