sec:authorize returning true for both isAuthenticated() and isAnonymous() in thymeleaf view
In my current spring-boot project, I have the following code snippet in a thymeleaf view:
```html
<ul>
  <li id="your-account" sec:authorize="isAnonymous()">
    ... code 1 ...
  </li>
  <li id="your-account" sec:authorize="isAuthenticated()">
    ... code 2 ...
  </li>
  <li th:if="${cart}">
    ...
  </li>
</ul>
```
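where only one of snippets 1 and 2 should be displayed at a time. But right now, when I open this view in the browser, both areas are displayed.
Can anyone see what is wrong here?
P.S.: my thymeleaf configuration class is this: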
```java
@Configuration
public class Thymeleaf {

    @Bean
    public SpringTemplateEngine templateEngine() {
        SpringTemplateEngine engine = new SpringTemplateEngine();

        final Set<IDialect> dialects = new HashSet<IDialect>();
        dialects.add( new SpringSecurityDialect() );
        engine.setDialects( dialects );

        return engine;
    }

}
```
P.S.: my spring-security configuration class is:
```java
@Configuration
@ComponentScan(value="com.spring.loja")
@EnableGlobalMethodSecurity(prePostEnabled=true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private SocialUserDetailsService socialUserDetailsService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private AuthenticationManagerBuilder auth;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .authorizeRequests()
                .antMatchers("/b3/**","/v1.1/**","/**","/destaque/**","/categoria/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/login").permitAll()
                .usernameParameter("login")
                .passwordParameter("senha")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
            .apply(new SpringSocialConfigurer());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setPermissionEvaluator(new CustomPermissionEvaluator());
        web.expressionHandler(handler);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return auth.getOrBuild();
    }
}
```
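My solution was to
I have a parent pom that imports spring boot (1.4.1.RELEASE), which includes thymeleaf extras, but my child pom (which contains the web application code) needed to call out the specific thymeleaf extras dependency, like this: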
```xml
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
```
Voila... now it works.
I was trying to do:
1 |
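in a thymeleaf template (.html file) to show that div and its contents only when the user is logged in. However, it kept showing that div.
I wish it would throw an error saying that it could not recognize the spring security tags before I included the thymeleaf extras dependency... it would have made debugging much easier.
This may be due to the thymeleaf-extras-springsecurity4 artifact missing from the classpath. I ran into this problem and found (after pulling out most of my hair) that the SpringSecurity dialect was not being loaded by thymeleaf because the jar was missing. I added this dependency as follows: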
```xml
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
```
Hope this helps. See https://stackoverflow.com/a/31622977/4091838
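The silent failure described in the answers above can be caught in a test: Thymeleaf removes the attributes it has processed, so a `sec:` attribute that survives into the rendered HTML means no Spring Security dialect handled it. The following is an added example, not code from the question or the answers; the class name, method name and sample HTML are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: flags sec:* attributes that reached the browser unprocessed. */
public class UnprocessedSecAttributeCheck {

    // Thymeleaf strips attributes it has processed; a "sec:" attribute still
    // present in rendered output means no dialect handled that prefix.
    private static final Pattern SEC_ATTR =
            Pattern.compile("\\ssec:([A-Za-z-]+)\\s*=\\s*(\"[^\"]*\"|'[^']*')");

    /** Returns every leftover sec:* attribute found in the rendered HTML. */
    public static List<String> findUnprocessed(String renderedHtml) {
        List<String> leftovers = new ArrayList<>();
        Matcher m = SEC_ATTR.matcher(renderedHtml);
        while (m.find()) {
            leftovers.add(m.group().trim());
        }
        return leftovers;
    }

    public static void main(String[] args) {
        // Constructed sample: output when the dialect is missing (both <li> kept).
        String dialectMissing =
              "<ul>\n"
            + "  <li id=\"your-account\" sec:authorize=\"isAnonymous()\">Sign in</li>\n"
            + "  <li id=\"your-account\" sec:authorize=\"isAuthenticated()\">My account</li>\n"
            + "</ul>";
        // Constructed sample: output for an anonymous visitor with the dialect active.
        String dialectActive =
              "<ul>\n"
            + "  <li id=\"your-account\">Sign in</li>\n"
            + "</ul>";

        for (String html : new String[] {dialectMissing, dialectActive}) {
            List<String> leftovers = findUnprocessed(html);
            if (leftovers.isEmpty()) {
                System.out.println("OK: no unprocessed sec:* attributes");
            } else {
                System.out.println("FAIL-OPEN: dialect not applied -> " + leftovers);
            }
        }
    }
}
```

Running `findUnprocessed` over the body of a rendered page in an integration test turns the missing-dialect case into a failing build instead of a view that shows both branches.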
I tried all of the above, but it did not work for me; it may be useful for others, though. What worked for me was the following:
```xml
<properties>
    <thymeleaf.version>3.0.9.RELEASE</thymeleaf.version>
    <thymeleaf-layout-dialect.version>2.2.2</thymeleaf-layout-dialect.version>
    <thymeleaf-extras-springsecurity4.version>3.0.2.RELEASE</thymeleaf-extras-springsecurity4.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
</properties>
```
Here is my thymeleaf configuration setup:
```java
@Bean
public SpringTemplateEngine templateEngine() {
    SpringTemplateEngine templateEngine = new SpringTemplateEngine();
    templateEngine.setTemplateResolver(thymeleafTemplateResolver());
    templateEngine.setEnableSpringELCompiler(true);
    templateEngine.addDialect(new SpringSecurityDialect());
    return templateEngine;
}

@Bean
public SpringResourceTemplateResolver thymeleafTemplateResolver() {
    SpringResourceTemplateResolver templateResolver = new SpringResourceTemplateResolver();
    templateResolver.setPrefix("classpath:templates/");
    templateResolver.setSuffix(".html");
    templateResolver.setCacheable(false);
    templateResolver.setTemplateMode(TemplateMode.HTML);
    return templateResolver;
}

@Bean
public ThymeleafViewResolver thymeleafViewResolver() {
    ThymeleafViewResolver viewResolver = new ThymeleafViewResolver();
    viewResolver.setTemplateEngine(templateEngine());
    viewResolver.setCharacterEncoding("UTF-8");
    return viewResolver;
}
```
In your configuration, you have set all URLs to have anonymous access
```java
.antMatchers("/b3/**","/v1.1/**","/**","/destaque/**","/categoria/**").permitAll()
```
Try this
```java
.antMatchers("/b3/**","/v1.1/**","/**","/destaque/**","/categoria/**")
.anyRequest().authenticated()
.and()
```
Because of allowAll(), all URLs are accessible to both anonymous and authenticated users, so both are shown. Try a switch case to avoid such pitfalls.
In my case
```properties
spring.jpa.hibernate.ddl-auto=auto
```
to
```properties
spring.jpa.hibernate.ddl-auto=none
```
The solution was in the application.properties file.