I am using Spring 4 and Thymeleaf In my index.xhtml page i wrote:

  <!DOCTYPE html>
  <html xmlns="http://www.w3.org/1999/xhtml"

  <div sec:authorize="hasRole('ROLE_ADMIN')">
      You are authorized user! Hi, <span sec:authentication="name">Username</span>
  <div sec:authorize="isAnonymous()">
       You are NOT authorized user!

As a result I see:

You are authorized user! Hi, Username You are NOT authorized user!

i.e. Spring Security doesn't work

My build.gradle (some dependecies) are:

compile 'org.thymeleaf:thymeleaf-spring4:2.1.2.RELEASE'
compile 'org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE'
compile 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:1.2.3'
compile 'org.springframework.security:spring-security-core:3.2.0.RELEASE'
compile 'org.springframework.security:spring-security-web:3.2.0.RELEASE'
compile 'org.springframework.security:spring-security-config:3.2.0.RELEASE'
compile 'org.springframework.security:spring-security-taglibs:3.2.0.RELEASE'

My spring-security.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Настройка хранилища безопасности -->
            <password-encoder ref="bCryptPasswordEncoder">
            <jdbc-user-service id="jdbcUserService" data-source-ref="dataSource"
                               users-by-username-query="select login, password, is_enabled from users where login = ?"
                               authorities-by-username-query="select u.login, p.`name` 
                    from user_group_ref ug, permission_group_ref pg, users u, groups g, permissions p
                    where ug.user_id=u.id and ug.group_id=g.id and pg.group_id=g.id and pg.permission_id = p.id and u.login = ?"
                               group-authorities-by-username-query="select g.id, g.`name`, p.`name` 
                    from user_group_ref ug, permission_group_ref pg, users u, groups g, permissions p
                    where ug.user_id=u.id and ug.group_id=g.id and pg.group_id=g.id and pg.permission_id = p.id and u.login = ?"

    <http use-expressions="true">
        <!-- URLs на которых сработает интерцептор безопасности (permitAll - разрешить вход всем (в т.ч. анонимным)-->
        <intercept-url pattern="/*" access='permitAll'/>

        <!-- Настройка входа пользователя -->
        <form-login login-page="/account/signin" authentication-failure-url="/account/login/fail"

        <!-- Настройка выхода пользователя -->
        <logout logout-url="/account/logout" />

        <!-- Включает поддержку функции "Запомнить меня" -->
        <remember-me remember-me-parameter="remember_me" user-service-ref="jdbcUserService"/>

    <!-- Если указать этот файл в authentication-provider выше, то юзеры будут храниться в этом файле -->
    <!--    <user-service id="userService"> -->
    <!--        <user name="alexssource" authorities="ROLE_USER" password="123" /> -->
    <!--    </user-service> -->

    <!-- Хеширование паролей -->
        При создании юзера используется так:
        -> PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        -> String encodedPassword = passwordEncoder.encode(password);
    <beans:bean id='bCryptPasswordEncoder' class='org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder'/>

Before, I used the Apache Tiles and for it all works well. I don't understand why Spring Secury don't work with Thymeleaf. Please, help!

  • Is thymeleaf working in general? Do you have other pages that don't have security and are working correctly?
    – geoand
    Commented Apr 28, 2014 at 18:22
  • Yes, my signin page (which has thymleaf tag) works correct Commented Apr 28, 2014 at 19:17
  • And also this index.xhtml page contains a thymleaf tags that works correctly Commented Apr 28, 2014 at 19:30
  • I can't see anything obviously wrong with it...
    – geoand
    Commented Apr 28, 2014 at 19:34
  • 1
    You should probably add that as an answer so future readers will see it without needing to read the comments
    – geoand
    Commented Apr 28, 2014 at 19:55

2 Answers 2


I solved the problem. I just didn't add the SpringSecurityDialect to my config. Now my config looks as

<bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine"> 
  <property name="templateResolver" ref="thymeleafResolver" /> 
  <property name="additionalDialects"> 
      <bean class="nz.net.ultraq.thymeleaf.LayoutDialect" /> 
      <bean class="org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect"/> 

and works fine!

public SpringTemplateEngine templateEngine(){

    SpringTemplateEngine templateEngine = new SpringTemplateEngine();

    // add dialect spring security
    templateEngine.addDialect(new SpringSecurityDialect());
    return templateEngine;

Not the answer you're looking for? Browse other questions tagged or ask your own question.