User Roles and ThymeLeaf Extras

Published on

We learned how to use spring security to build a basic login form in the last lesson. Today we'll be looking at adding user roles and some nice features of the Thymeleaf library to show and hide content based on these roles.


As with all Spring boot applications, some starter libraries make it easy to add jars to your classpath.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">


	<description>An introduction to spring security</description>




		<!-- TEST -->



First, we'll be adding another user to our application's WebSecurityConfig.configureGlobal method. This time giving them a new role admin. The existing user has been granted the user role .roles("USER") :

package dev.mwhyte.spring.sec.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
                .antMatchers( "/css/**", "/images/**", "/favicon.ico").permitAll()
                .and().csrf().disable(); // we'll enable this in a later blog post

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

This now gives us two available users to log in with. Each user is configured with a different role that we can now use to hide and show different content.

The remainder of this class remains unchanged, and the key points can be summarised as:

  • authorizeRequests() — Allows us to configure which resources on our webserver to secure. You can see from our example code we have allowed un-secured access to our CSS, images directory and favicon. All other resources are secured and can only be accessed by an authenticated user.

  • formLogin() Tells spring security that we wish to use a login form. We provide the URL we want to redirect to if the authentication is successful, and finally, we permit access to the login and logout endpoints.

  • We are disabling cross-site request forgery protection, which is enabled by default. We will cover this later in the series.

Thymeleaf: Authorize

Next, we'll be using a Thymeleaf attribute sec:authorize to check user roles before rendering the divs in our index.html page.

To do this, we first need to add the thymeleaf XML namespace to our index.html.

<html xmlns="http://www.w3.org/1999/xhtml"

Then we can use the sec:authorize attribute to check a users roles (what they are authorised to see):

<div sec:authorize="hasRole('ADMIN')">This content is only shown to administrators.§§</div>

<div sec:authorize="hasRole('USER')">This content is only shown to users.</div>

As you can see, the attribute sec:authorize is added to each div, and we use the spring security dialect to check users spring security roles. Content will only be rendered if the logged-in user has that role. i.e. hasRole returns true.

It is important to note that content is not just hidden from view but will not be rendered when our application server returns the page to the browser.

Thymeleaf: Authentication

Another useful Thymeleaf feature is the sec:authentication attribute. This attribute can return various security-related metadata. In the example below, we can retrieve the user's username and roles and display these in our HTML.

  User: <span sec:authentication="name">NOT FOUND</span> Spring Roles:
  <span sec:authentication="principal.authorities">NOT FOUND</span>

For more helpful attribute's see the Thymeleaf documentation


To run the demo, check out the source code and open the Application class and right-click run.

To start the example, port 8080 will need to be available on your machine. If it is not, you can change this default in the application.properties file using:


Set this to whatever value you wish.

Alternatively, you can watch this short video:

Unit Testing

We've added a few more unit tests to cover this new functionality:

package dev.mwhyte.spring.sec;

import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MockMvc;

import static org.hamcrest.core.StringContains.containsString;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

public class ApplicationTests {
    private MockMvc mockMvc;

    public void loginWithValidUserThenAuthenticated() throws Exception {
        FormLoginRequestBuilder login = formLogin()


    public void loginWithInvalidUserThenUnauthenticated() throws Exception {
        FormLoginRequestBuilder login = formLogin()


    public void accessUnsecuredResourceThenOk() throws Exception {

    public void accessSecuredResourceUnauthenticatedThenRedirectsToLogin() throws Exception {

    public void accessSecuredResourceAuthenticatedThenOk() throws Exception {

    @WithMockUser(roles = "USER")
    public void loginWithRoleUserThenExpectUserSpecificContent() throws Exception {
                .andExpect(content().string(containsString("This content is only shown to users.")))
                .andExpect(content().string(doesNotContainString("This content is only shown to administrators.")));

    @WithMockUser(roles = "ADMIN")
    public void loginWithRoleAdminThenExpectAdminSpecificContent() throws Exception {
                .andExpect(content().string(containsString("This content is only shown to administrators.")))
                .andExpect(content().string(doesNotContainString("This content is only shown to users.")));

    private Matcher<String> doesNotContainString(String s) {
        return CoreMatchers.not(containsString(s));


We've created a small utility method doesNotContainString. Using this and Hamcrests containsString method, we can check that content is rendered (or not) based on a particular user role.

Crucially, the spring test annotation @WithMockUser provides the ability to mock certain users—an authenticated user with user or admin roles in our scenario.

Here is a quick recap of the Spring test support we are using:

  • @ExtendWith(SpringExtension.class) - Tells JUnit5 to run unit tests with Spring's testing support
  • @SpringBootTest — Run as spring boot app. i.e. load application.properties and spring beans
  • @AutoConfigureMockMvc — Creates a Test helper class called MockMvc. We can imitate a front-end client making requests to the server from this.
  • @WithMockUser — Provides the ability to mock certain users—an authenticated user in our case.
  • FormLoginRequestBuilder — A utility class that allows us to create a form-based login request.

Next up, we will continue to cover spring security's user roles, but this time we will be redirecting admins to their own admin page (admin.html) and securing this page so that only admin users can access it.

Spring Security — Redirect Based on User Roles


GitHub - mwhyte-dev/spring-security Spring Security docs Thymeleaf + Spring Security integration basics