Concatenate string and variable in sec:authorize thymeleaf tag

Question

I am trying use the thymeleaf tag sec:authorize like that:

sec:authorize="hasPermission(#user, 'listagem_${item.simpleName}')"

but when I deploy and run the project, the string listagem_${item.simpleName} is not processed and the content is not displayed because this.

Anyone know the right way to be able to do this concatenation inside the sec:authorize tag?

UPDATE

after try this:

<span th:text="|hasPermission(#user, 'listagem_${item.simpleName}')|"></span>

and see I get the right result, I try transport the expression: |hasPermission(#user, 'listagem_${item.simpleName}')| to the sec:authorize tag like this:

<li th:each="item : ${menu}" sec:authorize="|hasPermission(#user, 'listagem_${item.simpleName}')|">

but I get this error:

    Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.thymeleaf.exceptions.TemplateProcessingException: An error happened trying to parse Spring Security access expression "|hasPermission(#user, 'listagem_${item.simpleName}')|" (private/home:40)] with root cause

org.springframework.expression.spel.SpelParseException: EL1069E:(pos 0): missing expected character '|'
        at org.springframework.expression.spel.standard.Tokenizer.process(Tokenizer.java:194)
        at org.springframework.expression.spel.standard.Tokenizer.<init>(Tokenizer.java:84)
        at org.springframework.expression.spel.standard.InternalSpelExpressionParser.doParseExpression(InternalSpelExpressionParser.java:121)
        at org.springframework.expression.spel.standard.SpelExpressionParser.doParseExpression(SpelExpressionParser.java:60)
        at org.springframework.expression.spel.standard.SpelExpressionParser.doParseExpression(SpelExpressionParser.java:32)
        at org.springframework.expression.common.TemplateAwareExpressionParser.parseExpression(TemplateAwareExpressionParser.java:76)
        at org.springframework.expression.common.TemplateAwareExpressionParser.parseExpression(TemplateAwareExpressionParser.java:62)
        at org.thymeleaf.extras.springsecurity3.auth.AuthUtils.authorizeUsingAccessExpression(AuthUtils.java:186)
        at org.thymeleaf.extras.springsecurity3.dialect.processor.AuthorizeAttrProcessor.isVisible(AuthorizeAttrProcessor.java:100)
        at org.thymeleaf.processor.attr.AbstractConditionalVisibilityAttrProcessor.processAttribute(AbstractConditionalVisibilityAttrProcessor.java:58)
        at org.thymeleaf.processor.attr.AbstractAttrProcessor.doProcess(AbstractAttrProcessor.java:87)
        at org.thymeleaf.processor.AbstractProcessor.process(AbstractProcessor.java:212)
        at org.thymeleaf.dom.Node.applyNextProcessor(Node.java:1016)
        at org.thymeleaf.dom.Node.processNode(Node.java:971)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.NestableNode.computeNextChild(NestableNode.java:672)
        at org.thymeleaf.dom.NestableNode.doAdditionalProcess(NestableNode.java:655)
        at org.thymeleaf.dom.Node.processNode(Node.java:990)
        at org.thymeleaf.dom.Document.process(Document.java:93)
        at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1155)
        at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1060)
        at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1011)
        at org.thymeleaf.spring4.view.ThymeleafView.renderFragment(ThymeleafView.java:335)
        at org.thymeleaf.spring4.view.ThymeleafView.render(ThymeleafView.java:190)
        at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1228)
        at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1011)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:955)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:877)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:146)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

what I am missing here?

is listagem_ a separate variable you are passing as well? if it is then proper concat would be ${'listagem_'}+${item.simpleName} — Aeseir, Jan 08 '15 at 00:09
@Aeseir this don't work. I get the error: `org.springframework.expression.spel.SpelParseException: EL1043E:(pos 22): Unexpected token. Expected 'rparen())' but was 'lcurly({)'`. — Kleber Mota, Jan 09 '15 at 12:04
so is listagem_ a variable you passing in, as i haven't seen it before in code — Aeseir, Jan 09 '15 at 13:06
@Aeseir no, `listagem_` is a string literal, `item.simpleName` is a string variable. — Kleber Mota, Jan 09 '15 at 13:27
Gotcha, try this |hasPermission(#user, 'listagem_'+${item.simpleName})|, technically that is sound and should work. — Aeseir, Jan 09 '15 at 13:41
@Aeseir copy and past this and get the error: `org.springframework.expression.spel.SpelParseException: EL1069E:(pos 0): missing expected character '|'`. the code: `

score 2 · Answer 1 · answered Dec 18 '15 at 18:15

In my case I had the user role name inside a variable. I finally managed to make it work with

<div th:if="${#authorization.expression('hasRole('''+objectDTO.roleName+''')')}"></div>

The idea came from here (note the double single quotes to escape the name) https://github.com/thymeleaf/thymeleaf-extras-springsecurity#using-the-expression-utility-objects

score 1 · Answer 2 · edited May 23 '17 at 12:31

I have been having similar issues with string concatenation and the sec:authorize attribute in thymeleaf, although not exactly the same circumstances it may be useful to others who come across this problem.

I want to restrict the visibility of certain elements based on user (principal) permissions. In this example I have a page showing customer details which can be accessed by other users but only "account managers" can see the email address. When I hard code the permission string everything works fine:

<th:block sec:authorize="hasAuthority('VIEW_USER_EMAIL')"> ... </th:block>

I'd rather not scatter random strings over my templates though as they are likely to be refactored at some point and it is error prone. I have a class containing a load of public static final String fields called Permission. I would have liked to use an enum but it's not possible to reference from an annotation such as @PreAuthorize or @Secured which I used elsewhere in the application see this question for more details.

The solution is to reference my Permission class from within the expression in the template. This can be achieved using the SpEL type operator T(). I had quite a bit of trouble getting the syntax right through trial an error until finally this worked:

<th:block sec:authorize="hasAuthority(T(com.example.app.Permission).VIEW_USER_EMAIL)"> ... </th:block>

This now means an exception will be thrown if the Permission class or VIEW_USER_EMAIL field doesn't exist or if there was a typo. This is a vast improvement over failing silently and probably denying access.

Below are a few of my previous attempts before I got it working:

sec:authorize="hasAuthority('${T(com.example.app.Permission).VIEW_USER_EMAIL}')" sec:authorize="hasAuthority(${T(com.example.app.Permission).VIEW_USER_EMAIL})" sec:authorize="${hasAuthority('T(com.example.app.Permission).VIEW_USER_EMAIL')}"

It looks like the thymeleaf Spring Security Dialect strips of a leading ${ and trailing } from any expression you pass in and attempts to evaluate the whole expression which is why any form of concatenation probably doesn't work.

For reference, here is my Permission class:

public final class Permission { public static final String VIEW_USER_EMAIL = "VIEW_USER_EMAIL"; }

I also came across another case where I needed to use a variable within an expression and had trouble escaping it, the solution was to use triple single quotes: `th:if="${#authorization.expression('hasAuthority(''' + someObject.permissionString + ''')')}"` — Robert Hunt, Feb 21 '17 at 11:56

score 0 · Answer 3 · answered Apr 21 '23 at 18:51

I`m adding custom security expression with signature hasProjectRole(int projectId, String role), and then use in thymeleaf next trick:

<tr th:each="projectId : ${projects.keySet()}" th:object="${projects.get(projectId)}">
   <th:block th:if="${#authorization.expression(#strings.concat('hasProjectRole(', projectId, ',''ROLE_ADMIN'')'))}">

     ... 

   </th:block>
</tr>

Concatenate string and variable in sec:authorize thymeleaf tag

3 Answers3