Spring Security – User Roles and ThymeLeaf Extras


In this series, I hope to show you some techniques for using spring security and the broader spring ecosystem to build and develop secure application web servers.

In the last lesson, we learnt how to use spring security to build a basic login form.

Today, we’ll be looking at adding user roles and some nice feature’s of the Thymeleaf library to show and hide content based on these roles.

Sample Code

The code for this lesson is available on GitHub

Some files are already set up for you from the previous lesson: Spring Security – basic login form. Please start here or check out the complete code from the link above.


As with all Spring boot application’s, there are a number of ‘Starter’ libraries that make it easy to add jars to your classpath. In addition, these can auto-configure various spring beans and behaviours that we can make use of. Building upon the previous lesson we will be adding:

  • thymeleaf-extras-springsecurity4 – this has a number of additional features over the basic thymeleaf jar.


To begin this lesson we’ll be adding another user to our application’s WebSecurityConfig but this time giving them a new role ‘admin’:



This now gives us two available user’s to log in with. Each is configured with a different role that we can now use to hide and show various content.

Thymeleaf: Authorize

Next, we’ll be using a Thymeleaf attribute sec:authorize to check a users roles before rendering div’s our index.html page.

To do this, go to the index.html page and add the following HTML inside the body tags:

As you can see the sec:authorize attribute is added to each div, and we use something called the spring security dialect to check users spring security roles. Content will only be rendered if the logged-in user has that role. i.e. ‘hasRole’ returns true.

It is important to note that content is not just hidden but will not be rendered at all when our application server returns the page to the browser.

Thymeleaf: Authentication

Another useful Thymeleaf feature is the ‘sec:authentication’ attribute. This can return various security-related metadata. In the example below, we can retrieve the user’s username and roles and display these in our HTML.


For more useful attribute’s see the Thymeleaf documentation: here


To run the demo, open the Application class and right click run. In order to start the example, the port 8080 will need to be available on your machine. If it is not you can change this default in the application.properties file using:

Set this to whatever value you wish.

Unit Testing

We’ve added a few unit tests to cover this new functionality:



As you can see we’ve created a utility method doesNotContainString. Using this and Hamcrests containsString method, we can check that content is rendered (or not) based on a particular user role.


Next up, we will be continuing to cover spring security’s user roles, but this time we will be redirecting admins to there own admin page (admin.html) and securing this page so that only admin users can access it.