How to use thymeleaf-extras-springsecurity6 in a non-web application? #95

@yvasyliev

So I'm building a non-web application with the Spring Security feature enabled, and I would like to use the xmlns:sec namespace in my templates.

Currently, any sec: attribute evaluation will fail because Thymeleaf expects org.springframework.security.core.Authentication to be present within either a WebMvcContext or a WebFluxContext.

I found the place where it happens:

    @Override
    protected boolean isVisible(
            final ITemplateContext context, final IProcessableElementTag tag,
            final AttributeName attributeName, final String attributeValue) {
        final String attrValue = (attributeValue == null ? null : attributeValue.trim());
        if (attrValue == null || attrValue.length() == 0) {
            return false;
        }
        final Authentication authentication = AuthUtils.getAuthenticationObject(context);
        if (authentication == null) {
            return false;
        }
        return AuthUtils.authorizeUsingAccessExpression(context, attrValue, authentication);
    }

    final Authentication authentication =
            SpringSecurityContextUtils.getAuthenticationObject(context);

    public static Authentication getAuthenticationObject(final IContext context) {
        if (SpringVersionSpecificUtils.isWebMvcContext(context)) {
            return SpringSecurityWebMvcApplicationContextUtils.getAuthenticationObject();
        }
        if (SpringVersionSpecificUtils.isWebFluxContext(context)) {
            return SpringSecurityWebFluxApplicationContextUtils.getAuthenticationObject(context);
        }
        throw new IllegalStateException(
                "Could not obtain authentication object: Thymeleaf context is neither an implementation of " +
                "IWebContext (for Spring MVC apps) nor ISpringWebFluxContext (for Spring WebFlux apps). " +
                "Thymeleaf's Spring Security support can only be used in web applications.");
    }

SpringSecurityContextUtils.getAuthenticationObject is static, and I cannot override it.

AuthorizeAttrProcessor.isVisible is protected and I could override it, but the AuthorizeAttrProcessor object is fetched from org.thymeleaf.engine.ProcessorExecutionVars#processorIterator which is package-private!

This makes all authorization-related logic non-customizable!
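Added reproducer for the behaviour described above (not code from the issue author or from the thymeleaf-extras-springsecurity project): it renders a template with sec:authorize through Thymeleaf's plain Context, outside any web request. The template, the user name and the ROLE_ADMIN grant are constructed; the point is that the context check quoted above is reached and the IllegalStateException surfaces, so the guarded element is neither shown nor silently dropped.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class NonWebSecAuthorizeRepro {

    // Constructed template: a single element guarded by sec:authorize.
    private static final String TEMPLATE =
            "<div xmlns:sec=\"http://www.thymeleaf.org/extras/spring-security\">"
          + "<span sec:authorize=\"hasRole('ADMIN')\">admin-only</span>"
          + "</div>";

    public static void main(String[] args) {
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(new StringTemplateResolver());
        engine.addDialect(new SpringSecurityDialect());

        // Constructed principal holding ROLE_ADMIN. Outside a web context the dialect
        // never consults SecurityContextHolder, so this grant does not affect the outcome.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", null,
                        AuthorityUtils.createAuthorityList("ROLE_ADMIN")));

        try {
            // org.thymeleaf.context.Context is neither IWebContext nor ISpringWebFluxContext,
            // so SpringSecurityContextUtils.getAuthenticationObject throws IllegalStateException.
            String html = engine.process(TEMPLATE, new Context());
            System.out.println("rendered: " + html);
        } catch (RuntimeException e) {
            // Thymeleaf may wrap the processor's exception; walk down to the root cause.
            Throwable t = e;
            while (t.getCause() != null && !(t instanceof IllegalStateException)) {
                t = t.getCause();
            }
            System.out.println("sec:authorize outside a web context failed closed: " + t.getMessage());
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```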
