I'm developing an application using Spring MVC and Thymeleaf.
I'm trying to use sec:authorize to load JavaScript. In other words, I only want this script to load when the user is authenticated. Here is the code I'm trying to get to work:

<script src="/js/jquery.min.js"
        th:src="@{/js/jquery.min.js}"></script>
<script src="/js/submit.js"
        th:src="@{/js/submit.js}"></script>
<script src="/js/url.js"
        th:src="@{/js/url.js}"></script>

<!-- admin -->
<script sec:authorize="isAuthenticated()" src="/js/jquery.simplemodal-1.4.4.js"
        th:src="@{/js/jquery.simplemodal-1.4.4.js}"></script>
<script sec:authorize="isAuthenticated()" src="/js/admin.js"
        th:src="@{/js/admin.js}"></script>

These last 2 resources I'm trying to use sec:authorize to load, but they seem to handle every time I load the page. Is this a valid way to use sec:authorize? If it isn't, is there any way to do this?

Juan Carlos
  • Is this helpful to you? http://stackoverflow.com/questions/23348341/spring-security-and-thymeleaf-doesnt-work - probably you're missing some thymeleaf configuration – kamil Jun 02 '15 at 21:36
  • Instead of using isAuthenticated() I used hasRole('ROLE_ADMIN') as posted on the link you provided and it worked. Should I delete my question? (new on stackoverflow). – Juan Carlos Jun 02 '15 at 21:52

1 Answer

isAuthenticated() may be returning ROLE_ANONYMOUS, which is a legit role, hence why it's returning true and rendering your script.

Here is a good explanation of why a user can be authenticated by anonymous (which in turn breaks your logic): Why is the 'anonymousUser' authenticated in Spring Security?

To circumvent that and specifically advise that you want a user with specific access, there is a need for roles such as ROLE_USER, ROLE_ADMIN.

Hope that helps.

Community
Aeseir
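
As an added illustration (not code from the question or the answer), this stand-alone Java program builds the two kinds of Authentication object involved and shows that the anonymous token is itself flagged as authenticated and holds ROLE_ANONYMOUS, while the role lookup is what singles out the admin. It assumes spring-security-core on the classpath; the class name, the `hasAuthority` helper, the key and the user names are constructed for the demo.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class AnonymousTokenDemo {

    // Hypothetical helper for this demo: look an authority up by its name.
    static boolean hasAuthority(Authentication auth, String role) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Summarise what each check reports for a given Authentication object.
    static String describe(String label, Authentication auth) {
        // The trust resolver is how Spring Security recognises anonymous tokens.
        AuthenticationTrustResolver resolver = new AuthenticationTrustResolverImpl();
        return String.format(
                "%-8s token.isAuthenticated()=%b isAnonymous=%b ROLE_ADMIN=%b authorities=%s",
                label, auth.isAuthenticated(), resolver.isAnonymous(auth),
                hasAuthority(auth, "ROLE_ADMIN"), auth.getAuthorities());
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of token held for a visitor who never logged in.
        List<GrantedAuthority> anonymousRoles =
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
        Authentication visitor =
                new AnonymousAuthenticationToken("demo-key", "anonymousUser", anonymousRoles);

        // Constructed sample: a logged-in administrator.
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "admin", "N/A", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        System.out.println(describe("visitor", visitor));
        System.out.println(describe("admin", admin));
    }
}
```
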
  • Thank you, even though it worked I kept wondering why and this was very useful. The correct way to do that would be: – Juan Carlos Jun 04 '15 at 14:47