OR condition for th:if statement in Thymeleaf

Question

I've tried several variations of the following with no luck:

<th:block th:if="${currentRole} != 'EMPLOYEE' OR 'MANAGER'}">
    <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>

I'm trying to simply show a login button if the value ${currentRole} is neither EMPLOYEE nor MANAGER . The thing is, if I set the if condition to one of either ${currentRole} != 'EMPLOYEE' or ${currentRole} != 'MANAGER' it works perfectly fine. Why doesn't it work when I check for two conditions?

Stack trace:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.thymeleaf.exceptions.TemplateInputException: An error happened during template parsing (template: "class path resource [templates/home.html]")
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:976)
    org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:856)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:841)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

Answer 1

Try the following:

<th:block sec:authorize="!hasAnyRole('EMPLOYEE', 'MANAGER')">
 <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>

Assuming:

<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-4.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

Answer 2

You didn't include the actual error in your stacktrace but I would expect it's something like java.lang.IllegalArgumentException: Invalid boolean value 'MANAGER'

Your expression doesn't make sense if you look at it this way: ${(currentRole != 'EMPLOYEE') OR 'MANAGER'} . There are no shortcuts for comparing a string to two different strings the way you are trying to; you need to write an entire expression. Something like this for example:

<!-- Assuming you are trying to test if the role is not 'EMPLOYEE' or 'MANAGER' -->
<th:block th:if="${currentRole != 'EMPLOYEE' AND currentRole != 'MANAGER'}">
    <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>

Also, you don't need the <th:block /> . You can simplify it to something like this:

<a th:if="${currentRole != 'EMPLOYEE' AND currentRole != 'MANAGER'}" href="/login" th:href="@{/login}" class="btn-login">Log In</a>

Answer 3

I noticed no one actually answered your question. This is because Thymeleaf documentation is not the best. However, if I may, there are syntax errors in your code.

1. Thymleaf is case sensitive thus OR != or. You should either use "or" or ||
2. You closed the expression before you even finished checking.
3. In the case of AND it's "and" or &&

That said, your code:

<th:block th:if="${currentRole} != 'EMPLOYEE' OR 'MANAGER'}">
  <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>

will become:

<th:block th:if="${currentRole != 'EMPLOYEE' && currentRole != 'MANAGER'}">
  <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>

or could be:

<th:block th:if="${currentRole != 'EMPLOYEE' and currentRole != 'MANAGER'}">
  <a href="/login" th:href="@{/login}" class="btn-login">Log In</a>
</th:block>