SEC-1494: Added system property "spring.security.disableUISecurity" which will prevent authorize tags from hiding content. By default, the property will also cause the area that would normally be hidden to be decorated with a <span class="securityHiddenUI"> tag, thus allowing the area to be rendered with some distinguishing css (e.g. a different background colour).

15 years ago · 00200cecbc
4 changed files with 85 additions and 8 deletions
--- a/taglibs/src/main/java/org/springframework/security/taglibs/TagLibConfig.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/TagLibConfig.java
@ -0,0 +1,62 @@
				@@ -0,0 +1,62 @@
+package org.springframework.security.taglibs;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.servlet.jsp.tagext.Tag;
+
+/**
+ * internal cconfiguration class for taglibs.
+ *
+ * Not for public use.
+ *
+ * @author Luke Taylor
+ */
+public final class TagLibConfig {
+    static Log logger = LogFactory.getLog("spring-security-taglibs");
+
+    static final boolean DISABLE_UI_SECURITY;
+    static final String SECURED_UI_PREFIX;
+    static final String SECURED_UI_SUFFIX;
+
+    static {
+        String db = System.getProperty("spring.security.disableUISecurity");
+        String prefix = System.getProperty("spring.security.securedUIPrefix");
+        String suffix = System.getProperty("spring.security.securedUISuffix");
+
+        SECURED_UI_PREFIX = prefix == null ? "<span class=\"securityHiddenUI\">" : prefix;
+        SECURED_UI_SUFFIX = suffix == null ? "</span>" : suffix;
+
+        DISABLE_UI_SECURITY = "true".equals(db);
+
+        if (DISABLE_UI_SECURITY) {
+            logger.warn("***** UI security is disabled. All unauthorized content will be displayed *****");
+        }
+    }
+
+    /**
+     * Returns EVAL_BODY_INCLUDE if the authorized flag is true or UI security has been disabled.
+     * Otherwise returns SKIP_BODY.
+     *
+     * @param authorized whether the user is authorized to see the content or not
+     */
+    public static int evalOrSkip(boolean authorized) {
+        if (authorized || DISABLE_UI_SECURITY) {
+            return Tag.EVAL_BODY_INCLUDE;
+        }
+
+        return Tag.SKIP_BODY;
+    }
+
+    public static boolean isUiSecurityDisabled() {
+        return DISABLE_UI_SECURITY;
+    }
+
+    public static String getSecuredUiPrefix() {
+        return SECURED_UI_PREFIX;
+    }
+
+    public static String getSecuredUiSuffix() {
+        return SECURED_UI_SUFFIX;
+    }
+}
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
@ -58,7 +58,6 @@ import org.springframework.web.context.support.WebApplicationContextUtils;
				@@ -58,7 +58,6 @@ import org.springframework.web.context.support.WebApplicationContextUtils;
 * @since 3.1.0
 */
 public abstract class AbstractAuthorizeTag {
-
    private String access;
    private String url;
    private String method;
@ -98,7 +97,7 @@ public abstract class AbstractAuthorizeTag {
				@@ -98,7 +97,7 @@ public abstract class AbstractAuthorizeTag {
     * @throws IOException
     */
    public boolean authorize() throws IOException {
-        boolean isAuthorized = false;
+        boolean isAuthorized;

        if (StringUtils.hasText(getAccess())) {
            isAuthorized = authorizeUsingAccessExpression();
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
@ -43,6 +43,7 @@ import org.springframework.security.acls.model.Permission;
				@@ -43,6 +43,7 @@ import org.springframework.security.acls.model.Permission;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.acls.model.SidRetrievalStrategy;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 import org.springframework.web.util.ExpressionEvaluationUtils;

@ -146,14 +147,14 @@ public class AccessControlListTag extends TagSupport {
				@@ -146,14 +147,14 @@ public class AccessControlListTag extends TagSupport {
        if (var != null) {
            pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);
        }
-        return SKIP_BODY;
+        return TagLibConfig.evalOrSkip(false);
    }

    private int evalBody() {
        if (var != null) {
            pageContext.setAttribute(var, Boolean.TRUE, PageContext.PAGE_SCOPE);
        }
-        return EVAL_BODY_INCLUDE;
+        return TagLibConfig.evalOrSkip(true);
    }


--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java
@ -9,6 +9,7 @@ import javax.servlet.jsp.JspException;
				@@ -9,6 +9,7 @@ import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.PageContext;
 import javax.servlet.jsp.tagext.Tag;

+import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.web.util.ExpressionEvaluationUtils;

 /**
@ -28,6 +29,8 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
				@@ -28,6 +29,8 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {

    private String var;

+    private boolean authorized;
+
    /**
     * Invokes the base class {@link AbstractAuthorizeTag#authorize()} method to
     * decide if the body of the tag should be skipped or not.
@ -40,13 +43,17 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
				@@ -40,13 +43,17 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
            setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
            setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));

-            int result = super.authorize() ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
+            authorized = super.authorize();
+
+            if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
+                pageContext.getOut().write(TagLibConfig.getSecuredUiPrefix());
+            }

            if (var != null) {
-                pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE);
+                pageContext.setAttribute(var, authorized, PageContext.PAGE_SCOPE);
            }

-            return result;
+            return TagLibConfig.evalOrSkip(authorized);

        } catch (IOException e) {
            throw new JspException(e);
@ -59,7 +66,15 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
				@@ -59,7 +66,15 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
     * @return EVAL_PAGE
     * @see Tag#doEndTag()
     */
-    public int doEndTag() {
+    public int doEndTag() throws JspException {
+        try {
+            if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
+                pageContext.getOut().write(TagLibConfig.getSecuredUiSuffix());
+            }
+        } catch (IOException e) {
+            throw new JspException(e);
+        }
+
        return EVAL_PAGE;
    }