SEC-1494: Added system property "spring.security.disableUISecurity" which will prevent authorize tags from hiding content. By default, the property will also cause the area that would normally be hidden to be decorated with a <span class="securityHiddenUI"> tag, thus allowing the area to be rendered with some distinguishing css (e.g. a different background colour).

Luke Taylor 2011-01-25 13:13:38 +00:00
parent 1b32babbf9
commit 00200cecbc
4 changed files with 86 additions and 9 deletions


@ -0,0 +1,62 @@
package org.springframework.security.taglibs;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.servlet.jsp.tagext.Tag;
/**
* internal cconfiguration class for taglibs.
*
* Not for public use.
*
* @author Luke Taylor
*/
public final class TagLibConfig {
static Log logger = LogFactory.getLog("spring-security-taglibs");
static final boolean DISABLE_UI_SECURITY;
static final String SECURED_UI_PREFIX;
static final String SECURED_UI_SUFFIX;
static {
String db = System.getProperty("spring.security.disableUISecurity");
String prefix = System.getProperty("spring.security.securedUIPrefix");
String suffix = System.getProperty("spring.security.securedUISuffix");
SECURED_UI_PREFIX = prefix == null ? "<span class=\"securityHiddenUI\">" : prefix;
SECURED_UI_SUFFIX = suffix == null ? "</span>" : suffix;
DISABLE_UI_SECURITY = "true".equals(db);
if (DISABLE_UI_SECURITY) {
logger.warn("***** UI security is disabled. All unauthorized content will be displayed *****");
}
}
/**
* Returns EVAL_BODY_INCLUDE if the authorized flag is true or UI security has been disabled.
* Otherwise returns SKIP_BODY.
*
* @param authorized whether the user is authorized to see the content or not
*/
public static int evalOrSkip(boolean authorized) {
if (authorized || DISABLE_UI_SECURITY) {
return Tag.EVAL_BODY_INCLUDE;
}
return Tag.SKIP_BODY;
}
public static boolean isUiSecurityDisabled() {
return DISABLE_UI_SECURITY;
}
public static String getSecuredUiPrefix() {
return SECURED_UI_PREFIX;
}
public static String getSecuredUiSuffix() {
return SECURED_UI_SUFFIX;
}
}
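Review bot: The class Javadoc on `TagLibConfig` does not mention that `spring.security.disableUISecurity` is a JVM-wide system property read once in the static initializer, so it applies to every web application in the JVM that loads this taglib, and the warning is logged only at class initialization. I would extend the Javadoc to name the three properties, to state that with the switch set `evalOrSkip` returns `EVAL_BODY_INCLUDE` for unauthorized users (presumably a development and testing aid, which should be said explicitly), and to fix the "cconfiguration" typo. The `logger` field is package-visible and reassignable; `private static final Log logger = LogFactory.getLog("spring-security-taglibs");` is the safer declaration. The `evalOrSkip` Javadoc also lacks an `@return` line.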


@ -58,7 +58,6 @@ import org.springframework.web.context.support.WebApplicationContextUtils;
* @since 3.1.0
*/
public abstract class AbstractAuthorizeTag {
private String access;
private String url;
private String method;
@ -98,7 +97,7 @@ public abstract class AbstractAuthorizeTag {
* @throws IOException
*/
public boolean authorize() throws IOException {
boolean isAuthorized = false;
boolean isAuthorized;
if (StringUtils.hasText(getAccess())) {
isAuthorized = authorizeUsingAccessExpression();


@ -43,6 +43,7 @@ import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.taglibs.TagLibConfig;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.util.ExpressionEvaluationUtils;
@ -146,14 +147,14 @@ public class AccessControlListTag extends TagSupport {
if (var != null) {
pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);
}
return SKIP_BODY;
return TagLibConfig.evalOrSkip(false);
}
private int evalBody() {
if (var != null) {
pageContext.setAttribute(var, Boolean.TRUE, PageContext.PAGE_SCOPE);
}
return EVAL_BODY_INCLUDE;
return TagLibConfig.evalOrSkip(true);
}
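Review bot: The new `return TagLibConfig.evalOrSkip(false);` in the method that ends just before `evalBody()` renders the ACL-protected body when UI security is disabled, but nothing writes `getSecuredUiPrefix()` / `getSecuredUiSuffix()` around it as the authorize tag does in this commit, so content revealed by this tag is not marked as normally hidden. In the same case `var` is still set to `Boolean.FALSE` while the body is shown, which deserves a comment such as `// var reflects the real ACL decision even when UI security is disabled`. If the decoration is intentionally limited to the authorize tag, say so in the method comment; otherwise this tag needs the same `TagLibConfig.isUiSecurityDisabled()` wrapper. The start of that method lies outside the hunk.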


@ -9,6 +9,7 @@ import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.Tag;
import org.springframework.security.taglibs.TagLibConfig;
import org.springframework.web.util.ExpressionEvaluationUtils;
/**
@ -28,6 +29,8 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
private String var;
private boolean authorized;
/**
* Invokes the base class {@link AbstractAuthorizeTag#authorize()} method to
* decide if the body of the tag should be skipped or not.
@ -40,13 +43,17 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));
int result = super.authorize() ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
authorized = super.authorize();
if (var != null) {
pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE);
if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
pageContext.getOut().write(TagLibConfig.getSecuredUiPrefix());
}
return result;
if (var != null) {
pageContext.setAttribute(var, authorized, PageContext.PAGE_SCOPE);
}
return TagLibConfig.evalOrSkip(authorized);
} catch (IOException e) {
throw new JspException(e);
@ -59,7 +66,15 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
* @return EVAL_PAGE
* @see Tag#doEndTag()
*/
public int doEndTag() {
public int doEndTag() throws JspException {
try {
if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
pageContext.getOut().write(TagLibConfig.getSecuredUiSuffix());
}
} catch (IOException e) {
throw new JspException(e);
}
return EVAL_PAGE;
}
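Review bot: The prefix and suffix are written with `pageContext.getOut().write(...)` exactly as read from the system properties, with no escaping, both in the start-tag method (whose signature is outside the hunk) and in `doEndTag`. That is required for the default `<span class="securityHiddenUI">` markup, but it should be stated in a comment, e.g. `// prefix/suffix are emitted verbatim; they are trusted markup taken from JVM system properties`. The new `authorized` field carries the decision from the start tag to `doEndTag` and should get a one-line comment saying so. The `doEndTag` Javadoc should also gain `@throws JspException if the suffix cannot be written`.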