SEC-1494: Document the use of system properties for disabling authorize tag functionality.
This commit is contained in:
parent
66e2a5246d
commit
347a2a91a9
|
@ -54,6 +54,24 @@ This content will only be visible to users who are authorized to send requests t
|
|||
stored in a page context scope variable by setting the <literal>var</literal> attribute
|
||||
to the variable name, avoiding the need for duplicating and re-evaluating the condition
|
||||
at other points in the page.</para>
|
||||
<section>
|
||||
<title>Disabling Tag Authorization for Testing</title>
|
||||
<para>Hiding a link in a page for unauthorized users doesn't prevent them from accessing
|
||||
the URL. They could just type it into their browser directly, for example. As part
|
||||
of your testing process, you may want to reveal the hidden areas in order to check
|
||||
that links really are secured at the back end. If you set the system property
|
||||
<literal>spring.security.disableUISecurity</literal> to <literal>true</literal>,
|
||||
the <literal>authorize</literal> tag will still run but will not hide its contents.
|
||||
By default it will also surround the content with <literal><span
|
||||
class="securityHiddenUI">...</span></literal> tags. This allows you to
|
||||
display <quote>hidden</quote> content with a particular CSS style such as a
|
||||
different background colour. Try running the <quote>tutorial</quote> sample
|
||||
application with this property enabled, for example.</para>
|
||||
<para>You can also set the properties <literal>spring.security.securedUIPrefix</literal>
|
||||
and <literal>spring.security.securedUISuffix</literal> if you want to change
|
||||
surrounding text from the default <literal>span</literal> tags (or use empty strings
|
||||
to remove it completely).</para>
|
||||
</section>
|
||||
</section>
|
||||
<section>
|
||||
<title>The <literal>authentication</literal>Tag</title>
|
||||
|
|
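Review bot: the new "Disabling Tag Authorization for Testing" section never states that spring.security.disableUISecurity must stay unset outside test environments; the first paragraph only frames it as part of "your testing process". Because it is a system property, it affects every authorize tag evaluated in that JVM, and with it set to true all users are shown the content the tag was meant to hide. Suggest adding a sentence after "will not hide its contents" saying the property is for test runs only and should not be set in a production deployment, and making explicit that the tag controls display, not access, which is the point the opening sentence is already making. Smaller points in the second paragraph: "change surrounding text from the default" should read "change the surrounding text from the default", and it would help to say whether securedUIPrefix and securedUISuffix have any effect when disableUISecurity is not set.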