From 347a2a91a95dc0246c1156f78e87db3636ec4f70 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sun, 30 Jan 2011 14:04:19 +0000 Subject: [PATCH] SEC-1494: Document the use of system properties for disabling authorize tag functionality. --- docs/manual/src/docbook/taglibs.xml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/manual/src/docbook/taglibs.xml b/docs/manual/src/docbook/taglibs.xml index d629b96c87..3009467eb6 100644 --- a/docs/manual/src/docbook/taglibs.xml +++ b/docs/manual/src/docbook/taglibs.xml @@ -54,6 +54,24 @@ This content will only be visible to users who are authorized to send requests t stored in a page context scope variable by setting the var attribute to the variable name, avoiding the need for duplicating and re-evaluating the condition at other points in the page. +
+ Disabling Tag Authorization for Testing + Hiding a link in a page for unauthorized users doesn't prevent them from accessing + the URL. They could just type it into their browser directly, for example. As part + of your testing process, you may want to reveal the hidden areas in order to check + that links really are secured at the back end. If you set the system property + spring.security.disableUISecurity to true, + the authorize tag will still run but will not hide its contents. + By default it will also surround the content with <span + class="securityHiddenUI">...</span> tags. This allows you to + display hidden content with a particular CSS style such as a + different background colour. Try running the tutorial sample + application with this property enabled, for example. + You can also set the properties spring.security.securedUIPrefix + and spring.security.securedUISuffix if you want to change + surrounding text from the default span tags (or use empty strings + to remove it completely). +
The <literal>authentication</literal>Tag
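Review bot: The first paragraph of the new section presents spring.security.disableUISecurity only as a testing aid and never says it must stay unset in production. It is a JVM system property, so once set it affects every authorize tag in that JVM, and content meant to be hidden is rendered to all users. Suggest adding a sentence saying so directly after "will not hide its contents". It would also help to show how the property is passed for a single test run (for example -Dspring.security.disableUISecurity=true on the JVM command line), so readers scope it to that run and do not put it in a shared startup configuration. In the second paragraph, please state whether the values of spring.security.securedUIPrefix and spring.security.securedUISuffix are written into the page as-is, so readers know the values are markup they are responsible for.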