
SEC-1494: Added system property "spring.security.disableUISecurity" which will prevent authorize tags from hiding content. By default, the property will also cause the area that would normally be hidden to be decorated with a <span class="securityHiddenUI"> tag, thus allowing the area to be rendered with some distinguishing css (e.g. a different background colour).

Luke Taylor 14 年之前
父節點
當前提交
00200cecbc

+ 62 - 0
taglibs/src/main/java/org/springframework/security/taglibs/TagLibConfig.java

@@ -0,0 +1,62 @@
+package org.springframework.security.taglibs;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.servlet.jsp.tagext.Tag;
+
+/**
+ * internal cconfiguration class for taglibs.
+ *
+ * Not for public use.
+ *
+ * @author Luke Taylor
+ */
+public final class TagLibConfig {
+    static Log logger = LogFactory.getLog("spring-security-taglibs");
+
+    static final boolean DISABLE_UI_SECURITY;
+    static final String SECURED_UI_PREFIX;
+    static final String SECURED_UI_SUFFIX;
+
+    static {
+        String db = System.getProperty("spring.security.disableUISecurity");
+        String prefix = System.getProperty("spring.security.securedUIPrefix");
+        String suffix = System.getProperty("spring.security.securedUISuffix");
+
+        SECURED_UI_PREFIX = prefix == null ? "<span class=\"securityHiddenUI\">" : prefix;
+        SECURED_UI_SUFFIX = suffix == null ? "</span>" : suffix;
+
+        DISABLE_UI_SECURITY = "true".equals(db);
+
+        if (DISABLE_UI_SECURITY) {
+            logger.warn("***** UI security is disabled. All unauthorized content will be displayed *****");
+        }
+    }
+
+    /**
+     * Returns EVAL_BODY_INCLUDE if the authorized flag is true or UI security has been disabled.
+     * Otherwise returns SKIP_BODY.
+     *
+     * @param authorized whether the user is authorized to see the content or not
+     */
+    public static int evalOrSkip(boolean authorized) {
+        if (authorized || DISABLE_UI_SECURITY) {
+            return Tag.EVAL_BODY_INCLUDE;
+        }
+
+        return Tag.SKIP_BODY;
+    }
+
+    public static boolean isUiSecurityDisabled() {
+        return DISABLE_UI_SECURITY;
+    }
+
+    public static String getSecuredUiPrefix() {
+        return SECURED_UI_PREFIX;
+    }
+
+    public static String getSecuredUiSuffix() {
+        return SECURED_UI_SUFFIX;
+    }
+}
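Review bot: `static Log logger` on the first field line is mutable and package-visible; make it `private static final Log logger = LogFactory.getLog("spring-security-taglibs");`. The class Javadoc has a typo ("cconfiguration") and does not name the three system properties the static initializer reads (`spring.security.disableUISecurity`, `spring.security.securedUIPrefix`, `spring.security.securedUISuffix`), nor that they are read once at class load so a later change has no effect; a sentence per property would make this discoverable without reading the initializer. Because the prefix and suffix values are written to the response as-is by JspAuthorizeTag, the Javadoc should also state that they are deployer-controlled configuration that is not escaped, and that disabling UI security only changes which tag bodies are rendered while the `var` page attribute still reports the real authorization decision.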

+ 1 - 2
taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java

@@ -58,7 +58,6 @@ import org.springframework.web.context.support.WebApplicationContextUtils;
  * @since 3.1.0
  */
 public abstract class AbstractAuthorizeTag {
-
     private String access;
     private String url;
     private String method;
@@ -98,7 +97,7 @@ public abstract class AbstractAuthorizeTag {
      * @throws IOException
      */
     public boolean authorize() throws IOException {
-        boolean isAuthorized = false;
+        boolean isAuthorized;
 
         if (StringUtils.hasText(getAccess())) {
             isAuthorized = authorizeUsingAccessExpression();

+ 3 - 2
taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java

@@ -43,6 +43,7 @@ import org.springframework.security.acls.model.Permission;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.acls.model.SidRetrievalStrategy;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 import org.springframework.web.util.ExpressionEvaluationUtils;
 
@@ -146,14 +147,14 @@ public class AccessControlListTag extends TagSupport {
         if (var != null) {
             pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);
         }
-        return SKIP_BODY;
+        return TagLibConfig.evalOrSkip(false);
     }
 
     private int evalBody() {
         if (var != null) {
             pageContext.setAttribute(var, Boolean.TRUE, PageContext.PAGE_SCOPE);
         }
-        return EVAL_BODY_INCLUDE;
+        return TagLibConfig.evalOrSkip(true);
     }
 
 
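Review bot: The skip path now returns `TagLibConfig.evalOrSkip(false)`, so with `spring.security.disableUISecurity` set the body of an unauthorized AccessControlListTag is rendered, but unlike JspAuthorizeTag in this same commit it writes neither `TagLibConfig.getSecuredUiPrefix()` nor the suffix, so that content appears without the `securityHiddenUI` marker the commit message promises. Either add the prefix/suffix writes here as well (the suffix would need a `doEndTag` override that remembers the decision from the start tag) or document on the method that this tag does not decorate disabled-security output. The page-scope `var` is still set to `Boolean.FALSE` on this path, which is right: it should keep reporting the real decision regardless of the property. The method containing the first change starts outside the hunk.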

+ 19 - 4
taglibs/src/main/java/org/springframework/security/taglibs/authz/JspAuthorizeTag.java

@@ -9,6 +9,7 @@ import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.PageContext;
 import javax.servlet.jsp.tagext.Tag;
 
+import org.springframework.security.taglibs.TagLibConfig;
 import org.springframework.web.util.ExpressionEvaluationUtils;
 
 /**
@@ -28,6 +29,8 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
 
     private String var;
 
+    private boolean authorized;
+
     /**
      * Invokes the base class {@link AbstractAuthorizeTag#authorize()} method to
      * decide if the body of the tag should be skipped or not.
@@ -40,13 +43,17 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
             setIfAllGranted(ExpressionEvaluationUtils.evaluateString("ifAllGranted", getIfAllGranted(), pageContext));
             setIfAnyGranted(ExpressionEvaluationUtils.evaluateString("ifAnyGranted", getIfAnyGranted(), pageContext));
 
-            int result = super.authorize() ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
+            authorized = super.authorize();
+
+            if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
+                pageContext.getOut().write(TagLibConfig.getSecuredUiPrefix());
+            }
 
             if (var != null) {
-                pageContext.setAttribute(var, Boolean.valueOf(result == EVAL_BODY_INCLUDE), PageContext.PAGE_SCOPE);
+                pageContext.setAttribute(var, authorized, PageContext.PAGE_SCOPE);
             }
 
-            return result;
+            return TagLibConfig.evalOrSkip(authorized);
 
         } catch (IOException e) {
             throw new JspException(e);
@@ -59,7 +66,15 @@ public class JspAuthorizeTag extends AbstractAuthorizeTag implements Tag {
      * @return EVAL_PAGE
      * @see Tag#doEndTag()
      */
-    public int doEndTag() {
+    public int doEndTag() throws JspException {
+        try {
+            if (!authorized && TagLibConfig.isUiSecurityDisabled()) {
+                pageContext.getOut().write(TagLibConfig.getSecuredUiSuffix());
+            }
+        } catch (IOException e) {
+            throw new JspException(e);
+        }
+
         return EVAL_PAGE;
     }