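/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.turbine.modules.actions.sessionvalidator;

import org.apache.turbine.TurbineConstants;
import org.apache.turbine.annotation.TurbineConfiguration;
import org.apache.turbine.annotation.TurbineService;
import org.apache.turbine.modules.Action;
import org.apache.turbine.services.security.SecurityService;
import org.apache.turbine.util.RunData;

/**
 * The SessionValidator attempts to retrieve the User object from the
 * Servlet API session that is associated with the request.  If the
 * data cannot be retrieved, it is handled here.  If the user has not
 * been marked as being logged into the system, the user is rejected
 * and the screen is set to the screen.homepage value in
 * TurbineResources.properties.
 *
 * <p>
 * Other systems generally have a database table which stores this
 * information, but we take advantage of the Servlet API here to save
 * a hit to the database for each and every connection that a user
 * makes.
 * </p>
 *
 * <p>
 * This action is special in that it should only be executed by the
 * Turbine servlet.
 * </p>
 *
 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
 * @version $Id: SessionValidator.java 1854786 2019-03-04 18:29:18Z tv $
 */
public abstract class SessionValidator implements Action
{
    /**
     * Name of both the request parameter and the user "temp" attribute that
     * carry the form counter token.  The same key is used on both sides so the
     * two values can be compared in {@link #isStaleRequest(RunData)}.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /** Security service used to tell anonymous from logged-in users. */
    @TurbineService
    protected SecurityService security;

    /** Configured template to show when a user must be sent home. */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
    protected String templateHomepage;

    /** Configured screen to show when a user must be sent home. */
    @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
    protected String screenHomepage;

    /** Configured template to show when a stale form submission is detected. */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
    protected String templateInvalidState;

    /** Configured screen to show when a stale form submission is detected. */
    @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
    protected String screenInvalidState;

    /**
     * Detects a stale form submission via the {@code _session_access_counter}
     * token and, if one is found, redirects the request to the configured
     * "invalid state" screen or template while remembering where the user was.
     *
     * <p>
     * The {@code _session_access_counter} can be placed as a hidden field in
     * forms.  This can be used to prevent a user from using the browser's
     * back button and submitting stale data.  Note that the request-side
     * value is client-supplied, so this is a usability guard against
     * accidental resubmission and must not be relied on as a CSRF or replay
     * control.
     * </p>
     *
     * <p>
     * Nothing happens when the request carries no counter parameter.  In
     * screen-only mode the check is applied to every user and only the
     * screen is redirected; otherwise the check is applied to logged-in
     * users only and the screen template is preferred when one is set.
     * </p>
     *
     * @param data RunData object for the current request
     * @param screenOnly {@code true} when the validator runs in screen-only
     *        mode (see {@link DefaultSessionValidator})
     */
    protected void handleFormCounterToken( RunData data, boolean screenOnly )
    {
        if (!data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            return;
        }

        if (screenOnly)
        {
            // See comments in screens.error.InvalidState.
            if (isStaleRequest(data))
            {
                // NOTE(review): unlike the template branch below, the screen
                // name is stored without the '/' -> ',' replacement — confirm
                // whether that is intentional for screen-only mode.
                data.getUser().setTemp("prev_screen", data.getScreen());
                data.getUser().setTemp("prev_parameters", data.getParameters());
                data.setScreen(screenInvalidState);
                data.setAction("");
            }
            return;
        }

        // Anonymous users are not subject to the stale-form check in this mode;
        // the anonymity test runs first, exactly as before, so the counter is
        // only inspected for logged-in users.
        if (security.isAnonymousUser(data.getUser()) || !isStaleRequest(data))
        {
            return;
        }

        // See comments in screens.error.InvalidState.
        if (data.getTemplateInfo().getScreenTemplate() != null)
        {
            // '/' is replaced so the previous location survives as a single
            // parameter-safe token.
            data.getUser().setTemp("prev_template",
                    data.getTemplateInfo().getScreenTemplate().replace('/', ','));
            data.getTemplateInfo().setScreenTemplate(templateInvalidState);
        }
        else
        {
            data.getUser().setTemp("prev_screen",
                    data.getScreen().replace('/', ','));
            data.setScreen(screenInvalidState);
        }
        data.getUser().setTemp("prev_parameters", data.getParameters());
        data.setAction("");
    }

    /**
     * Compares the counter submitted with the request against the counter
     * held in the user's temporary storage.  A request is considered stale
     * when its counter is more than one step behind the session's counter.
     *
     * <p>
     * When the session holds no counter (or a value that is not an
     * {@link Integer}) there is no baseline to compare against and the
     * request is treated as not stale; the previous implementation threw a
     * {@link NullPointerException} in that situation.
     * </p>
     *
     * @param data RunData object for the current request; the request must
     *        already be known to carry the counter parameter
     * @return {@code true} if the submitted counter lags the session counter
     *         by more than one
     */
    private boolean isStaleRequest( RunData data )
    {
        Object sessionCounter = data.getUser().getTemp(SESSION_ACCESS_COUNTER);
        if (!(sessionCounter instanceof Integer))
        {
            // No baseline available: the check cannot be made, so let the
            // request through rather than fail with a NullPointerException.
            return false;
        }
        return data.getParameters().getInt(SESSION_ACCESS_COUNTER)
                < (((Integer) sessionCounter).intValue() - 1);
    }
}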