1 package org.apache.turbine.modules.screens;
2
3 /*
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
19 * under the License.
20 */
21
22 import java.lang.reflect.Method;
23
24 import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList;
25 import org.apache.turbine.annotation.AnnotationProcessor;
26 import org.apache.turbine.annotation.AnnotationProcessor.ConditionType;
27 import org.apache.turbine.annotation.TurbineRequiredRole;
28 import org.apache.turbine.pipeline.PipelineData;
29 import org.apache.turbine.util.RunData;
30
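/**
 * JSON screen that runs an annotation-driven authorization check before any
 * output is produced.
 *
 * <p>The check is delegated to {@link AnnotationProcessor}, which evaluates the
 * security annotations (such as {@link TurbineRequiredRole}) found on the
 * {@code doOutput(PipelineData)} method of the concrete screen class.
 */
public class PlainJSONSecureAnnotatedScreen extends PlainJSONScreen
{

    /**
     * Overrides the inherited {@code doOutput} to perform a security check
     * prior to producing the output.
     *
     * <p>When {@link #isAuthorized(PipelineData)} returns {@code false} this
     * method returns without calling the superclass. Nothing in this class
     * sets an error status or records the denial, so a subclass that needs
     * an explicit error response or an audit trail has to add it.
     *
     * @param pipelineData Turbine information.
     * @throws Exception a generic exception.
     */
    @Override
    public void doOutput(PipelineData pipelineData) throws Exception
    {
        if (isAuthorized(pipelineData))
        {
            super.doOutput(pipelineData);
        }
    }

    /**
     * Performs the security check driven by Turbine annotations such as
     * {@link TurbineRequiredRole} placed on {@link #doOutput(PipelineData)}.
     *
     * <p>Access is denied when the request carries no ACL. Otherwise the
     * decision is delegated to {@link AnnotationProcessor} with
     * {@link ConditionType#ANY}. If {@link TurbineRequiredRole} is not set on
     * the method, access is allowed by default, so every screen that must be
     * protected needs the annotation on its {@code doOutput(PipelineData)}.
     *
     * @param pipelineData Turbine information.
     * @return <code>true</code> if the user is authorized to access the screen;
     *         <code>false</code> if no ACL is populated or the method cannot be
     *         resolved.
     * @throws Exception A generic exception.
     */
    protected boolean isAuthorized(PipelineData pipelineData) throws Exception
    {
        RunData data = pipelineData.getRunData();

        // Fail closed: without an ACL there is nothing to evaluate roles against.
        TurbineAccessControlList<?> acl = (TurbineAccessControlList<?>) data.getACL();
        if (acl == null)
        {
            return false;
        }

        // Resolve the exact signature instead of taking the first method named
        // "doOutput" from getMethods(): that array has no defined order, so an
        // overload without annotations could be picked and, because a missing
        // annotation means "allowed", the check would pass unintentionally.
        final Method outputMethod;
        try
        {
            outputMethod = getClass().getMethod("doOutput", PipelineData.class);
        }
        catch (NoSuchMethodException ignored)
        {
            // Not expected, since this class declares the method; deny rather than guess.
            return false;
        }

        return AnnotationProcessor.isAuthorized(outputMethod, acl, ConditionType.ANY);
    }
}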