
1   package org.apache.turbine.modules.actions.sessionvalidator;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   *   http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  import org.apache.commons.configuration.Configuration;
23  import org.apache.commons.lang.StringUtils;
24  import org.apache.commons.logging.Log;
25  import org.apache.commons.logging.LogFactory;
26  import org.apache.turbine.Turbine;
27  import org.apache.turbine.TurbineConstants;
28  import org.apache.turbine.annotation.TurbineConfiguration;
29  import org.apache.turbine.annotation.TurbineService;
30  import org.apache.turbine.om.security.User;
31  import org.apache.turbine.pipeline.PipelineData;
32  import org.apache.turbine.services.security.SecurityService;
33  import org.apache.turbine.util.RunData;
34  
35  /**
36   * The SessionValidator attempts to retrieve the User object from the
37   * Servlet API session that is associated with the request.  If the
38   * data cannot be retrieved, it is handled here.  If the user has not
39   * been marked as being logged into the system, the user is rejected
40   * and the screen is set to the screen.homepage value in
41   * TurbineResources.properties.
42   *
43   * <p>
44   *
45   * Other systems generally have a database table which stores this
46   * information, but we take advantage of the Servlet API here to save
47   * a hit to the database for each and every connection that a user
48   * makes.
49   *
50   * <p>
51   *
52   * This action is special in that it should only be executed by the
53   * Turbine servlet.
54   *
55   * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
56   * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
57   * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
58   * @version $Id: DefaultSessionValidator.java 1695634 2015-08-13 00:35:47Z tv $
59   */
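public class DefaultSessionValidator
    extends SessionValidator
{
    /** Logging */
    private static final Log log = LogFactory.getLog(DefaultSessionValidator.class);

    /**
     * Name shared by the request parameter and the user temp value that
     * carry the session access counter.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /** Injected security service; used here to obtain the anonymous user. */
    @TurbineService
    private SecurityService security;

    /** Injected configuration; supplies the screen names and messages used below. */
    @TurbineConfiguration
    private Configuration conf;

    /**
     * Execute the action.  Populates the RunData from the session, installs
     * the anonymous user when the session holds none, and sends a user who
     * has not logged in to the configured login screen with the pending
     * action cleared.  A request without a screen is sent to the configured
     * homepage.  When the request carries a session access counter that is
     * more than one step behind the counter stored on the user, the request
     * is sent to the configured invalid-state screen instead.
     *
     * <p>
     *
     * The counter parameter is supplied by the client, so the stored counter
     * is checked for presence and type before it is compared.  Without that
     * check, a request that names the parameter on a session whose user has
     * no stored counter fails with a NullPointerException.
     *
     * @see org.apache.turbine.modules.screens.error.InvalidState
     * @param pipelineData Turbine PipelineData context information.
     * @throws Exception The anonymous user could not be obtained
     *         from the security service
     */
    @Override
    public void doPerform(PipelineData pipelineData)
            throws Exception
    {
        RunData data = getRunData(pipelineData);
        // Pull user from session.
        data.populate();

        // The user may have not logged in, so create a "guest/anonymous" user.
        if (data.getUser() == null)
        {
            log.debug("Fixing up empty User Object!");
            User anonymousUser = security.getAnonymousUser();
            data.setUser(anonymousUser);
            data.save();
        }

        // Make sure the User has logged into the system.
        if (!data.getUser().hasLoggedIn())
        {
            // only set the message if nothing else has already set it
            // (e.g. the LogoutUser action).
            if (StringUtils.isEmpty(data.getMessage()))
            {
                data.setMessage(conf.getString(TurbineConstants.LOGIN_MESSAGE));
            }

            // set the screen to be the login page
            data.setScreen(conf.getString(TurbineConstants.SCREEN_LOGIN));

            // No action may run for a user who is not logged in (action.login
            // will have been performed already).
            data.setAction(null);
        }

        if (!data.hasScreen())
        {
            data.setMessage(conf.getString(
                    TurbineConstants.LOGIN_MESSAGE_NOSCREEN));
            data.setScreen(conf.getString(TurbineConstants.SCREEN_HOMEPAGE));
        }

        if (data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            // See comments in screens.error.InvalidState.
            // The parameter's presence is decided by the client; the stored
            // counter may be absent (for example on a fresh anonymous user),
            // so it is checked before being unboxed.
            Object storedCounter = data.getUser().getTemp(SESSION_ACCESS_COUNTER);
            if (storedCounter instanceof Integer)
            {
                int requestCounter =
                        data.getParameters().getInt(SESSION_ACCESS_COUNTER);
                if (requestCounter < ((Integer) storedCounter).intValue() - 1)
                {
                    data.getUser().setTemp("prev_screen", data.getScreen());
                    // NOTE(review): the complete request parameter set is kept
                    // in the user's temp storage here; confirm that no
                    // sensitive field can be submitted together with the
                    // counter parameter.
                    data.getUser().setTemp("prev_parameters", data.getParameters());
                    data.setScreen(conf.getString(
                            TurbineConstants.SCREEN_INVALID_STATE));
                    data.setAction("");
                }
            }
            else
            {
                log.debug("No usable session access counter stored for the user;"
                        + " skipping the invalid-state check");
            }
        }

        // Comply with Turbine 4.0 standards
        pipelineData.get(Turbine.class).put(User.class, data.getUser());
    }
}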