1   package org.apache.turbine.modules.actions.sessionvalidator;
2   
3   import org.apache.turbine.TurbineConstants;
4   import org.apache.turbine.annotation.TurbineConfiguration;
5   import org.apache.turbine.annotation.TurbineService;
6   
7   /*
8    * Licensed to the Apache Software Foundation (ASF) under one
9    * or more contributor license agreements.  See the NOTICE file
10   * distributed with this work for additional information
11   * regarding copyright ownership.  The ASF licenses this file
12   * to you under the Apache License, Version 2.0 (the
13   * "License"); you may not use this file except in compliance
14   * with the License.  You may obtain a copy of the License at
15   *
16   *   http://www.apache.org/licenses/LICENSE-2.0
17   *
18   * Unless required by applicable law or agreed to in writing,
19   * software distributed under the License is distributed on an
20   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
21   * KIND, either express or implied.  See the License for the
22   * specific language governing permissions and limitations
23   * under the License.
24   */
25  
26  import org.apache.turbine.modules.Action;
27  import org.apache.turbine.services.security.SecurityService;
28  import org.apache.turbine.util.RunData;
29  
30  /**
31   * The SessionValidator attempts to retrieve the User object from the
32   * Servlet API session that is associated with the request.  If the
33   * data cannot be retrieved, it is handled here.  If the user has not
34   * been marked as being logged into the system, the user is rejected
35   * and the screen is set to the screen.homepage value in
36   * TurbineResources.properties.
37   *
38   * <p>
39   * Other systems generally have a database table which stores this
40   * information, but we take advantage of the Servlet API here to save
41   * a hit to the database for each and every connection that a user
42   * makes.
43   * </p>
44   *
45   * <p>
46   * This action is special in that it should only be executed by the
47   * Turbine servlet.
48   * </p>
49   *
50   * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
51   * @version $Id: SessionValidator.java 1854786 2019-03-04 18:29:18Z tv $
52   */
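public abstract class SessionValidator implements Action
{

    /**
     * Name of the hidden form field and of the per-user temporary attribute
     * that carry the session access counter.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /** Security service; used here to tell anonymous users from logged-in ones. */
    @TurbineService
    protected SecurityService security;

    /** Configured home page template, available to subclasses. */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
    protected String templateHomepage;

    /** Configured home page screen, available to subclasses. */
    @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
    protected String screenHomepage;

    /** Template a stale (template-based) request is redirected to. */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
    protected String templateInvalidState;

    /** Screen a stale (screen-based) request is redirected to. */
    @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
    protected String screenInvalidState;

    /**
     * Checks the form counter token submitted with the request against the
     * session access counter kept in the user's temporary storage.
     *
     * <p>
     * The counter can be placed as a hidden field named
     * {@code _session_access_counter} in forms.  This can be used to prevent
     * a user from using the browser's back button and submitting stale data:
     * when the submitted value lags the session counter by more than one, the
     * current screen (or template) and the request parameters are saved in
     * the user's temporary storage as {@code prev_screen} /
     * {@code prev_template} and {@code prev_parameters}, the request is
     * redirected to the invalid-state screen (or template), and the action
     * is cleared.  Requests that do not carry the hidden field are left
     * untouched.
     * </p>
     *
     * <p>
     * Note that this is a plain comparison of a predictable, client-supplied
     * integer against a per-user sequence number: it catches accidental
     * resubmission of stale forms, it is not a defence against forged
     * requests.
     * </p>
     *
     * @param data RunData object
     * @param screenOnly when {@code true}, a stale submission is redirected to
     *        {@code screenInvalidState} whoever the user is; when
     *        {@code false}, anonymous users are not checked and the redirect
     *        goes to {@code templateInvalidState} if a screen template is set,
     *        otherwise to {@code screenInvalidState}
     *        (see {@link DefaultSessionValidator})
     */
    protected void handleFormCounterToken( RunData data, boolean screenOnly )
    {
        if (!data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            return;
        }

        if (screenOnly)
        {
            // See comments in screens.error.InvalidState.
            if (isStaleSubmission(data))
            {
                data.getUser().setTemp("prev_screen", data.getScreen());
                data.getUser().setTemp("prev_parameters", data.getParameters());
                data.setScreen(screenInvalidState);
                data.setAction("");
            }
        }
        else if (!security.isAnonymousUser(data.getUser()))
        {
            // See comments in screens.error.InvalidState.
            if (isStaleSubmission(data))
            {
                String screenTemplate = data.getTemplateInfo().getScreenTemplate();
                if (screenTemplate != null)
                {
                    // '/' is swapped for ',' so the value survives as a single
                    // path segment when it is echoed back in a link
                    data.getUser().setTemp("prev_template", screenTemplate.replace('/', ','));
                    data.getTemplateInfo().setScreenTemplate(templateInvalidState);
                }
                else
                {
                    data.getUser().setTemp("prev_screen", data.getScreen().replace('/', ','));
                    data.setScreen(screenInvalidState);
                }
                data.getUser().setTemp("prev_parameters", data.getParameters());
                data.setAction("");
            }
        }
    }

    /**
     * Tells whether the counter submitted with the request lags the counter
     * stored for the user by more than one, i.e. whether the form comes from
     * a stale page.
     *
     * @param data RunData object whose parameters contain
     *        {@code _session_access_counter}
     * @return {@code true} if the submitted counter is smaller than
     *         {@code sessionCounter - 1}; {@code false} otherwise, including
     *         when the user has no integer session counter yet
     */
    private static boolean isStaleSubmission(RunData data)
    {
        Object sessionCounter = data.getUser().getTemp(SESSION_ACCESS_COUNTER);
        if (!(sessionCounter instanceof Integer))
        {
            // No baseline to compare against, so the request cannot be
            // classified as stale; treated as not stale rather than failing
            // the request.  The counter is presumably initialised by the
            // subclass before this is called — confirm in DefaultSessionValidator.
            return false;
        }
        int submitted = data.getParameters().getInt(SESSION_ACCESS_COUNTER);
        return submitted < ((Integer) sessionCounter).intValue() - 1;
    }
}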