001package org.apache.turbine.modules.actions; 002 003import org.apache.fulcrum.security.acl.AccessControlList; 004import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList; 005import org.apache.fulcrum.security.util.FulcrumSecurityException; 006import org.apache.logging.log4j.LogManager; 007 008/* 009 * Licensed to the Apache Software Foundation (ASF) under one 010 * or more contributor license agreements. See the NOTICE file 011 * distributed with this work for additional information 012 * regarding copyright ownership. The ASF licenses this file 013 * to you under the Apache License, Version 2.0 (the 014 * "License"); you may not use this file except in compliance 015 * with the License. You may obtain a copy of the License at 016 * 017 * http://www.apache.org/licenses/LICENSE-2.0 018 * 019 * Unless required by applicable law or agreed to in writing, 020 * software distributed under the License is distributed on an 021 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 022 * KIND, either express or implied. See the License for the 023 * specific language governing permissions and limitations 024 * under the License. 025 */ 026 027import org.apache.logging.log4j.Logger; 028import org.apache.turbine.Turbine; 029import org.apache.turbine.TurbineConstants; 030import org.apache.turbine.annotation.TurbineService; 031import org.apache.turbine.modules.Action; 032import org.apache.turbine.om.security.User; 033import org.apache.turbine.pipeline.PipelineData; 034import org.apache.turbine.services.security.SecurityService; 035import org.apache.turbine.util.RunData; 036 037/** 038 * This action doPerforms an Access Control List and places it into 039 * the RunData object, so it is easily available to modules. The ACL 040 * is also placed into the session. Modules can null out the ACL to 041 * force it to be rebuilt based on more information. 042 * 043 * <p> 044 * 045 * Turbine uses a User-Role-Permission arrangement for access control. 046 * Users are assigned Roles. Roles are assigned Permissions. Turbine 047 * modules then check the Permission required for an action or 048 * information with the set of Permissions currently associated with 049 * the session (which are dependent on the user associated with the 050 * session.) 051 * 052 * <p> 053 * 054 * The criteria for assigning Roles/Permissions is application 055 * dependent, in some cases an application may change a User's Roles 056 * during the session. To achieve flexibility, the ACL takes an 057 * Object parameter, which the application can use to doPerform the 058 * ACL. 059 * 060 * <p> 061 * 062 * This action is special in that it should only be executed by the 063 * Turbine servlet. 064 * 065 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a> 066 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a> 067 * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a> 068 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 069 * @version $Id$ 070 */ 071public class AccessController implements Action 072{ 073 /** Logging */ 074 private static final Logger log = LogManager.getLogger(AccessController.class); 075 076 /** Injected service instance */ 077 @TurbineService 078 private SecurityService security; 079 080 /** 081 * If there is a user and the user is logged in, doPerform will 082 * set the RunData ACL. The list is first sought from the current 083 * session, otherwise it is loaded through 084 * <code>link {@link SecurityService#getACL(User)}</code> and added to the current 085 * session. 086 * 087 * @param pipelineData Turbine information. 088 * @throws FulcrumSecurityException problem with the security service. 089 */ 090 @Override 091 public void doPerform(PipelineData pipelineData) 092 throws FulcrumSecurityException 093 { 094 RunData data = pipelineData.getRunData(); 095 User user = data.getUser(); 096 097 if (!security.isAnonymousUser(user) 098 && user.hasLoggedIn()) 099 { 100 log.debug("Fetching ACL for {}", user::getName); 101 AccessControlList acl = (AccessControlList) 102 data.getSession().getAttribute( 103 TurbineConstants.ACL_SESSION_KEY); 104 if (acl == null) 105 { 106 log.debug("No ACL found in Session, building fresh ACL"); 107 acl = security.getACL(user); 108 data.getSession().setAttribute( 109 TurbineConstants.ACL_SESSION_KEY, acl); 110 111 log.debug("ACL is {}", acl); 112 } 113 data.setACL(acl); 114 } 115 116 // Comply with Turbine 4.0 standards 117 pipelineData.get(Turbine.class).put(TurbineAccessControlList.class, data.getACL()); 118 } 119}