001package org.apache.turbine.modules.actions.sessionvalidator; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.commons.lang3.StringUtils; 023import org.apache.logging.log4j.LogManager; 024import org.apache.logging.log4j.Logger; 025import org.apache.turbine.Turbine; 026import org.apache.turbine.TurbineConstants; 027import org.apache.turbine.annotation.TurbineConfiguration; 028import org.apache.turbine.om.security.User; 029import org.apache.turbine.pipeline.PipelineData; 030import org.apache.turbine.util.RunData; 031 032/** 033 * SessionValidator that requires login for use with Template Services 034 * like Velocity or WebMacro. 035 * 036 * <br> 037 * 038 * Templating services requires a different Session Validator 039 * because of the way it handles screens. If you use the WebMacro or 040 * Velocity Service with the {@link DefaultSessionValidator}, users will be able to 041 * bypass login by directly addressing the template using 042 * template/index.wm. This is because the Page class looks for the 043 * keyword "template" in the Path information and if it finds it will 044 * reset the screen using it's lookup mechanism and thereby bypass 045 * Login. 046 * 047 * Note that you will need to set the template.login property to the 048 * login template. 049 * 050 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a> 051 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a> 052 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a> 053 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 054 * @version $Id$ 055 */ 056public class TemplateSecureSessionValidator 057 extends SessionValidator 058{ 059 /** Logging */ 060 private static Logger log = LogManager.getLogger( 061 TemplateSecureSessionValidator.class); 062 063 064 @TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE ) 065 private String loginMessage; 066 067 @TurbineConfiguration( TurbineConstants.TEMPLATE_LOGIN ) 068 private String templateLogin; 069 070 071 /** 072 * doPerform is virtually identical to DefaultSessionValidator 073 * except that it calls template methods instead of bare screen 074 * methods. For example, it uses <code>setScreenTemplate</code> to 075 * load the tr.props TEMPLATE_LOGIN instead of the default's 076 * setScreen to TurbineConstants.SCREEN_LOGIN. 077 * 078 * @see DefaultSessionValidator 079 * @param pipelineData Turbine information. 080 * @throws Exception The anonymous user could not be obtained 081 * from the security service 082 */ 083 @Override 084 public void doPerform(PipelineData pipelineData) 085 throws Exception 086 { 087 RunData data = pipelineData.getRunData(); 088 // Pull user from session. 089 data.populate(); 090 091 // The user may have not logged in, so create a "guest/anonymous" user. 092 if (data.getUser() == null) 093 { 094 log.debug("Creating an anonymous user object!"); 095 User anonymousUser = security.getAnonymousUser(); 096 data.setUser(anonymousUser); 097 data.save(); 098 } 099 100 // This is the secure session validator, so user must be logged in. 101 if (!data.getUser().hasLoggedIn()) 102 { 103 log.debug("User is not logged in!"); 104 105 // only set the message if nothing else has already set it 106 // (e.g. the LogoutUser action). 107 if (StringUtils.isEmpty(data.getMessage())) 108 { 109 data.setMessage(loginMessage); 110 } 111 112 // Set the screen template to the login page. 113 log.debug("Sending User to the Login Screen ({})", templateLogin); 114 data.getTemplateInfo().setScreenTemplate(templateLogin); 115 116 // We're not doing any actions buddy! (except action.login which 117 // will have been performed already) 118 data.setAction(null); 119 } 120 121 log.debug("Login Check finished!"); 122 123 // Make sure we have some way to return a response. 124 if (!data.hasScreen() && StringUtils.isEmpty( 125 data.getTemplateInfo().getScreenTemplate())) 126 { 127 if (StringUtils.isNotEmpty(templateHomepage)) 128 { 129 data.getTemplateInfo().setScreenTemplate(templateHomepage); 130 } 131 else 132 { 133 data.setScreen(screenHomepage); 134 } 135 } else { 136 handleFormCounterToken(data, false); 137 } 138 139 // We do not want to allow both a screen and template parameter. 140 // The template parameter is dominant. 141 if (data.getTemplateInfo().getScreenTemplate() != null) 142 { 143 data.setScreen(null); 144 } 145 146 // Comply with Turbine 4.0 standards 147 pipelineData.get(Turbine.class).put(User.class, data.getUser()); 148 } 149}