001package org.apache.turbine.modules.screens; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import java.lang.reflect.Method; 023 024import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList; 025import org.apache.turbine.annotation.AnnotationProcessor; 026import org.apache.turbine.annotation.AnnotationProcessor.ConditionType; 027import org.apache.turbine.annotation.TurbineRequiredRole; 028import org.apache.turbine.pipeline.PipelineData; 029import org.apache.turbine.util.RunData; 030 031public class PlainJSONSecureAnnotatedScreen extends PlainJSONScreen 032{ 033 034 /** 035 * This method overrides the method in JSONScreen to perform a security 036 * check prior to producing the output. 037 * 038 * @param pipelineData Turbine information. 039 * @throws Exception a generic exception. 040 */ 041 @Override 042 public void doOutput(PipelineData pipelineData) throws Exception 043 { 044 if (isAuthorized(pipelineData)) 045 { 046 super.doOutput(pipelineData); 047 } 048 } 049 050 /** 051 * Use this method to perform the necessary security check with Turbine annotations {@link TurbineRequiredRole} in 052 * a newly overridden {@link #doOutput(PipelineData)} method. 053 * 054 * @param pipelineData Turbine information. 055 * @return <code>true</code> if the user is authorized to access the screen, by default it is required ACL is populated. 056 * If {@link TurbineRequiredRole} is not set, it is allowed by default 057 * @throws Exception A generic exception. 058 */ 059 protected boolean isAuthorized(PipelineData pipelineData) throws Exception { 060 RunData data = pipelineData.getRunData(); 061 Method[] methods = getClass().getMethods(); 062 for (Method m : methods) { 063 if (m.getName().equals( "doOutput" )) { 064 if ((TurbineAccessControlList)data.getACL() == null) return false; 065 return AnnotationProcessor.isAuthorized( m, (TurbineAccessControlList)data.getACL(), ConditionType.ANY ); 066 } 067 } 068 return false; 069 } 070}