001package org.apache.turbine.modules.screens;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import java.lang.reflect.Method;
023
024import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList;
025import org.apache.turbine.annotation.AnnotationProcessor;
026import org.apache.turbine.annotation.AnnotationProcessor.ConditionType;
027import org.apache.turbine.annotation.TurbineRequiredRole;
028import org.apache.turbine.pipeline.PipelineData;
029import org.apache.turbine.util.RunData;
030
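public class PlainJSONSecureAnnotatedScreen extends PlainJSONScreen
{

    /**
     * Overrides {@link PlainJSONScreen#doOutput(PipelineData)} to perform a
     * security check before any output is produced. When the check fails,
     * nothing is written to the response.
     *
     * @param pipelineData Turbine information.
     * @throws Exception a generic exception.
     */
    @Override
    public void doOutput(PipelineData pipelineData) throws Exception
    {
        if (isAuthorized(pipelineData))
        {
            super.doOutput(pipelineData);
        }
    }

    /**
     * Use this method to perform the necessary security check with Turbine annotations {@link TurbineRequiredRole} in
     * a newly overridden {@link #doOutput(PipelineData)} method.
     *
     * The check is evaluated against the {@code doOutput(PipelineData)} method of the runtime class, resolved
     * explicitly by signature rather than by scanning {@link Class#getMethods()} for the first method named
     * {@code doOutput}: the order of that array is unspecified, so a name-only scan could pick an overload that
     * does not carry the annotation and thereby make the authorization decision order-dependent.
     * Java does not propagate method annotations to overriding methods, so a subclass that redefines
     * {@code doOutput} should declare {@link TurbineRequiredRole} on its own override.
     *
     * @param pipelineData Turbine information.
     * @return <code>true</code> if the user is authorized to access the screen, by default it is required ACL is populated.
     * If {@link TurbineRequiredRole} is not set, it is allowed by default. A missing request context or a missing
     * ACL results in <code>false</code> (deny).
     * @throws Exception A generic exception.
     */
    protected boolean isAuthorized(PipelineData pipelineData) throws Exception {
        if (pipelineData == null) {
            return false;
        }
        RunData data = pipelineData.getRunData();
        if (data == null) {
            return false; // no request context to authorize against
        }
        // The ACL must be populated before any role check can succeed.
        TurbineAccessControlList acl = (TurbineAccessControlList) data.getACL();
        if (acl == null) {
            return false;
        }
        Method doOutput;
        try {
            // getMethod() also resolves inherited public methods, so this succeeds for
            // every subclass and always yields the overload the annotation is expected on.
            doOutput = getClass().getMethod("doOutput", PipelineData.class);
        } catch (NoSuchMethodException ignored) {
            // Cannot happen for this class hierarchy; keep the original deny-by-default result.
            return false;
        }
        return AnnotationProcessor.isAuthorized(doOutput, acl, ConditionType.ANY);
    }
}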