1 package org.apache.turbine.modules.actions.sessionvalidator;
2
3 /*
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
19 * under the License.
20 */
21
22 import org.apache.commons.lang.StringUtils;
23 import org.apache.commons.logging.Log;
24 import org.apache.commons.logging.LogFactory;
25 import org.apache.turbine.Turbine;
26 import org.apache.turbine.TurbineConstants;
27 import org.apache.turbine.annotation.TurbineConfiguration;
28 import org.apache.turbine.annotation.TurbineService;
29 import org.apache.turbine.om.security.User;
30 import org.apache.turbine.pipeline.PipelineData;
31 import org.apache.turbine.services.security.SecurityService;
32 import org.apache.turbine.util.RunData;
33
34 /**
35 * SessionValidator that requires login for use with Template Services
36 * like Velocity or WebMacro.
37 *
38 * <br>
39 *
40 * Templating services requires a different Session Validator
41 * because of the way it handles screens. If you use the WebMacro or
42 * Velocity Service with the {@link DefaultSessionValidator}, users will be able to
43 * bypass login by directly addressing the template using
44 * template/index.wm. This is because the Page class looks for the
45 * keyword "template" in the Path information and if it finds it will
46 * reset the screen using it's lookup mechanism and thereby bypass
47 * Login.
48 *
49 * Note that you will need to set the template.login property to the
50 * login template.
51 *
52 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
53 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
54 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
55 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
56 * @version $Id: TemplateSecureSessionValidator.java 1812601 2017-10-19 06:40:28Z gk $
57 */
58 public class TemplateSecureSessionValidator
59 extends SessionValidator
60 {
61 /** Logging */
62 private static Log log = LogFactory.getLog(
63 TemplateSecureSessionValidator.class);
64
65
66 @TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE )
67 private String loginMessage;
68
69 @TurbineConfiguration( TurbineConstants.TEMPLATE_LOGIN )
70 private String templateLogin;
71
72
73 /**
74 * doPerform is virtually identical to DefaultSessionValidator
75 * except that it calls template methods instead of bare screen
76 * methods. For example, it uses <code>setScreenTemplate</code> to
77 * load the tr.props TEMPLATE_LOGIN instead of the default's
78 * setScreen to TurbineConstants.SCREEN_LOGIN.
79 *
80 * @see DefaultSessionValidator
81 * @param pipelineData Turbine information.
82 * @throws Exception The anonymous user could not be obtained
83 * from the security service
84 */
85 @Override
86 public void doPerform(PipelineData pipelineData)
87 throws Exception
88 {
89 RunData data = getRunData(pipelineData);
90 // Pull user from session.
91 data.populate();
92
93 // The user may have not logged in, so create a "guest/anonymous" user.
94 if (data.getUser() == null)
95 {
96 log.debug("Fixing up empty User Object!");
97 User anonymousUser = security.getAnonymousUser();
98 data.setUser(anonymousUser);
99 data.save();
100 }
101
102 // This is the secure session validator, so user must be logged in.
103 if (!data.getUser().hasLoggedIn())
104 {
105 log.debug("User is not logged in!");
106
107 // only set the message if nothing else has already set it
108 // (e.g. the LogoutUser action).
109 if (StringUtils.isEmpty(data.getMessage()))
110 {
111 data.setMessage(loginMessage);
112 }
113
114 // Set the screen template to the login page.
115 log.debug("Sending User to the Login Screen ("
116 + templateLogin + ")");
117 data.getTemplateInfo().setScreenTemplate(templateLogin);
118
119 // We're not doing any actions buddy! (except action.login which
120 // will have been performed already)
121 data.setAction(null);
122 }
123
124 log.debug("Login Check finished!");
125
126 // Make sure we have some way to return a response.
127 if (!data.hasScreen() && StringUtils.isEmpty(
128 data.getTemplateInfo().getScreenTemplate()))
129 {
130 if (StringUtils.isNotEmpty(templateHomepage))
131 {
132 data.getTemplateInfo().setScreenTemplate(templateHomepage);
133 }
134 else
135 {
136 data.setScreen(screenHomepage);
137 }
138 } else {
139 handleFormCounterToken(data, false);
140 }
141
142 // We do not want to allow both a screen and template parameter.
143 // The template parameter is dominant.
144 if (data.getTemplateInfo().getScreenTemplate() != null)
145 {
146 data.setScreen(null);
147 }
148
149 // Comply with Turbine 4.0 standards
150 pipelineData.get(Turbine.class).put(User.class, data.getUser());
151 }
152 }