001package org.apache.turbine.modules.actions;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.logging.Log;
023import org.apache.commons.logging.LogFactory;
024import org.apache.fulcrum.security.acl.AccessControlList;
025import org.apache.fulcrum.security.util.FulcrumSecurityException;
026import org.apache.turbine.Turbine;
027import org.apache.turbine.TurbineConstants;
028import org.apache.turbine.annotation.TurbineService;
029import org.apache.turbine.modules.Action;
030import org.apache.turbine.om.security.User;
031import org.apache.turbine.pipeline.PipelineData;
032import org.apache.turbine.services.security.SecurityService;
033import org.apache.turbine.util.RunData;
034
035/**
036 * This action doPerforms an Access Control List and places it into
037 * the RunData object, so it is easily available to modules.  The ACL
038 * is also placed into the session.  Modules can null out the ACL to
039 * force it to be rebuilt based on more information.
040 *
041 * <p>
042 *
043 * Turbine uses a User-Role-Permission arrangement for access control.
044 * Users are assigned Roles.  Roles are assigned Permissions.  Turbine
045 * modules then check the Permission required for an action or
046 * information with the set of Permissions currently associated with
047 * the session (which are dependent on the user associated with the
048 * session.)
049 *
050 * <p>
051 *
052 * The criteria for assigning Roles/Permissions is application
053 * dependent, in some cases an application may change a User's Roles
054 * during the session.  To achieve flexibility, the ACL takes an
055 * Object parameter, which the application can use to doPerform the
056 * ACL.
057 *
058 * <p>
059 *
060 * This action is special in that it should only be executed by the
061 * Turbine servlet.
062 *
063 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
064 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a>
065 * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a>
066 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
067 * @version $Id: AccessController.java 1706239 2015-10-01 13:18:35Z tv $
068 */
069public class AccessController
070        extends Action
071{
072
073    /** Logging */
074    private static Log log = LogFactory.getLog(AccessController.class);
075
076    /** Injected service instance */
077    @TurbineService
078    private SecurityService security;
079
080    /**
081     * If there is a user and the user is logged in, doPerform will
082     * set the RunData ACL.  The list is first sought from the current
083     * session, otherwise it is loaded through
084     * <code>TurbineSecurity.getACL()</code> and added to the current
085     * session.
086     *
087     * @param pipelineData Turbine information.
088     * @exception FulcrumSecurityException problem with the security service.
089     */
090    @Override
091    public void doPerform(PipelineData pipelineData)
092        throws FulcrumSecurityException
093    {
094        RunData data = getRunData(pipelineData);
095        User user = data.getUser();
096
097        if (!security.isAnonymousUser(user)
098            && user.hasLoggedIn())
099        {
100            log.debug("Fetching ACL for " + user.getName());
101            AccessControlList acl = (AccessControlList)
102                    data.getSession().getAttribute(
103                            TurbineConstants.ACL_SESSION_KEY);
104            if (acl == null)
105            {
106                log.debug("No ACL found in Session, building fresh ACL");
107                acl = security.getACL(user);
108                data.getSession().setAttribute(
109                        TurbineConstants.ACL_SESSION_KEY, acl);
110
111                log.debug("ACL is " + acl);
112            }
113            data.setACL(acl);
114        }
115
116        // Comply with Turbine 4.0 standards
117        pipelineData.get(Turbine.class).put(AccessControlList.class, data.getACL());
118    }
119}