001package org.apache.turbine.modules.actions.sessionvalidator;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.configuration.Configuration;
023import org.apache.commons.lang.StringUtils;
024import org.apache.commons.logging.Log;
025import org.apache.commons.logging.LogFactory;
026import org.apache.turbine.Turbine;
027import org.apache.turbine.TurbineConstants;
028import org.apache.turbine.annotation.TurbineConfiguration;
029import org.apache.turbine.annotation.TurbineService;
030import org.apache.turbine.om.security.User;
031import org.apache.turbine.pipeline.PipelineData;
032import org.apache.turbine.services.security.SecurityService;
033import org.apache.turbine.util.RunData;
034
035/**
036 * The SessionValidator attempts to retrieve the User object from the
037 * Servlet API session that is associated with the request.  If the
038 * data cannot be retrieved, it is handled here.  If the user has not
039 * been marked as being logged into the system, the user is rejected
040 * and the screen is set to the screen.homepage value in
041 * TurbineResources.properties.
042 *
043 * <p>
044 *
045 * Other systems generally have a database table which stores this
046 * information, but we take advantage of the Servlet API here to save
047 * a hit to the database for each and every connection that a user
048 * makes.
049 *
050 * <p>
051 *
052 * This action is special in that it should only be executed by the
053 * Turbine servlet.
054 *
055 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
056 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
057 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
058 * @version $Id: DefaultSessionValidator.java 1695634 2015-08-13 00:35:47Z tv $
059 */
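public class DefaultSessionValidator
    extends SessionValidator
{
    /** Logging */
    private static final Log log = LogFactory.getLog(DefaultSessionValidator.class);

    /**
     * Key used both as the request parameter and as the per-user temp
     * value that carries the session access counter compared in
     * {@link #checkSessionAccessCounter(RunData)}.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /** Security service, used to obtain the anonymous user. */
    @TurbineService
    private SecurityService security;

    /** Turbine configuration, used to look up messages and screen names. */
    @TurbineConfiguration
    private Configuration conf;

    /**
     * Execute the action.  The default is to populate the PipelineData
     * object and, if the user is unknown, to force a login screen (as
     * set in the tr.props).
     *
     * <p>The steps are, in order: pull the user from the session, replace a
     * missing user with the anonymous user, redirect users that have not
     * logged in to the login screen, fall back to the home page when no
     * screen is set, detect an out-of-sequence session access counter, and
     * finally publish the user into the PipelineData.</p>
     *
     * @see org.apache.turbine.modules.screens.error.InvalidState
     * @param pipelineData Turbine PipelineData context information.
     * @throws Exception The anonymous user could not be obtained
     *         from the security service
     */
    @Override
    public void doPerform(PipelineData pipelineData)
            throws Exception
    {
        RunData data = getRunData(pipelineData);
        // Pull user from session.
        data.populate();

        ensureUser(data);
        enforceLogin(data);
        ensureScreen(data);
        checkSessionAccessCounter(data);

        // Comply with Turbine 4.0 standards
        pipelineData.get(Turbine.class).put(User.class, data.getUser());
    }

    /**
     * Replaces a missing user with the anonymous user and saves the data
     * so later steps can rely on {@code data.getUser()} being non-null.
     *
     * @param data the run data populated from the session
     * @throws Exception if the security service cannot supply the anonymous user
     */
    private void ensureUser(RunData data)
            throws Exception
    {
        // The user may have not logged in, so create a "guest/anonymous" user.
        if (data.getUser() == null)
        {
            log.debug("Fixing up empty User Object!");
            User anonymousUser = security.getAnonymousUser();
            data.setUser(anonymousUser);
            data.save();
        }
    }

    /**
     * Sends a user that has not logged in to the configured login screen
     * and suppresses any action for this request.
     *
     * @param data the run data whose user is known to be non-null
     */
    private void enforceLogin(RunData data)
    {
        // Make sure the User has logged into the system.
        if (data.getUser().hasLoggedIn())
        {
            return;
        }

        // only set the message if nothing else has already set it
        // (e.g. the LogoutUser action).
        if (StringUtils.isEmpty(data.getMessage()))
        {
            data.setMessage(conf.getString(TurbineConstants.LOGIN_MESSAGE));
        }

        // set the screen to be the login page
        data.setScreen(conf.getString(TurbineConstants.SCREEN_LOGIN));

        // We're not doing any actions buddy! (except action.login which
        // will have been performed already)
        data.setAction(null);
    }

    /**
     * Falls back to the configured home page (with the matching message)
     * when no screen has been set for this request.
     *
     * @param data the run data to inspect
     */
    private void ensureScreen(RunData data)
    {
        if (!data.hasScreen())
        {
            data.setMessage(conf.getString(
                    TurbineConstants.LOGIN_MESSAGE_NOSCREEN));
            data.setScreen(conf.getString(TurbineConstants.SCREEN_HOMEPAGE));
        }
    }

    /**
     * Compares the client-supplied session access counter with the one
     * stored on the user and, if the request is out of sequence, parks
     * the current screen and parameters and switches to the invalid-state
     * screen.
     *
     * <p>The request parameter is attacker-controllable, so a user that
     * carries no counter at all (for example a freshly created anonymous
     * user) must not make this step fail; previously the unguarded unboxing
     * of a null temp value threw a {@code NullPointerException} for such a
     * request.</p>
     *
     * @param data the run data whose user is known to be non-null
     */
    private void checkSessionAccessCounter(RunData data)
    {
        if (!data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            return;
        }

        // No counter on the user means there is no state to be out of sync with.
        Integer storedCounter =
                (Integer) data.getUser().getTemp(SESSION_ACCESS_COUNTER);
        if (storedCounter == null)
        {
            return;
        }

        // NOTE(review): the value getInt() yields for a non-numeric
        // parameter is not visible here — confirm it cannot be negative
        // in a way that trips the comparison below.
        int requestedCounter = data.getParameters().getInt(SESSION_ACCESS_COUNTER);

        // See comments in screens.error.InvalidState.
        if (requestedCounter < storedCounter.intValue() - 1)
        {
            data.getUser().setTemp("prev_screen", data.getScreen());
            data.getUser().setTemp("prev_parameters", data.getParameters());
            data.setScreen(conf.getString(
                    TurbineConstants.SCREEN_INVALID_STATE));
            data.setAction("");
        }
    }
}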