001package org.apache.turbine.modules.actions; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.commons.configuration.Configuration; 023import org.apache.fulcrum.security.util.FulcrumSecurityException; 024import org.apache.turbine.TurbineConstants; 025import org.apache.turbine.annotation.TurbineConfiguration; 026import org.apache.turbine.annotation.TurbineService; 027import org.apache.turbine.modules.Action; 028import org.apache.turbine.om.security.User; 029import org.apache.turbine.pipeline.PipelineData; 030import org.apache.turbine.services.security.SecurityService; 031import org.apache.turbine.util.RunData; 032 033/** 034 * This action removes a user from the session. It makes sure to save 035 * the User object in the session. 036 * 037 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a> 038 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a> 039 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 040 * @version $Id: LogoutUser.java 1706239 2015-10-01 13:18:35Z tv $ 041 */ 042public class LogoutUser 043 extends Action 044{ 045 /** Injected service instance */ 046 @TurbineService 047 private SecurityService security; 048 049 /** Injected configuration instance */ 050 @TurbineConfiguration 051 private Configuration conf; 052 053 /** 054 * Clears the PipelineData user object back to an anonymous status not 055 * logged in, and with a null ACL. If the tr.props ACTION_LOGIN 056 * is anything except "LogoutUser", flow is transfered to the 057 * SCREEN_HOMEPAGE 058 * 059 * If this action name is the value of action.logout then we are 060 * being run before the session validator, so we don't need to 061 * set the screen (we assume that the session validator will handle 062 * that). This is basically still here simply to preserve old behaviour 063 * - it is recommended that action.logout is set to "LogoutUser" and 064 * that the session validator does handle setting the screen/template 065 * for a logged out (read not-logged-in) user. 066 * 067 * @param pipelineData Turbine information. 068 * @exception FulcrumSecurityException a problem occurred in the security 069 * service. 070 */ 071 @Override 072 public void doPerform(PipelineData pipelineData) 073 throws FulcrumSecurityException 074 { 075 RunData data = getRunData(pipelineData); 076 User user = data.getUser(); 077 078 if (!security.isAnonymousUser(user)) 079 { 080 // Make sure that the user has really logged in... 081 if (!user.hasLoggedIn()) 082 { 083 return; 084 } 085 086 user.setHasLoggedIn(Boolean.FALSE); 087 security.saveUser(user); 088 } 089 090 data.setMessage(conf.getString(TurbineConstants.LOGOUT_MESSAGE)); 091 092 // This will cause the acl to be removed from the session in 093 // the Turbine servlet code. 094 data.setACL(null); 095 096 // Retrieve an anonymous user. 097 User anonymousUser = security.getAnonymousUser(); 098 data.setUser(anonymousUser); 099 data.save(); 100 101 // In the event that the current screen or related navigations 102 // require acl info, we cannot wait for Turbine to handle 103 // regenerating acl. 104 data.getSession().removeAttribute(TurbineConstants.ACL_SESSION_KEY); 105 106 // If this action name is the value of action.logout then we are 107 // being run before the session validator, so we don't need to 108 // set the screen (we assume that the session validator will handle 109 // that). This is basically still here simply to preserve old behavior 110 // - it is recommended that action.logout is set to "LogoutUser" and 111 // that the session validator does handle setting the screen/template 112 // for a logged out (read not-logged-in) user. 113 if (!conf.getString(TurbineConstants.ACTION_LOGOUT_KEY, 114 TurbineConstants.ACTION_LOGOUT_DEFAULT) 115 .equals(TurbineConstants.ACTION_LOGOUT_DEFAULT)) 116 { 117 data.setScreen(conf.getString(TurbineConstants.SCREEN_HOMEPAGE)); 118 } 119 } 120}