001package org.apache.turbine.modules.actions.sessionvalidator;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.configuration.Configuration;
023import org.apache.commons.lang.StringUtils;
024import org.apache.commons.logging.Log;
025import org.apache.commons.logging.LogFactory;
026import org.apache.turbine.Turbine;
027import org.apache.turbine.TurbineConstants;
028import org.apache.turbine.annotation.TurbineConfiguration;
029import org.apache.turbine.annotation.TurbineService;
030import org.apache.turbine.om.security.User;
031import org.apache.turbine.pipeline.PipelineData;
032import org.apache.turbine.services.security.SecurityService;
033import org.apache.turbine.util.RunData;
034
035/**
036 * SessionValidator for use with the Template Service, the
037 * TemplateSessionValidator is virtually identical to the
038 * TemplateSecureValidator except that it does not transfer to the
039 * login page when it detects a null user (or a user not logged in).
040 *
041 * <p>The Template Service requires a different Session Validator
042 * because of the way it handles screens.
043 *
044 * <p>Note that you will need to set the template.login property to the
045 * login template.
046 *
047 * @see TemplateSecureSessionValidator
048 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
049 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
050 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
051 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
052 * @version $Id: TemplateSessionValidator.java 1695634 2015-08-13 00:35:47Z tv $
053 */
054public class TemplateSessionValidator
055    extends SessionValidator
056{
057    /** Logging */
058    private static Log log = LogFactory.getLog(TemplateSessionValidator.class);
059
060    @TurbineService
061    private SecurityService security;
062
063    @TurbineConfiguration
064    private Configuration conf;
065
066    /**
067     * Execute the action.
068     *
069     * @param pipelineData Turbine information.
070     * @exception Exception The anonymous user could not be obtained
071     *         from the security service
072     */
073    @Override
074    public void doPerform(PipelineData pipelineData) throws Exception
075    {
076        RunData data = getRunData(pipelineData);
077        // Pull user from session.
078        data.populate();
079
080        // The user may have not logged in, so create a "guest/anonymous" user.
081        if (data.getUser() == null)
082        {
083            log.debug("Fixing up empty User Object!");
084            User anonymousUser = security.getAnonymousUser();
085            data.setUser(anonymousUser);
086            data.save();
087        }
088
089        // make sure we have some way to return a response
090        if (!data.hasScreen() && StringUtils.isEmpty(
091                data.getTemplateInfo().getScreenTemplate()))
092        {
093            String template = conf.getString(
094                    TurbineConstants.TEMPLATE_HOMEPAGE);
095
096            if (StringUtils.isNotEmpty(template))
097            {
098                data.getTemplateInfo().setScreenTemplate(template);
099            }
100            else
101            {
102                data.setScreen(conf.getString(
103                        TurbineConstants.SCREEN_HOMEPAGE));
104            }
105        }
106        // the session_access_counter can be placed as a hidden field in
107        // forms.  This can be used to prevent a user from using the
108        // browsers back button and submitting stale data.
109        else if (data.getParameters().containsKey("_session_access_counter")
110                && !security.isAnonymousUser(data.getUser()))
111        {
112            // See comments in screens.error.InvalidState.
113            if (data.getParameters().getInt("_session_access_counter")
114                    < (((Integer) data.getUser().getTemp(
115                    "_session_access_counter")).intValue() - 1))
116            {
117                if (data.getTemplateInfo().getScreenTemplate() != null)
118                {
119                    data.getUser().setTemp("prev_template",
120                            data.getTemplateInfo().getScreenTemplate()
121                            .replace('/', ','));
122                    data.getTemplateInfo().setScreenTemplate(conf.getString(
123                            TurbineConstants.TEMPLATE_INVALID_STATE));
124                }
125                else
126                {
127                    data.getUser().setTemp("prev_screen",
128                                           data.getScreen().replace('/', ','));
129                    data.setScreen(conf.getString(
130                            TurbineConstants.SCREEN_INVALID_STATE));
131                }
132                data.getUser().setTemp("prev_parameters", data.getParameters());
133                data.setAction("");
134            }
135        }
136
137        // we do not want to allow both a screen and template parameter.
138        // The template parameter is dominant.
139        if (data.getTemplateInfo().getScreenTemplate() != null)
140        {
141            data.setScreen(null);
142        }
143
144        // Comply with Turbine 4.0 standards
145        pipelineData.get(Turbine.class).put(User.class, data.getUser());
146    }
147}