001package org.apache.turbine.modules.actions;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.configuration.Configuration;
023import org.apache.fulcrum.security.util.FulcrumSecurityException;
024import org.apache.turbine.TurbineConstants;
025import org.apache.turbine.annotation.TurbineConfiguration;
026import org.apache.turbine.annotation.TurbineService;
027import org.apache.turbine.modules.Action;
028import org.apache.turbine.om.security.User;
029import org.apache.turbine.pipeline.PipelineData;
030import org.apache.turbine.services.security.SecurityService;
031import org.apache.turbine.util.RunData;
032
033/**
034 * This action removes a user from the session. It makes sure to save
035 * the User object in the session.
036 *
037 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
038 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
039 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
040 * @version $Id: LogoutUser.java 1706239 2015-10-01 13:18:35Z tv $
041 */
public class LogoutUser
        extends Action
{
    /** Security service, injected by Turbine; used to classify, persist and replace the user. */
    @TurbineService
    private SecurityService security;

    /** Turbine configuration, injected by Turbine; supplies the logout message and screen settings. */
    @TurbineConfiguration
    private Configuration conf;

    /**
     * Logs the current user out by resetting the request/session state to the
     * anonymous user and dropping the ACL.
     *
     * <p>For a non-anonymous user that is flagged as logged in, the flag is
     * cleared and the user is stored through the security service. After
     * that the logout message is set, the ACL is nulled, the anonymous user
     * is installed and saved, and the ACL attribute is removed from the
     * session.</p>
     *
     * <p>If the configured {@code action.logout} value
     * ({@link TurbineConstants#ACTION_LOGOUT_KEY}) is anything except the
     * default, flow is transferred to the configured
     * {@link TurbineConstants#SCREEN_HOMEPAGE}. When the value is the
     * default, this action is assumed to run before the session validator,
     * which is then expected to pick the screen/template for the
     * not-logged-in user. The redirect branch exists to preserve old
     * behaviour; setting {@code action.logout} to "LogoutUser" is the
     * recommended setup.</p>
     *
     * <p>Security-relevant behaviour visible in this method:</p>
     * <ul>
     *   <li>A non-anonymous user whose {@code hasLoggedIn()} is false causes
     *       an immediate return: message, ACL, user and session attributes
     *       are left exactly as they were.</li>
     *   <li>The HTTP session itself is not invalidated here; only the user
     *       object and the ACL attribute are replaced or removed. Any other
     *       session attributes survive the logout. NOTE(review): whether the
     *       session is invalidated or its id rotated elsewhere in the
     *       pipeline cannot be seen from this class - confirm.</li>
     * </ul>
     *
     * @param pipelineData Turbine information.
     * @exception FulcrumSecurityException a problem occurred in the security
     *            service.
     */
    @Override
    public void doPerform(PipelineData pipelineData)
            throws FulcrumSecurityException
    {
        final RunData runData = getRunData(pipelineData);
        final User currentUser = runData.getUser();

        final boolean isRealUser = !security.isAnonymousUser(currentUser);

        // A known user that never completed a login has nothing to log out
        // of; leave everything untouched.
        if (isRealUser && !currentUser.hasLoggedIn())
        {
            return;
        }

        if (isRealUser)
        {
            // Clear the logged-in flag and store the user through the
            // security service before the user object is swapped out below.
            currentUser.setHasLoggedIn(Boolean.FALSE);
            security.saveUser(currentUser);
        }

        final String logoutMessage = conf.getString(TurbineConstants.LOGOUT_MESSAGE);
        runData.setMessage(logoutMessage);

        // Nulling the ACL makes the Turbine servlet code remove it from the
        // session.
        runData.setACL(null);

        // Replace the user with the anonymous one and store that state.
        runData.setUser(security.getAnonymousUser());
        runData.save();

        // The current screen or its navigations may consult the ACL before
        // Turbine gets around to regenerating it, so drop the session copy
        // right away instead of waiting.
        runData.getSession().removeAttribute(TurbineConstants.ACL_SESSION_KEY);

        // Legacy path: only when action.logout is NOT the default do we pick
        // the screen ourselves. With the default value this action runs
        // before the session validator, which is assumed to choose the
        // screen/template for the not-logged-in user.
        final String configuredLogoutAction = conf.getString(
                TurbineConstants.ACTION_LOGOUT_KEY,
                TurbineConstants.ACTION_LOGOUT_DEFAULT);
        final boolean usesDefaultLogoutAction =
                configuredLogoutAction.equals(TurbineConstants.ACTION_LOGOUT_DEFAULT);

        if (!usesDefaultLogoutAction)
        {
            final String homepageScreen = conf.getString(TurbineConstants.SCREEN_HOMEPAGE);
            runData.setScreen(homepageScreen);
        }
    }
}