1 package org.apache.turbine.modules.actions; 2 3 /* 4 * Licensed to the Apache Software Foundation (ASF) under one 5 * or more contributor license agreements. See the NOTICE file 6 * distributed with this work for additional information 7 * regarding copyright ownership. The ASF licenses this file 8 * to you under the Apache License, Version 2.0 (the 9 * "License"); you may not use this file except in compliance 10 * with the License. You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, 15 * software distributed under the License is distributed on an 16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 17 * KIND, either express or implied. See the License for the 18 * specific language governing permissions and limitations 19 * under the License. 20 */ 21 22 import org.apache.commons.logging.Log; 23 import org.apache.commons.logging.LogFactory; 24 import org.apache.fulcrum.security.acl.AccessControlList; 25 import org.apache.fulcrum.security.util.FulcrumSecurityException; 26 import org.apache.turbine.Turbine; 27 import org.apache.turbine.TurbineConstants; 28 import org.apache.turbine.annotation.TurbineService; 29 import org.apache.turbine.modules.Action; 30 import org.apache.turbine.om.security.User; 31 import org.apache.turbine.pipeline.PipelineData; 32 import org.apache.turbine.services.security.SecurityService; 33 import org.apache.turbine.util.RunData; 34 35 /** 36 * This action doPerforms an Access Control List and places it into 37 * the RunData object, so it is easily available to modules. The ACL 38 * is also placed into the session. Modules can null out the ACL to 39 * force it to be rebuilt based on more information. 40 * 41 * <p> 42 * 43 * Turbine uses a User-Role-Permission arrangement for access control. 44 * Users are assigned Roles. Roles are assigned Permissions. Turbine 45 * modules then check the Permission required for an action or 46 * information with the set of Permissions currently associated with 47 * the session (which are dependent on the user associated with the 48 * session.) 49 * 50 * <p> 51 * 52 * The criteria for assigning Roles/Permissions is application 53 * dependent, in some cases an application may change a User's Roles 54 * during the session. To achieve flexibility, the ACL takes an 55 * Object parameter, which the application can use to doPerform the 56 * ACL. 57 * 58 * <p> 59 * 60 * This action is special in that it should only be executed by the 61 * Turbine servlet. 62 * 63 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a> 64 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a> 65 * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a> 66 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 67 * @version $Id: AccessController.java 1706239 2015-10-01 13:18:35Z tv $ 68 */ 69 public class AccessController 70 extends Action 71 { 72 73 /** Logging */ 74 private static Log log = LogFactory.getLog(AccessController.class); 75 76 /** Injected service instance */ 77 @TurbineService 78 private SecurityService security; 79 80 /** 81 * If there is a user and the user is logged in, doPerform will 82 * set the RunData ACL. The list is first sought from the current 83 * session, otherwise it is loaded through 84 * <code>TurbineSecurity.getACL()</code> and added to the current 85 * session. 86 * 87 * @param pipelineData Turbine information. 88 * @exception FulcrumSecurityException problem with the security service. 89 */ 90 @Override 91 public void doPerform(PipelineData pipelineData) 92 throws FulcrumSecurityException 93 { 94 RunData data = getRunData(pipelineData); 95 User user = data.getUser(); 96 97 if (!security.isAnonymousUser(user) 98 && user.hasLoggedIn()) 99 { 100 log.debug("Fetching ACL for " + user.getName()); 101 AccessControlList acl = (AccessControlList) 102 data.getSession().getAttribute( 103 TurbineConstants.ACL_SESSION_KEY); 104 if (acl == null) 105 { 106 log.debug("No ACL found in Session, building fresh ACL"); 107 acl = security.getACL(user); 108 data.getSession().setAttribute( 109 TurbineConstants.ACL_SESSION_KEY, acl); 110 111 log.debug("ACL is " + acl); 112 } 113 data.setACL(acl); 114 } 115 116 // Comply with Turbine 4.0 standards 117 pipelineData.get(Turbine.class).put(AccessControlList.class, data.getACL()); 118 } 119 }