001    package org.apache.turbine.modules.actions;
002    
003    /*
004     * Licensed to the Apache Software Foundation (ASF) under one
005     * or more contributor license agreements.  See the NOTICE file
006     * distributed with this work for additional information
007     * regarding copyright ownership.  The ASF licenses this file
008     * to you under the Apache License, Version 2.0 (the
009     * "License"); you may not use this file except in compliance
010     * with the License.  You may obtain a copy of the License at
011     *
012     *   http://www.apache.org/licenses/LICENSE-2.0
013     *
014     * Unless required by applicable law or agreed to in writing,
015     * software distributed under the License is distributed on an
016     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017     * KIND, either express or implied.  See the License for the
018     * specific language governing permissions and limitations
019     * under the License.
020     */
021    
022    import org.apache.commons.logging.Log;
023    import org.apache.commons.logging.LogFactory;
024    
025    import org.apache.turbine.modules.Action;
026    import org.apache.turbine.services.security.TurbineSecurity;
027    import org.apache.turbine.util.RunData;
028    import org.apache.turbine.util.security.AccessControlList;
029    import org.apache.turbine.util.security.TurbineSecurityException;
030    
031    import org.apache.turbine.om.security.User;
032    import org.apache.turbine.pipeline.PipelineData;
033    
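/**
 * This action builds an Access Control List and places it into
 * the RunData object, so it is easily available to modules.  The ACL
 * is also placed into the session.  Modules can null out the ACL to
 * force it to be rebuilt based on more information.
 *
 * <p>
 *
 * Turbine uses a User-Role-Permission arrangement for access control.
 * Users are assigned Roles.  Roles are assigned Permissions.  Turbine
 * modules then check the Permission required for an action or
 * information with the set of Permissions currently associated with
 * the session (which are dependent on the user associated with the
 * session.)
 *
 * <p>
 *
 * The criteria for assigning Roles/Permissions is application
 * dependent, in some cases an application may change a User's Roles
 * during the session.  To achieve flexibility, the ACL takes an
 * Object parameter, which the application can use to build the
 * ACL.
 *
 * <p>
 *
 * Because the ACL is cached in the session, a change to a User's Roles
 * is not seen by this action until the cached entry is removed.
 *
 * <p>
 *
 * This action is special in that it should only be executed by the
 * Turbine servlet.
 *
 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a>
 * @author <a href="mailto:quintonm@bellsouth.net">Quinton McCombs</a>
 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
 * @version $Id: AccessController.java 1066529 2011-02-02 17:01:46Z ludwig $
 */
public class AccessController
        extends Action
{

    /** Logging */
    private static final Log log = LogFactory.getLog(AccessController.class);

    /**
     * If there is a user and the user is logged in, doPerform will
     * set the RunData ACL.  The list is first sought from the current
     * session, otherwise it is loaded through
     * <code>TurbineSecurity.getACL()</code> and added to the current
     * session.
     *
     * <p>
     *
     * For an anonymous user, or one that has not logged in, this method
     * returns without touching the RunData ACL or the session.
     *
     * @deprecated Use PipelineData version instead.
     * @see org.apache.turbine.services.security.TurbineSecurity
     * @param data Turbine information.
     * @exception TurbineSecurityException problem with the security service.
     */
    @Deprecated
    @Override
    public void doPerform(RunData data)
            throws TurbineSecurityException
    {
        User user = data.getUser();

        // Only an identified, logged-in user gets an ACL.  Nothing is
        // cleared here: whatever ACL RunData already holds is left as is.
        if (TurbineSecurity.isAnonymousUser(user) || !user.hasLoggedIn())
        {
            return;
        }

        // Debug output carries the user name and, below, the full ACL;
        // the guards keep those strings from being built when debug is off.
        if (log.isDebugEnabled())
        {
            log.debug("Fetching ACL for " + user.getName());
        }

        // The session entry is used as found.  Nothing in this method checks
        // that it was built for this user or that roles are unchanged since.
        // NOTE(review): this relies on the code handling login, logout and
        // role changes removing SESSION_KEY from the session -- confirm.
        AccessControlList acl = (AccessControlList)
                data.getSession().getAttribute(
                        AccessControlList.SESSION_KEY);

        if (acl == null)
        {
            log.debug("No ACL found in Session, building fresh ACL");
            acl = TurbineSecurity.getACL(user);
            data.getSession().setAttribute(
                    AccessControlList.SESSION_KEY, acl);

            if (log.isDebugEnabled())
            {
                log.debug("ACL is " + acl);
            }
        }

        data.setACL(acl);
    }

    /**
     * If there is a user and the user is logged in, doPerform will
     * set the RunData ACL.  The list is first sought from the current
     * session, otherwise it is loaded through
     * <code>TurbineSecurity.getACL()</code> and added to the current
     * session.
     *
     * <p>
     *
     * The work is done by {@link #doPerform(RunData)} on the RunData
     * obtained from the pipeline data.
     *
     * @see org.apache.turbine.services.security.TurbineSecurity
     * @param pipelineData Turbine information.
     * @exception TurbineSecurityException problem with the security service.
     */
    @Override
    public void doPerform(PipelineData pipelineData)
        throws TurbineSecurityException
    {
        doPerform(getRunData(pipelineData));
    }
}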