001package org.apache.turbine.modules.actions; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.fulcrum.security.util.FulcrumSecurityException; 023import org.apache.turbine.TurbineConstants; 024import org.apache.turbine.annotation.TurbineConfiguration; 025import org.apache.turbine.annotation.TurbineService; 026import org.apache.turbine.modules.Action; 027import org.apache.turbine.om.security.User; 028import org.apache.turbine.pipeline.PipelineData; 029import org.apache.turbine.services.security.SecurityService; 030import org.apache.turbine.util.RunData; 031 032/** 033 * This action removes a user from the session. It makes sure to save 034 * the User object in the session. 035 * 036 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a> 037 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a> 038 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 039 * @version $Id: LogoutUser.java 1773378 2016-12-09 13:19:59Z tv $ 040 */ 041public class LogoutUser 042 extends Action 043{ 044 /** Injected service instance */ 045 @TurbineService 046 private SecurityService security; 047 048 @TurbineConfiguration( TurbineConstants.LOGOUT_MESSAGE ) 049 private String logoutMessage; 050 051 @TurbineConfiguration( TurbineConstants.ACTION_LOGOUT_KEY ) 052 private String actionLogout = TurbineConstants.ACTION_LOGOUT_DEFAULT; 053 054 @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE ) 055 private String screenHomepage; 056 057 /** 058 * Clears the PipelineData user object back to an anonymous status not 059 * logged in, and with a null ACL. If the tr.props ACTION_LOGIN 060 * is anything except "LogoutUser", flow is transfered to the 061 * SCREEN_HOMEPAGE 062 * 063 * If this action name is the value of action.logout then we are 064 * being run before the session validator, so we don't need to 065 * set the screen (we assume that the session validator will handle 066 * that). This is basically still here simply to preserve old behavior 067 * - it is recommended that action.logout is set to "LogoutUser" and 068 * that the session validator does handle setting the screen/template 069 * for a logged out (read not-logged-in) user. 070 * 071 * @param pipelineData Turbine information. 072 * @throws FulcrumSecurityException a problem occurred in the security 073 * service. 074 */ 075 @Override 076 public void doPerform(PipelineData pipelineData) 077 throws FulcrumSecurityException 078 { 079 RunData data = getRunData(pipelineData); 080 081 // Session validator did not run, so RunData is not populated 082 User user = data.getUserFromSession(); 083 084 if (!security.isAnonymousUser(user)) 085 { 086 // Make sure that the user has really logged in... 087 if (!user.hasLoggedIn()) 088 { 089 return; 090 } 091 092 user.setHasLoggedIn(Boolean.FALSE); 093 security.saveUser(user); 094 } 095 096 data.setMessage(logoutMessage); 097 098 // This will cause the acl to be removed from the session in 099 // the Turbine servlet code. 100 data.setACL(null); 101 102 // Retrieve an anonymous user. 103 User anonymousUser = security.getAnonymousUser(); 104 data.setUser(anonymousUser); 105 data.save(); 106 107 // In the event that the current screen or related navigations 108 // require acl info, we cannot wait for Turbine to handle 109 // regenerating acl. 110 data.getSession().removeAttribute(TurbineConstants.ACL_SESSION_KEY); 111 112 // If this action name is the value of action.logout then we are 113 // being run before the session validator, so we don't need to 114 // set the screen (we assume that the session validator will handle 115 // that). This is basically still here simply to preserve old behavior 116 // - it is recommended that action.logout is set to "LogoutUser" and 117 // that the session validator does handle setting the screen/template 118 // for a logged out (read not-logged-in) user. 119 if (!actionLogout.equals(TurbineConstants.ACTION_LOGOUT_DEFAULT)) 120 { 121 data.setScreen(screenHomepage); 122 } 123 } 124}