001package org.apache.turbine.modules.actions.sessionvalidator;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.lang.StringUtils;
023import org.apache.commons.logging.Log;
024import org.apache.commons.logging.LogFactory;
025import org.apache.turbine.Turbine;
026import org.apache.turbine.TurbineConstants;
027import org.apache.turbine.annotation.TurbineConfiguration;
028import org.apache.turbine.annotation.TurbineService;
029import org.apache.turbine.om.security.User;
030import org.apache.turbine.pipeline.PipelineData;
031import org.apache.turbine.services.security.SecurityService;
032import org.apache.turbine.util.RunData;
033
034/**
035 * SessionValidator that requires login for use with Template Services
036 * like Velocity or WebMacro.
037 *
038 * <br>
039 *
040 * Templating services requires a different Session Validator
041 * because of the way it handles screens.  If you use the WebMacro or
042 * Velocity Service with the {@link DefaultSessionValidator}, users will be able to
043 * bypass login by directly addressing the template using
044 * template/index.wm.  This is because the Page class looks for the
045 * keyword "template" in the Path information and if it finds it will
046 * reset the screen using it's lookup mechanism and thereby bypass
047 * Login.
048 *
049 * Note that you will need to set the template.login property to the
050 * login template.
051 *
052 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
053 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
054 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
055 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
056 * @version $Id: TemplateSecureSessionValidator.java 1812601 2017-10-19 06:40:28Z gk $
057 */
058public class TemplateSecureSessionValidator
059    extends SessionValidator
060{
061    /** Logging */
062    private static Log log = LogFactory.getLog(
063            TemplateSecureSessionValidator.class);
064
065
066    @TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE )
067    private String loginMessage;
068
069    @TurbineConfiguration( TurbineConstants.TEMPLATE_LOGIN )
070    private String templateLogin;
071
072
073    /**
074     * doPerform is virtually identical to DefaultSessionValidator
075     * except that it calls template methods instead of bare screen
076     * methods. For example, it uses <code>setScreenTemplate</code> to
077     * load the tr.props TEMPLATE_LOGIN instead of the default's
078     * setScreen to TurbineConstants.SCREEN_LOGIN.
079     *
080     * @see DefaultSessionValidator
081     * @param pipelineData Turbine information.
082     * @throws Exception The anonymous user could not be obtained
083     *         from the security service
084     */
085    @Override
086    public void doPerform(PipelineData pipelineData)
087    throws Exception
088    {
089        RunData data = getRunData(pipelineData);
090        // Pull user from session.
091        data.populate();
092
093        // The user may have not logged in, so create a "guest/anonymous" user.
094        if (data.getUser() == null)
095        {
096            log.debug("Fixing up empty User Object!");
097            User anonymousUser = security.getAnonymousUser();
098            data.setUser(anonymousUser);
099            data.save();
100        }
101
102        // This is the secure session validator, so user must be logged in.
103        if (!data.getUser().hasLoggedIn())
104        {
105            log.debug("User is not logged in!");
106
107            // only set the message if nothing else has already set it
108            // (e.g. the LogoutUser action).
109            if (StringUtils.isEmpty(data.getMessage()))
110            {
111                data.setMessage(loginMessage);
112            }
113
114            // Set the screen template to the login page.
115            log.debug("Sending User to the Login Screen ("
116                    + templateLogin + ")");
117            data.getTemplateInfo().setScreenTemplate(templateLogin);
118
119            // We're not doing any actions buddy! (except action.login which
120            // will have been performed already)
121            data.setAction(null);
122        }
123
124        log.debug("Login Check finished!");
125
126        // Make sure we have some way to return a response.
127        if (!data.hasScreen() && StringUtils.isEmpty(
128                data.getTemplateInfo().getScreenTemplate()))
129        {
130            if (StringUtils.isNotEmpty(templateHomepage))
131            {
132                data.getTemplateInfo().setScreenTemplate(templateHomepage);
133            }
134            else
135            {
136                data.setScreen(screenHomepage);
137            }
138        } else {
139            handleFormCounterToken(data, false);
140        }
141
142        // We do not want to allow both a screen and template parameter.
143        // The template parameter is dominant.
144        if (data.getTemplateInfo().getScreenTemplate() != null)
145        {
146            data.setScreen(null);
147        }
148
149        // Comply with Turbine 4.0 standards
150        pipelineData.get(Turbine.class).put(User.class, data.getUser());
151    }
152}