
 package org.apache.turbine.modules.actions.sessionvalidator;
 
 /*
  * Copyright 2001-2005 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License")
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 import org.apache.commons.configuration.Configuration;
 
 import org.apache.commons.lang.StringUtils;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.apache.turbine.Turbine;
 import org.apache.turbine.TurbineConstants;
 
 import org.apache.turbine.services.security.TurbineSecurity;
 
 import org.apache.turbine.util.RunData;
 import org.apache.turbine.util.TurbineException;
 
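 /**
  * SessionValidator that requires login for use with Template Services
  * like Velocity or WebMacro.
  *
  * <br>
  *
  * Templating services require a different Session Validator
  * because of the way they handle screens.  If you use the WebMacro or
  * Velocity Service with the DefaultSessionValidator, users will be able to
  * bypass login by directly addressing the template using
  * template/index.wm.  This is because the Page class looks for the
  * keyword "template" in the Path information and if it finds it will
  * reset the screen using its lookup mechanism and thereby bypass
  * Login.  This validator therefore gates on {@code User.hasLoggedIn()}
  * and sends unauthenticated requests to the login <em>template</em>
  * rather than the login screen, so the template path cannot skip it.
  *
  * Note that you will need to set the template.login property to the
  * login template.
  *
  * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
  * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
  * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
  * @version $Id: TemplateSecureSessionValidator.java 264148 2005-08-29 14:21:04Z henning $
  */
 public class TemplateSecureSessionValidator
     extends SessionValidator
 {
     /** Logging */
     private static Log log = LogFactory.getLog(
             TemplateSecureSessionValidator.class);

     /**
      * Name of both the request parameter and the user "temp" slot that
      * carry the session access counter used by the stale-form check.
      */
     private static final String SESSION_ACCESS_COUNTER =
             "_session_access_counter";

     /**
      * doPerform is virtually identical to DefaultSessionValidator
      * except that it calls template methods instead of bare screen
      * methods. For example, it uses <code>setScreenTemplate</code> to
      * load the tr.props TEMPLATE_LOGIN instead of the default's
      * setScreen to TurbineConstants.SCREEN_LOGIN.
      *
      * The sequence is:
      * <ol>
      *   <li>populate the user from the session, substituting the anonymous
      *       user when none is present;</li>
      *   <li>if the user has not logged in, set the login message, point the
      *       response at the login template and drop any requested action
      *       (fail closed: nothing but the login template is served);</li>
      *   <li>make sure some screen or template is set so a response can be
      *       rendered;</li>
      *   <li>for logged-in users that submitted
      *       <code>_session_access_counter</code>, detect a stale
      *       (back-button) submission and route to the invalid-state
      *       page;</li>
      *   <li>let a template win over a screen when both are set.</li>
      * </ol>
      *
      * @see DefaultSessionValidator
      * @param data Turbine information.
      * @throws TurbineException The anonymous user could not be obtained
      *         from the security service
      */
     public void doPerform(RunData data)
             throws TurbineException
     {
         Configuration conf = Turbine.getConfiguration();

         // Pull user from session.
         data.populate();

         // The user may have not logged in, so create a "guest/anonymous" user.
         if (data.getUser() == null)
         {
             log.debug("Fixing up empty User Object!");
             data.setUser(TurbineSecurity.getAnonymousUser());
             data.save();
         }

         // This is the secure sessionvalidator, so user must be logged in.
         // Everything that is not an authenticated session ends up on the
         // login template with its requested action discarded.
         if (!data.getUser().hasLoggedIn())
         {
             log.debug("User is not logged in!");

             // only set the message if nothing else has already set it
             // (e.g. the LogoutUser action).
             if (StringUtils.isEmpty(data.getMessage()))
             {
                 data.setMessage(conf.getString(TurbineConstants.LOGIN_MESSAGE));
             }

             // Set the screen template to the login page.
             String loginTemplate =
                 conf.getString(TurbineConstants.TEMPLATE_LOGIN);

             log.debug("Sending User to the Login Screen ("
                     + loginTemplate + ")");
             data.getTemplateInfo().setScreenTemplate(loginTemplate);

             // We're not doing any actions buddy! (except action.login which
             // will have been performed already)
             data.setAction(null);
         }

         log.debug("Login Check finished!");

         // Make sure we have some way to return a response.
         if (!data.hasScreen() && StringUtils.isEmpty(
                 data.getTemplateInfo().getScreenTemplate()))
         {
             String template = conf.getString(
                     TurbineConstants.TEMPLATE_HOMEPAGE);

             if (StringUtils.isNotEmpty(template))
             {
                 data.getTemplateInfo().setScreenTemplate(template);
             }
             else
             {
                 data.setScreen(conf.getString(
                         TurbineConstants.SCREEN_HOMEPAGE));
             }
         }

         // The session_access_counter can be placed as a hidden field in
         // forms.  This can be used to prevent a user from using the
         // browsers back button and submitting stale data.
         // FIXME!! a template needs to be written to use this with templates.
         if (data.getParameters().containsKey(SESSION_ACCESS_COUNTER)
                 && !TurbineSecurity.isAnonymousUser(data.getUser()))
         {
             checkSessionAccessCounter(data, conf);
         }

         // We do not want to allow both a screen and template parameter.
         // The template parameter is dominant.
         if (data.getTemplateInfo().getScreenTemplate() != null)
         {
             data.setScreen(null);
         }
     }

     /**
      * Compares the client-submitted access counter with the one held in
      * the user's temp storage and, if the submission is stale, redirects
      * to the invalid-state template (or screen).
      *
      * The stored counter is server-side state that this class never
      * writes; it may be absent if nothing initialized it for this session.
      * The former code cast it unconditionally, so a logged-in client could
      * turn a missing counter into a NullPointerException (an unhandled
      * request failure) just by sending the parameter.  With no stored
      * value there is nothing to compare against, so the check is skipped
      * and logged instead of failing the request.
      *
      * @param data Turbine information.
      * @param conf the Turbine configuration, used to look up the
      *        invalid-state template/screen names.
      */
     private void checkSessionAccessCounter(RunData data, Configuration conf)
     {
         Object stored = data.getUser().getTemp(SESSION_ACCESS_COUNTER);
         if (!(stored instanceof Integer))
         {
             log.debug("No session access counter stored for user; "
                     + "skipping stale-state check");
             return;
         }

         // NOTE(review): how getInt() treats a non-numeric parameter value
         // is decided by the ParameterParser, not here -- confirm it does
         // not throw on client-supplied garbage.
         int submitted = data.getParameters().getInt(SESSION_ACCESS_COUNTER);
         int expected = ((Integer) stored).intValue();

         // See comments in screens.error.InvalidState.
         if (submitted < expected - 1)
         {
             // Remember where the user was going so InvalidState can offer
             // a way back; '/' is swapped for ',' as the original code did.
             if (data.getTemplateInfo().getScreenTemplate() != null)
             {
                 data.getUser().setTemp("prev_template",
                         data.getTemplateInfo().getScreenTemplate()
                         .replace('/', ','));
                 data.getTemplateInfo().setScreenTemplate(conf.getString(
                         TurbineConstants.TEMPLATE_INVALID_STATE));
             }
             else
             {
                 data.getUser().setTemp("prev_screen",
                                        data.getScreen().replace('/', ','));
                 data.setScreen(conf.getString(
                         TurbineConstants.SCREEN_INVALID_STATE));
             }
             data.getUser().setTemp("prev_parameters", data.getParameters());
             // Preserved as-is: the login branch clears the action with
             // null, this path with "" -- any distinction lives in RunData.
             data.setAction("");
         }
     }
 }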
