
1   package org.apache.turbine.modules.actions;
2   
3   /*
4    * Copyright 2001-2005 The Apache Software Foundation.
5    *
6    * Licensed under the Apache License, Version 2.0 (the "License")
7    * you may not use this file except in compliance with the License.
8    * You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  import org.apache.commons.logging.Log;
20  import org.apache.commons.logging.LogFactory;
21  
22  import org.apache.turbine.modules.Action;
23  import org.apache.turbine.services.security.TurbineSecurity;
24  import org.apache.turbine.util.RunData;
25  import org.apache.turbine.util.security.AccessControlList;
26  import org.apache.turbine.util.security.TurbineSecurityException;
27  
28  import org.apache.turbine.om.security.User;
29  
30  /***
31   * This action builds an Access Control List and places it into
32   * the RunData object, so it is easily available to modules.  The ACL
33   * is also placed into the session.  Modules can null out the ACL to
34   * force it to be rebuilt based on more information.
35   *
36   * <p>
37   *
38   * Turbine uses a User-Role-Permission arrangement for access control.
39   * Users are assigned Roles.  Roles are assigned Permissions.  Turbine
40   * modules then check the Permission required for an action or
41   * information with the set of Permissions currently associated with
42   * the session (which are dependent on the user associated with the
43   * session.)
44   *
45   * <p>
46   *
47   * The criteria for assigning Roles/Permissions are application
48   * dependent; in some cases an application may change a User's Roles
49   * during the session.  To achieve flexibility, the ACL takes an
50   * Object parameter, which the application can use to build the
51   * ACL.
52   *
53   * <p>
54   *
55   * This action is special in that it should only be executed by the
56   * Turbine servlet.
57   *
58   * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
59   * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a>
60   * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a>
61   * @version $Id: AccessController.java 264148 2005-08-29 14:21:04Z henning $
62   */
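public class AccessController
        extends Action
{

    /** Logging */
    private static final Log log = LogFactory.getLog(AccessController.class);

    /**
     * Attaches the Access Control List of the current user to the request.
     *
     * <p>
     *
     * Nothing is done unless there is a user, the user is not the
     * anonymous user and the user has logged in.  For such a user the
     * ACL is first looked up in the session under
     * <code>AccessControlList.SESSION_KEY</code>; if it is absent it is
     * loaded through <code>TurbineSecurity.getACL()</code> and stored in
     * the session.  The resulting ACL is then set on the RunData object.
     *
     * <p>
     *
     * An ACL already present in the session is reused as is.  It is only
     * rebuilt when the session attribute is absent, so changes to a
     * user's roles or permissions made during a session are not picked
     * up until that attribute has been cleared.
     *
     * @see org.apache.turbine.services.security.TurbineSecurity
     * @param data Turbine information.
     * @exception TurbineSecurityException problem with the security service.
     */
    public void doPerform(RunData data)
            throws TurbineSecurityException
    {
        User user = data.getUser();

        // Fail closed: a missing user is treated like an anonymous one and
        // gets no ACL, instead of being dereferenced below.
        if (user == null
            || TurbineSecurity.isAnonymousUser(user)
            || !user.hasLoggedIn())
        {
            return;
        }

        // Only build the debug messages when they will be written; the
        // string form of an ACL is not needed otherwise.
        final boolean debugEnabled = log.isDebugEnabled();

        if (debugEnabled)
        {
            // NOTE(review): the user name is logged unmodified - confirm
            // that the log layout neutralises line breaks in names.
            log.debug("Fetching ACL for " + user.getName());
        }

        AccessControlList acl = (AccessControlList)
                data.getSession().getAttribute(
                        AccessControlList.SESSION_KEY);

        if (acl == null)
        {
            log.debug("No ACL found in Session, building fresh ACL");
            acl = TurbineSecurity.getACL(user);

            // Cache the freshly built list for later requests of this session.
            data.getSession().setAttribute(
                    AccessControlList.SESSION_KEY, acl);

            if (debugEnabled)
            {
                // Writes the ACL's string form to the debug log.
                log.debug("ACL is " + acl);
            }
        }

        data.setACL(acl);
    }
}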