1 package org.apache.turbine.modules.actions.sessionvalidator;
19 import org.apache.commons.configuration.Configuration;
20
21 import org.apache.commons.lang.StringUtils;
22
23 import org.apache.commons.logging.Log;
24 import org.apache.commons.logging.LogFactory;
25
26 import org.apache.turbine.Turbine;
27 import org.apache.turbine.TurbineConstants;
28
29 import org.apache.turbine.services.security.TurbineSecurity;
30
31 import org.apache.turbine.util.RunData;
32 import org.apache.turbine.util.TurbineException;
33
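/**
 * SessionValidator that requires login, for use with template services
 * like Velocity or WebMacro.
 *
 * <br>
 *
 * Templating services require a different session validator because of
 * the way they handle screens. If you use the WebMacro or Velocity
 * Service with the DefaultSessionValidator, users will be able to bypass
 * login by directly addressing the template using template/index.wm.
 * This is because the Page class looks for the keyword "template" in
 * the path information and, if it finds it, resets the screen using its
 * lookup mechanism and thereby bypasses login.
 *
 * Note that you will need to set the template.login property to the
 * login template. This validator does not stop the request when that
 * property is missing; it only logs a warning, so a deployment should
 * treat that warning as a configuration error.
 *
 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
 * @version $Id: TemplateSecureSessionValidator.java 264148 2005-08-29 14:21:04Z henning $
 */
public class TemplateSecureSessionValidator
        extends SessionValidator
{
    /** Logging */
    private static final Log log = LogFactory.getLog(
            TemplateSecureSessionValidator.class);

    /**
     * Name shared by the request parameter and the per-user temp value
     * that are compared to detect a stale form submission.
     */
    private static final String ACCESS_COUNTER_KEY = "_session_access_counter";

    /**
     * doPerform is virtually identical to DefaultSessionValidator
     * except that it calls template methods instead of bare screen
     * methods. For example, it uses <code>setScreenTemplate</code> to
     * load the tr.props TEMPLATE_LOGIN instead of the default's
     * setScreen to TurbineConstants.SCREEN_LOGIN.
     *
     * The steps are, in order: make sure a user object is present
     * (falling back to the anonymous user), send users that have not
     * logged in to the login template and drop their action, pick the
     * homepage when nothing was requested, divert stale form
     * submissions to the invalid-state template or screen, and finally
     * clear the screen whenever a screen template is set.
     *
     * @see DefaultSessionValidator
     * @param data Turbine information.
     * @throws TurbineException The anonymous user could not be obtained
     *         from the security service
     */
    public void doPerform(RunData data)
            throws TurbineException
    {
        Configuration conf = Turbine.getConfiguration();

        // NOTE(review): populate() presumably loads the user for this
        // request from the session -- confirm against RunData.
        data.populate();

        // No user object at all: continue as the anonymous user so that
        // the login check below always has something to test.
        if (data.getUser() == null)
        {
            log.debug("Fixing up empty User Object!");
            data.setUser(TurbineSecurity.getAnonymousUser());
            data.save();
        }

        // This is the access-control decision of the validator.
        if (!data.getUser().hasLoggedIn())
        {
            log.debug("User is not logged in!");

            // Keep a message that an earlier step already set; otherwise
            // use the configured login message.
            if (StringUtils.isEmpty(data.getMessage()))
            {
                data.setMessage(conf.getString(TurbineConstants.LOGIN_MESSAGE));
            }

            String loginTemplate =
                    conf.getString(TurbineConstants.TEMPLATE_LOGIN);

            if (StringUtils.isEmpty(loginTemplate))
            {
                // Without a login template the redirect below has no
                // target. What is rendered then depends on code outside
                // this class, so surface the misconfiguration loudly.
                log.warn("No login template is configured ("
                        + TurbineConstants.TEMPLATE_LOGIN
                        + "); a user who is not logged in cannot be"
                        + " sent to the login template");
            }

            log.debug("Sending User to the Login Screen ("
                    + loginTemplate + ")");
            data.getTemplateInfo().setScreenTemplate(loginTemplate);

            // Drop the requested action so that a request from a user
            // who is not logged in cannot trigger it.
            data.setAction(null);
        }

        log.debug("Login Check finished!");

        // Nothing requested at all: fall back to the homepage, preferring
        // the template form over the bare screen.
        if (!data.hasScreen() && StringUtils.isEmpty(
                data.getTemplateInfo().getScreenTemplate()))
        {
            String template = conf.getString(
                    TurbineConstants.TEMPLATE_HOMEPAGE);

            if (StringUtils.isNotEmpty(template))
            {
                data.getTemplateInfo().setScreenTemplate(template);
            }
            else
            {
                data.setScreen(conf.getString(
                        TurbineConstants.SCREEN_HOMEPAGE));
            }
        }

        // The counter parameter comes from the client. It is only
        // honoured for non-anonymous users, and it is compared against
        // the value kept for the user on the server side.
        if (data.getParameters().containsKey(ACCESS_COUNTER_KEY)
                && !TurbineSecurity.isAnonymousUser(data.getUser())
                && isStaleSubmission(data))
        {
            String currentTemplate =
                    data.getTemplateInfo().getScreenTemplate();

            if (currentTemplate != null)
            {
                data.getUser().setTemp("prev_template",
                        currentTemplate.replace('/', ','));
                data.getTemplateInfo().setScreenTemplate(conf.getString(
                        TurbineConstants.TEMPLATE_INVALID_STATE));
            }
            else
            {
                // getScreen() may be null when no homepage screen is
                // configured; there is then nothing to remember.
                String currentScreen = data.getScreen();
                if (currentScreen != null)
                {
                    data.getUser().setTemp("prev_screen",
                            currentScreen.replace('/', ','));
                }
                data.setScreen(conf.getString(
                        TurbineConstants.SCREEN_INVALID_STATE));
            }

            // The stored parameters are client-supplied data; whatever
            // reads "prev_parameters" later must treat them as untrusted.
            data.getUser().setTemp("prev_parameters", data.getParameters());
            data.setAction("");
        }

        // When a screen template is set, clear the screen (including one
        // named in the request).
        // NOTE(review): presumably the screen is then derived from the
        // template, which is what makes the login redirect above
        // effective -- confirm against the page/template code.
        if (data.getTemplateInfo().getScreenTemplate() != null)
        {
            data.setScreen(null);
        }
    }

    /**
     * Tells whether the access counter submitted with the request is
     * older than the counter kept for the user.
     *
     * A missing or non-Integer stored counter is treated as stale: the
     * request is then diverted to the invalid-state page instead of
     * failing with a NullPointerException or ClassCastException while
     * handling a parameter the client chose to send.
     *
     * @param data Turbine information.
     * @return true if the submission must be treated as stale.
     */
    private boolean isStaleSubmission(RunData data)
    {
        Object stored = data.getUser().getTemp(ACCESS_COUNTER_KEY);

        if (!(stored instanceof Integer))
        {
            log.warn("No usable " + ACCESS_COUNTER_KEY
                    + " is stored for the user; treating the submitted"
                    + " counter as stale");
            return true;
        }

        int submitted = data.getParameters().getInt(ACCESS_COUNTER_KEY);

        // A submission may lag the stored counter by one before it
        // counts as stale.
        return submitted < ((Integer) stored).intValue() - 1;
    }
}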