001    package org.apache.turbine.modules.actions.sessionvalidator;
002    
003    /*
004     * Licensed to the Apache Software Foundation (ASF) under one
005     * or more contributor license agreements.  See the NOTICE file
006     * distributed with this work for additional information
007     * regarding copyright ownership.  The ASF licenses this file
008     * to you under the Apache License, Version 2.0 (the
009     * "License"); you may not use this file except in compliance
010     * with the License.  You may obtain a copy of the License at
011     *
012     *   http://www.apache.org/licenses/LICENSE-2.0
013     *
014     * Unless required by applicable law or agreed to in writing,
015     * software distributed under the License is distributed on an
016     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017     * KIND, either express or implied.  See the License for the
018     * specific language governing permissions and limitations
019     * under the License.
020     */
021    
022    import org.apache.commons.configuration.Configuration;
023    
024    import org.apache.commons.lang.StringUtils;
025    
026    import org.apache.commons.logging.Log;
027    import org.apache.commons.logging.LogFactory;
028    
029    import org.apache.turbine.Turbine;
030    import org.apache.turbine.TurbineConstants;
031    
032    import org.apache.turbine.pipeline.PipelineData;
033    import org.apache.turbine.services.security.TurbineSecurity;
034    
035    import org.apache.turbine.util.RunData;
036    import org.apache.turbine.util.TurbineException;
037    
038    /**
039     * The SessionValidator attempts to retrieve the User object from the
040     * Servlet API session that is associated with the request.  If the
041     * data cannot be retrieved, it is handled here.  If the user has not
042     * been marked as being logged into the system, the user is rejected
043     * and the screen is set to the screen.homepage value in
044     * TurbineResources.properties.
045     *
046     * <p>
047     *
048     * Other systems generally have a database table which stores this
049     * information, but we take advantage of the Servlet API here to save
050     * a hit to the database for each and every connection that a user
051     * makes.
052     *
053     * <p>
054     *
055     * This action is special in that it should only be executed by the
056     * Turbine servlet.
057     *
058     * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
059     * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
060     * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
061     * @version $Id: DefaultSessionValidator.java 1066518 2011-02-02 16:30:53Z ludwig $
062     */
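public class DefaultSessionValidator
    extends SessionValidator
{
    /** Logging */
    private static final Log log = LogFactory.getLog(DefaultSessionValidator.class);

    /**
     * Name used both for the request parameter and for the temporary
     * user value that hold the session access counter.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /**
     * Execute the action.  Populates the RunData object, substitutes the
     * anonymous user when the session holds none, and sends any user
     * who has not logged in to the configured login screen with the
     * action cleared.  A request without a screen gets the configured
     * homepage.  Finally, a request whose access counter lags behind
     * the counter kept for the session is sent to the invalid-state
     * screen.
     *
     * @deprecated Use PipelineData version instead.
     * @see org.apache.turbine.modules.screens.error.InvalidState
     * @param data Turbine RunData context information.
     * @throws TurbineException The anonymous user could not be obtained
     *         from the security service
     */
    @Deprecated
    @Override
    public void doPerform(RunData data)
            throws TurbineException
    {
        Configuration conf = Turbine.getConfiguration();

        // Pull user from session.
        data.populate();

        // The user may not have logged in, so create a "guest/anonymous" user.
        if (data.getUser() == null)
        {
            log.debug("Fixing up empty User Object!");
            data.setUser(TurbineSecurity.getAnonymousUser());
            data.save();
        }

        // Make sure the User has logged into the system.
        if (!data.getUser().hasLoggedIn())
        {
            // only set the message if nothing else has already set it
            // (e.g. the LogoutUser action).
            if (StringUtils.isEmpty(data.getMessage()))
            {
                data.setMessage(conf.getString(TurbineConstants.LOGIN_MESSAGE));
            }

            // set the screen to be the login page
            data.setScreen(conf.getString(TurbineConstants.SCREEN_LOGIN));

            // Clearing the action is what stops a user who is not logged
            // in from running the requested action (action.login will
            // have been performed already).
            data.setAction(null);
        }

        if (!data.hasScreen())
        {
            data.setMessage(conf.getString(
                    TurbineConstants.LOGIN_MESSAGE_NOSCREEN));
            data.setScreen(conf.getString(TurbineConstants.SCREEN_HOMEPAGE));
        }

        // See comments in screens.error.InvalidState.
        if (isRequestOutOfSync(data))
        {
            data.getUser().setTemp("prev_screen", data.getScreen());
            // NOTE(review): the stored parameters come from the client
            // request; whatever reads "prev_parameters" back should
            // treat them as untrusted input -- confirm in InvalidState.
            data.getUser().setTemp("prev_parameters", data.getParameters());
            data.setScreen(conf.getString(
                    TurbineConstants.SCREEN_INVALID_STATE));
            data.setAction("");
        }
    }

    /**
     * Execute the action.  Obtains the RunData object for the given
     * PipelineData via getRunData and delegates to
     * {@link #doPerform(RunData)}.
     *
     * @see org.apache.turbine.modules.screens.error.InvalidState
     * @param pipelineData Turbine PipelineData context information.
     * @throws TurbineException The anonymous user could not be obtained
     *         from the security service
     */
    @Override
    public void doPerform(PipelineData pipelineData)
            throws TurbineException
    {
        RunData data = getRunData(pipelineData);
        doPerform(data);
    }

    /**
     * Tells whether the access counter submitted with the request is
     * more than one step behind the counter kept for the user.
     *
     * The request parameter is supplied by the client, while the
     * temporary value may be missing, for example for an anonymous user
     * that was created for this very request.  Casting a missing or
     * non-Integer value unconditionally would let any request that
     * carries the parameter fail with a NullPointerException or
     * ClassCastException, so such a value means "nothing to compare
     * against" here.
     *
     * @param data Turbine RunData context information.
     * @return true if the request carries the counter parameter and its
     *         value is lower than the stored counter minus one.
     */
    private static boolean isRequestOutOfSync(RunData data)
    {
        if (!data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            return false;
        }

        int submitted = data.getParameters().getInt(SESSION_ACCESS_COUNTER);
        Object stored = data.getUser().getTemp(SESSION_ACCESS_COUNTER);

        if (!(stored instanceof Integer))
        {
            // Fixed message only: the submitted value is client
            // controlled and is deliberately kept out of the log.
            log.debug("No session access counter stored for the user, "
                    + "skipping the invalid state check");
            return false;
        }

        return submitted < ((Integer) stored).intValue() - 1;
    }

}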