1 package org.apache.turbine.modules.actions.sessionvalidator; 2 3 /* 4 * Licensed to the Apache Software Foundation (ASF) under one 5 * or more contributor license agreements. See the NOTICE file 6 * distributed with this work for additional information 7 * regarding copyright ownership. The ASF licenses this file 8 * to you under the Apache License, Version 2.0 (the 9 * "License"); you may not use this file except in compliance 10 * with the License. You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, 15 * software distributed under the License is distributed on an 16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 17 * KIND, either express or implied. See the License for the 18 * specific language governing permissions and limitations 19 * under the License. 20 */ 21 22 import org.apache.commons.lang.StringUtils; 23 import org.apache.commons.logging.Log; 24 import org.apache.commons.logging.LogFactory; 25 import org.apache.turbine.Turbine; 26 import org.apache.turbine.TurbineConstants; 27 import org.apache.turbine.annotation.TurbineConfiguration; 28 import org.apache.turbine.annotation.TurbineService; 29 import org.apache.turbine.om.security.User; 30 import org.apache.turbine.pipeline.PipelineData; 31 import org.apache.turbine.services.security.SecurityService; 32 import org.apache.turbine.util.RunData; 33 34 /** 35 * SessionValidator that requires login for use with Template Services 36 * like Velocity or WebMacro. 37 * 38 * <br> 39 * 40 * Templating services requires a different Session Validator 41 * because of the way it handles screens. If you use the WebMacro or 42 * Velocity Service with the {@link DefaultSessionValidator}, users will be able to 43 * bypass login by directly addressing the template using 44 * template/index.wm. This is because the Page class looks for the 45 * keyword "template" in the Path information and if it finds it will 46 * reset the screen using it's lookup mechanism and thereby bypass 47 * Login. 48 * 49 * Note that you will need to set the template.login property to the 50 * login template. 51 * 52 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a> 53 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a> 54 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a> 55 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 56 * @version $Id: TemplateSecureSessionValidator.java 1812601 2017-10-19 06:40:28Z gk $ 57 */ 58 public class TemplateSecureSessionValidator 59 extends SessionValidator 60 { 61 /** Logging */ 62 private static Log log = LogFactory.getLog( 63 TemplateSecureSessionValidator.class); 64 65 66 @TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE ) 67 private String loginMessage; 68 69 @TurbineConfiguration( TurbineConstants.TEMPLATE_LOGIN ) 70 private String templateLogin; 71 72 73 /** 74 * doPerform is virtually identical to DefaultSessionValidator 75 * except that it calls template methods instead of bare screen 76 * methods. For example, it uses <code>setScreenTemplate</code> to 77 * load the tr.props TEMPLATE_LOGIN instead of the default's 78 * setScreen to TurbineConstants.SCREEN_LOGIN. 79 * 80 * @see DefaultSessionValidator 81 * @param pipelineData Turbine information. 82 * @throws Exception The anonymous user could not be obtained 83 * from the security service 84 */ 85 @Override 86 public void doPerform(PipelineData pipelineData) 87 throws Exception 88 { 89 RunData data = getRunData(pipelineData); 90 // Pull user from session. 91 data.populate(); 92 93 // The user may have not logged in, so create a "guest/anonymous" user. 94 if (data.getUser() == null) 95 { 96 log.debug("Fixing up empty User Object!"); 97 User anonymousUser = security.getAnonymousUser(); 98 data.setUser(anonymousUser); 99 data.save(); 100 } 101 102 // This is the secure session validator, so user must be logged in. 103 if (!data.getUser().hasLoggedIn()) 104 { 105 log.debug("User is not logged in!"); 106 107 // only set the message if nothing else has already set it 108 // (e.g. the LogoutUser action). 109 if (StringUtils.isEmpty(data.getMessage())) 110 { 111 data.setMessage(loginMessage); 112 } 113 114 // Set the screen template to the login page. 115 log.debug("Sending User to the Login Screen (" 116 + templateLogin + ")"); 117 data.getTemplateInfo().setScreenTemplate(templateLogin); 118 119 // We're not doing any actions buddy! (except action.login which 120 // will have been performed already) 121 data.setAction(null); 122 } 123 124 log.debug("Login Check finished!"); 125 126 // Make sure we have some way to return a response. 127 if (!data.hasScreen() && StringUtils.isEmpty( 128 data.getTemplateInfo().getScreenTemplate())) 129 { 130 if (StringUtils.isNotEmpty(templateHomepage)) 131 { 132 data.getTemplateInfo().setScreenTemplate(templateHomepage); 133 } 134 else 135 { 136 data.setScreen(screenHomepage); 137 } 138 } else { 139 handleFormCounterToken(data, false); 140 } 141 142 // We do not want to allow both a screen and template parameter. 143 // The template parameter is dominant. 144 if (data.getTemplateInfo().getScreenTemplate() != null) 145 { 146 data.setScreen(null); 147 } 148 149 // Comply with Turbine 4.0 standards 150 pipelineData.get(Turbine.class).put(User.class, data.getUser()); 151 } 152 }