001package org.apache.turbine.modules.actions; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.commons.logging.Log; 023import org.apache.commons.logging.LogFactory; 024import org.apache.fulcrum.security.acl.AccessControlList; 025import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList; 026import org.apache.fulcrum.security.util.FulcrumSecurityException; 027import org.apache.turbine.Turbine; 028import org.apache.turbine.TurbineConstants; 029import org.apache.turbine.annotation.TurbineService; 030import org.apache.turbine.modules.Action; 031import org.apache.turbine.om.security.User; 032import org.apache.turbine.pipeline.PipelineData; 033import org.apache.turbine.services.security.SecurityService; 034import org.apache.turbine.util.RunData; 035 036/** 037 * This action doPerforms an Access Control List and places it into 038 * the RunData object, so it is easily available to modules. The ACL 039 * is also placed into the session. Modules can null out the ACL to 040 * force it to be rebuilt based on more information. 041 * 042 * <p> 043 * 044 * Turbine uses a User-Role-Permission arrangement for access control. 045 * Users are assigned Roles. Roles are assigned Permissions. Turbine 046 * modules then check the Permission required for an action or 047 * information with the set of Permissions currently associated with 048 * the session (which are dependent on the user associated with the 049 * session.) 050 * 051 * <p> 052 * 053 * The criteria for assigning Roles/Permissions is application 054 * dependent, in some cases an application may change a User's Roles 055 * during the session. To achieve flexibility, the ACL takes an 056 * Object parameter, which the application can use to doPerform the 057 * ACL. 058 * 059 * <p> 060 * 061 * This action is special in that it should only be executed by the 062 * Turbine servlet. 063 * 064 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a> 065 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a> 066 * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a> 067 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a> 068 * @version $Id: AccessController.java 1819127 2017-12-23 09:32:08Z gk $ 069 */ 070public class AccessController 071 extends Action 072{ 073 074 /** Logging */ 075 private static Log log = LogFactory.getLog(AccessController.class); 076 077 /** Injected service instance */ 078 @TurbineService 079 private SecurityService security; 080 081 /** 082 * If there is a user and the user is logged in, doPerform will 083 * set the RunData ACL. The list is first sought from the current 084 * session, otherwise it is loaded through 085 * <code>link {@link SecurityService#getACL(User)}</code> and added to the current 086 * session. 087 * 088 * @param pipelineData Turbine information. 089 * @throws FulcrumSecurityException problem with the security service. 090 */ 091 @Override 092 public void doPerform(PipelineData pipelineData) 093 throws FulcrumSecurityException 094 { 095 RunData data = getRunData(pipelineData); 096 User user = data.getUser(); 097 098 if (!security.isAnonymousUser(user) 099 && user.hasLoggedIn()) 100 { 101 log.debug("Fetching ACL for " + user.getName()); 102 AccessControlList acl = (AccessControlList) 103 data.getSession().getAttribute( 104 TurbineConstants.ACL_SESSION_KEY); 105 if (acl == null) 106 { 107 log.debug("No ACL found in Session, building fresh ACL"); 108 acl = security.getACL(user); 109 data.getSession().setAttribute( 110 TurbineConstants.ACL_SESSION_KEY, acl); 111 112 log.debug("ACL is " + acl); 113 } 114 data.setACL(acl); 115 } 116 117 // Comply with Turbine 4.0 standards 118 pipelineData.get(Turbine.class).put(TurbineAccessControlList.class, data.getACL()); 119 } 120}