View Javadoc
1   package org.apache.turbine.pipeline;
2   
3   
4   /*
5    * Licensed to the Apache Software Foundation (ASF) under one
6    * or more contributor license agreements.  See the NOTICE file
7    * distributed with this work for additional information
8    * regarding copyright ownership.  The ASF licenses this file
9    * to you under the Apache License, Version 2.0 (the
10   * "License"); you may not use this file except in compliance
11   * with the License.  You may obtain a copy of the License at
12   *
13   *   http://www.apache.org/licenses/LICENSE-2.0
14   *
15   * Unless required by applicable law or agreed to in writing,
16   * software distributed under the License is distributed on an
17   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18   * KIND, either express or implied.  See the License for the
19   * specific language governing permissions and limitations
20   * under the License.
21   */
22  
23  
24  import java.io.IOException;
25  import java.util.ArrayList;
26  import java.util.Enumeration;
27  import java.util.List;
28  
29  import javax.servlet.http.HttpSession;
30  
31  import org.apache.turbine.TurbineConstants;
32  import org.apache.turbine.annotation.TurbineConfiguration;
33  import org.apache.turbine.annotation.TurbineLoader;
34  import org.apache.turbine.modules.Action;
35  import org.apache.turbine.modules.ActionLoader;
36  import org.apache.turbine.services.velocity.VelocityService;
37  import org.apache.turbine.util.RunData;
38  import org.apache.turbine.util.TurbineException;
39  import org.apache.turbine.util.template.TemplateInfo;
40  
41  /**
42   * Handles the Login and Logout actions in the request process
43   * cycle.
44   *
45   * @author <a href="mailto:jvanzyl@apache.org">Jason van Zyl</a>
46   * @author <a href="mailto:dlr@apache.org">Daniel Rall</a>
47   * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
48   * @version $Id: DefaultLoginValve.java 1773378 2016-12-09 13:19:59Z tv $
49   */
50  public class DefaultLoginValve
51      extends AbstractValve
52  {
53      /** Injected loader instance */
54      @TurbineLoader( Action.class )
55      private ActionLoader actionLoader;
56  
57      @TurbineConfiguration( TurbineConstants.ACTION_LOGIN_KEY )
58      private String actionLogin;
59  
60      @TurbineConfiguration( TurbineConstants.ACTION_LOGOUT_KEY )
61      private String actionLogout;
62  
63      /**
64       * @see org.apache.turbine.pipeline.Valve#invoke(PipelineData, ValveContext)
65       */
66      @Override
67      public void invoke(PipelineData pipelineData, ValveContext context)
68          throws IOException, TurbineException
69      {
70          try
71          {
72              process(pipelineData);
73          }
74          catch (Exception e)
75          {
76              throw new TurbineException(e);
77          }
78  
79          // Pass control to the next Valve in the Pipeline
80          context.invokeNext(pipelineData);
81      }
82  
83      /**
84       * Handles user sessions, parsing of the action from the query
85       * string, and access control.
86       *
87       * @param pipelineData The run-time data.
88       *
89       * @throws Exception if executing the action fails
90       */
91      protected void process(PipelineData pipelineData)
92          throws Exception
93      {
94          RunData data = getRunData(pipelineData);
95          // Special case for login and logout, this must happen before the
96          // session validator is executed in order either to allow a user to
97          // even login, or to ensure that the session validator gets to
98          // mandate its page selection policy for non-logged in users
99          // after the logout has taken place.
100         String actionName = data.getAction();
101         if (data.hasAction() &&
102             actionName.equalsIgnoreCase(actionLogin) ||
103             actionName.equalsIgnoreCase(actionLogout))
104         {
105             // If a User is logging in, we should refresh the
106             // session here.  Invalidating session and starting a
107             // new session would seem to be a good method, but I
108             // (JDM) could not get this to work well (it always
109             // required the user to login twice).  Maybe related
110             // to JServ?  If we do not clear out the session, it
111             // is possible a new User may accidently (if they
112             // login incorrectly) continue on with information
113             // associated with the previous User.  Currently the
114             // only keys stored in the session are "turbine.user"
115             // and "turbine.acl".
116             if (actionName.equalsIgnoreCase(actionLogin))
117             {
118                 @SuppressWarnings("unchecked")
119                 Enumeration<String> names = data.getSession().getAttributeNames();
120                 if (names != null)
121                 {
122                     // copy keys into a new list, so we can clear the session
123                     // and not get ConcurrentModificationException
124                     List<String> nameList = new ArrayList<String>();
125                     while (names.hasMoreElements())
126                     {
127                         nameList.add(names.nextElement());
128                     }
129 
130                     HttpSession session = data.getSession();
131                     for (String name : nameList)
132                     {
133                         try
134                         {
135                             session.removeAttribute(name);
136                         }
137                         catch (IllegalStateException invalidatedSession)
138                         {
139                             break;
140                         }
141                     }
142                 }
143             }
144 
145             actionLoader.exec(pipelineData, data.getAction());
146             cleanupTemplateContext(data);
147             data.setAction(null);
148         }
149     }
150 
151     /**
152      * cleans the Velocity Context if available.
153      *
154      * @param data A RunData Object
155      */
156     private void cleanupTemplateContext(RunData data)
157     {
158         // This is Velocity specific and shouldn't be done here.
159         // But this is a band aid until we get real listeners
160         // here.
161         TemplateInfo ti = data.getTemplateInfo();
162         if (ti != null)
163         {
164             ti.removeTemp(VelocityService.CONTEXT);
165         }
166     }
167 }