001package org.apache.turbine.modules.actions;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 *   http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.commons.logging.Log;
023import org.apache.commons.logging.LogFactory;
024import org.apache.fulcrum.security.acl.AccessControlList;
025import org.apache.fulcrum.security.model.turbine.TurbineAccessControlList;
026import org.apache.fulcrum.security.util.FulcrumSecurityException;
027import org.apache.turbine.Turbine;
028import org.apache.turbine.TurbineConstants;
029import org.apache.turbine.annotation.TurbineService;
030import org.apache.turbine.modules.Action;
031import org.apache.turbine.om.security.User;
032import org.apache.turbine.pipeline.PipelineData;
033import org.apache.turbine.services.security.SecurityService;
034import org.apache.turbine.util.RunData;
035
036/**
037 * This action doPerforms an Access Control List and places it into
038 * the RunData object, so it is easily available to modules.  The ACL
039 * is also placed into the session.  Modules can null out the ACL to
040 * force it to be rebuilt based on more information.
041 *
042 * <p>
043 *
044 * Turbine uses a User-Role-Permission arrangement for access control.
045 * Users are assigned Roles.  Roles are assigned Permissions.  Turbine
046 * modules then check the Permission required for an action or
047 * information with the set of Permissions currently associated with
048 * the session (which are dependent on the user associated with the
049 * session.)
050 *
051 * <p>
052 *
053 * The criteria for assigning Roles/Permissions is application
054 * dependent, in some cases an application may change a User's Roles
055 * during the session.  To achieve flexibility, the ACL takes an
056 * Object parameter, which the application can use to doPerform the
057 * ACL.
058 *
059 * <p>
060 *
061 * This action is special in that it should only be executed by the
062 * Turbine servlet.
063 *
064 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
065 * @author <a href="mailto:bmclaugh@algx.net">Brett McLaughlin</a>
066 * @author <a href="quintonm@bellsouth.net">Quinton McCombs</a>
067 * @author <a href="mailto:peter@courcoux.biz">Peter Courcoux</a>
068 * @version $Id: AccessController.java 1819127 2017-12-23 09:32:08Z gk $
069 */
070public class AccessController
071        extends Action
072{
073
074    /** Logging */
075    private static Log log = LogFactory.getLog(AccessController.class);
076
077    /** Injected service instance */
078    @TurbineService
079    private SecurityService security;
080
081    /**
082     * If there is a user and the user is logged in, doPerform will
083     * set the RunData ACL.  The list is first sought from the current
084     * session, otherwise it is loaded through
085     * <code>link {@link SecurityService#getACL(User)}</code> and added to the current
086     * session.
087     *
088     * @param pipelineData Turbine information.
089     * @throws FulcrumSecurityException problem with the security service.
090     */
091    @Override
092    public void doPerform(PipelineData pipelineData)
093        throws FulcrumSecurityException
094    {
095        RunData data = getRunData(pipelineData);
096        User user = data.getUser();
097
098        if (!security.isAnonymousUser(user)
099            && user.hasLoggedIn())
100        {
101            log.debug("Fetching ACL for " + user.getName());
102            AccessControlList acl = (AccessControlList)
103                    data.getSession().getAttribute(
104                            TurbineConstants.ACL_SESSION_KEY);
105            if (acl == null)
106            {
107                log.debug("No ACL found in Session, building fresh ACL");
108                acl = security.getACL(user);
109                data.getSession().setAttribute(
110                        TurbineConstants.ACL_SESSION_KEY, acl);
111
112                log.debug("ACL is " + acl);
113            }
114            data.setACL(acl);
115        }
116
117        // Comply with Turbine 4.0 standards
118        pipelineData.get(Turbine.class).put(TurbineAccessControlList.class, data.getACL());
119    }
120}