1 package org.apache.turbine.modules.actions.sessionvalidator;
2
3 /* ====================================================================
4 * The Apache Software License, Version 1.1
5 *
6 * Copyright (c) 2001 The Apache Software Foundation. All rights
7 * reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. The end-user documentation included with the redistribution,
22 * if any, must include the following acknowledgment:
23 * "This product includes software developed by the
24 * Apache Software Foundation (http://www.apache.org/)."
25 * Alternately, this acknowledgment may appear in the software itself,
26 * if and wherever such third-party acknowledgments normally appear.
27 *
28 * 4. The names "Apache" and "Apache Software Foundation" and
29 * "Apache Turbine" must not be used to endorse or promote products
30 * derived from this software without prior written permission. For
31 * written permission, please contact apache@apache.org.
32 *
33 * 5. Products derived from this software may not be called "Apache",
34 * "Apache Turbine", nor may "Apache" appear in their name, without
35 * prior written permission of the Apache Software Foundation.
36 *
37 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
38 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
39 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
40 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
41 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
43 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
44 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
46 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
47 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48 * SUCH DAMAGE.
49 * ====================================================================
50 *
51 * This software consists of voluntary contributions made by many
52 * individuals on behalf of the Apache Software Foundation. For more
53 * information on the Apache Software Foundation, please see
54 * <http://www.apache.org/>.
55 */
56
57 // Turbine Classes
58 import org.apache.turbine.TurbineConstants;
59 import org.apache.turbine.util.RunData;
60 import org.apache.turbine.services.resources.TurbineResources;
61
62 /***
63 * SessionValidator that requires login for use with the WebMacroSite
64 * Service.
65 *
66 * <br>
67 *
68 * The WebMacroSite Service requires a different Session Validator
69 * because of the way it handles screens. If you use the WebMacroSite
70 * Service with the DefaultSessionValidator, users will be able to
71 * bypass login by directly addressing the template using
72 * template/index.wm. This is because WebMacroSitePage looks for the
73 * keyword "template" in the Path information and if it finds it will
74 * reset the screen using its lookup mechanism and thereby bypass
75 * Login.
76 *
77 * Note that you will need to set the template.login property to the
78 * login template.
79 *
80 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
81 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
82 * @version $Id: TemplateSecureSessionValidator.java,v 1.4 2002/03/29 15:57:04 dobbs Exp $
83 */
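public class TemplateSecureSessionValidator extends SessionValidator
{
    /**
     * Name shared by the request parameter and the user temp-storage entry
     * that carry the session access counter.
     */
    private static final String ACCESS_COUNTER_KEY = "_session_access_counter";

    /**
     * Forces a login for every request that does not carry a logged-in
     * user, then makes sure the request can be answered with some screen
     * or template.
     *
     * <p>doPerform is virtually identical to DefaultSessionValidator
     * except that it calls template methods instead of bare screen
     * methods. For example, it uses <code>setScreenTemplate</code> to
     * load the tr.props TEMPLATE_LOGIN instead of the default's
     * setScreen to TurbineConstants.SCREEN_LOGIN.
     *
     * <p>Steps, in order:
     * <ol>
     * <li>Without a logged-in user: set the login message (unless a
     *     message is already present), switch to the login template and
     *     clear the requested action.</li>
     * <li>If neither a screen nor a screen template is set: fall back to
     *     the homepage template, or to the homepage screen when no
     *     homepage template is configured.</li>
     * <li>Otherwise, if the request carries a
     *     <code>_session_access_counter</code> parameter that is lower
     *     than the stored counter minus one: remember the requested
     *     template/screen and parameters in the user's temp storage and
     *     switch to the invalid-state template/screen.</li>
     * <li>If a screen template is set, drop the screen so that the
     *     template is dominant.</li>
     * </ol>
     *
     * @see DefaultSessionValidator
     * @param data Turbine information.
     * @exception Exception a generic exception.
     */
    public void doPerform( RunData data ) throws Exception
    {
        /*
         * Pull user from session.
         */
        data.populate();

        /*
         * This is the secure sessionvalidator, so user must be logged in.
         */
        if ( (data.getUser() == null) || (! data.getUser().hasLoggedIn()) )
        {
            /*
             * Only set the message if nothing else has already set it
             * (e.g. the LogoutUser action).
             */
            if (data.getMessage() == null)
            {
                data.setMessage(TurbineResources.getString(
                    TurbineConstants.LOGIN_MESSAGE));
            }

            /*
             * Set the screen template to the login page.
             */
            String loginTemplate = TurbineResources.getString(
                TurbineConstants.TEMPLATE_LOGIN);

            if (loginTemplate != null)
            {
                data.getTemplateInfo().setScreenTemplate(loginTemplate);
            }
            else
            {
                /*
                 * template.login is not configured. Passing null on to
                 * setScreenTemplate() would leave a screen requested by
                 * the client in place, so the request would be served
                 * without a login. Drop the requested template and
                 * replace the requested screen with the login screen
                 * instead.
                 * NOTE(review): the class documentation says a screen
                 * alone can be overridden by a template named in the
                 * path, so this fallback is only a safety net;
                 * template.login should always be set.
                 */
                data.getTemplateInfo().setScreenTemplate(null);
                data.setScreen(TurbineResources.getString(
                    TurbineConstants.SCREEN_LOGIN));
            }

            /*
             * We're not doing any actions buddy! (except action.login which
             * will have been performed already)
             */
            data.setAction(null);
        }

        /*
         * Make sure we have some way to return a response.
         */
        if ( !data.hasScreen() &&
             data.getTemplateInfo().getScreenTemplate() == null )
        {
            String template = TurbineResources.getString(
                TurbineConstants.TEMPLATE_HOMEPAGE);

            if (template != null)
            {
                data.getTemplateInfo().setScreenTemplate(template);
            }
            else
            {
                data.setScreen(TurbineResources.getString(
                    TurbineConstants.SCREEN_HOMEPAGE));
            }
        }

        /*
         * The session_access_counter can be placed as a hidden field in
         * forms. This can be used to prevent a user from using the
         * browsers back button and submitting stale data.
         * FIXME!! a template needs to be written to use this with templates.
         */
        else if ( data.getParameters().containsKey(ACCESS_COUNTER_KEY) )
        {
            /*
             * The parameter is supplied by the client and this branch is
             * also reached for requests without a logged-in user. The
             * user may be null (see the check above) and may hold no
             * counter, so look the stored value up defensively instead
             * of dereferencing and casting it blindly.
             */
            Object storedCounter = (data.getUser() == null)
                ? null
                : data.getUser().getTemp(ACCESS_COUNTER_KEY);

            /*
             * See comments in screens.error.InvalidState.
             */
            if ( storedCounter instanceof Integer &&
                 data.getParameters().getInt(ACCESS_COUNTER_KEY) <
                 (((Integer) storedCounter).intValue() - 1) )
            {
                if (data.getTemplateInfo().getScreenTemplate() != null)
                {
                    data.getUser().setTemp( "prev_template",
                        data.getTemplateInfo().getScreenTemplate() );
                    data.getTemplateInfo().setScreenTemplate(
                        TurbineResources.getString(
                            TurbineConstants.TEMPLATE_INVALID_STATE) );
                }
                else
                {
                    data.getUser().setTemp( "prev_screen",
                        data.getScreen().replace('/', ',') );
                    data.setScreen( TurbineResources.getString(
                        TurbineConstants.SCREEN_INVALID_STATE) );
                }

                /*
                 * The complete parameter set of the stale request is kept
                 * in the user's temp storage.
                 * NOTE(review): this can include submitted form fields;
                 * confirm how screens.error.InvalidState consumes them.
                 */
                data.getUser()
                    .setTemp( "prev_parameters", data.getParameters() );
                data.setAction( "" );
            }
        }

        /*
         * We do not want to allow both a screen and template parameter.
         * The template parameter is dominant.
         */
        if ( data.getTemplateInfo().getScreenTemplate() != null )
        {
            data.setScreen(null);
        }
    }
}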