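package org.apache.turbine.modules.actions.sessionvalidator;

/* ====================================================================
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2001 The Apache Software Foundation. All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowledgment may appear in the software itself,
 *    if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Apache" and "Apache Software Foundation" and
 *    "Apache Turbine" must not be used to endorse or promote products
 *    derived from this software without prior written permission. For
 *    written permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache",
 *    "Apache Turbine", nor may "Apache" appear in their name, without
 *    prior written permission of the Apache Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation. For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 */

// Turbine Classes
import org.apache.turbine.TurbineConstants;
import org.apache.turbine.util.RunData;
import org.apache.turbine.services.resources.TurbineResources;

/**
 * SessionValidator that requires login for use with the WebMacroSite
 * Service.
 *
 * <br>
 *
 * The WebMacroSite Service requires a different Session Validator
 * because of the way it handles screens. If you use the WebMacroSite
 * Service with the DefaultSessionValidator, users will be able to
 * bypass login by directly addressing the template using
 * template/index.wm. This is because WebMacroSitePage looks for the
 * keyword "template" in the Path information and if it finds it will
 * reset the screen using its lookup mechanism and thereby bypass
 * Login.
 *
 * <br>
 *
 * Note that you will need to set the template.login property to the
 * login template. This validator is the login gate, so it fails
 * closed: when that property resolves to <code>null</code>, an
 * unauthenticated request is rejected with an exception instead of
 * being left on the screen or template it asked for.
 *
 * @author <a href="mailto:john.mcnally@clearink.com">John D. McNally</a>
 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
 * @version $Id: TemplateSecureSessionValidator.java,v 1.4 2002/03/29 15:57:04 dobbs Exp $
 */
public class TemplateSecureSessionValidator extends SessionValidator
{
    /** Request parameter / user temp key holding the session access counter. */
    private static final String ACCESS_COUNTER_KEY = "_session_access_counter";

    /**
     * doPerform is virtually identical to DefaultSessionValidator
     * except that it calls template methods instead of bare screen
     * methods. For example, it uses <code>setScreenTemplate</code> to
     * load the tr.props TEMPLATE_LOGIN instead of the default's
     * setScreen to TurbineConstants.SCREEN_LOGIN.
     *
     * <p>Steps, in order: populate the user from the session; force
     * the login template and drop the requested action when the user
     * is absent or not logged in; fall back to the home page when the
     * request names neither a screen nor a template; otherwise, if the
     * request carries <code>_session_access_counter</code>, compare it
     * with the counter stored on the user and switch to the
     * invalid-state template or screen when the submitted value is
     * stale; finally clear the screen whenever a screen template is
     * set, because the template is dominant.
     *
     * @see DefaultSessionValidator
     * @param data Turbine information.
     * @exception Exception if the user is not logged in and no login
     *            template is configured, or if an underlying Turbine
     *            call fails.
     */
    public void doPerform( RunData data ) throws Exception
    {
        /*
         * Pull user from session.
         */
        data.populate();

        /*
         * This is the secure sessionvalidator, so user must be logged in.
         */
        if ( (data.getUser() == null) || (! data.getUser().hasLoggedIn()) )
        {
            /*
             * Only set the message if nothing else has already set it
             * (e.g. the LogoutUser action).
             */
            if (data.getMessage() == null)
            {
                data.setMessage(TurbineResources.getString(
                    TurbineConstants.LOGIN_MESSAGE));
            }

            /*
             * We're not doing any actions buddy! (except action.login which
             * will have been performed already)
             */
            data.setAction(null);

            /*
             * Fail closed when the login template is not configured.
             * Setting a null screen template would leave the screen the
             * client asked for untouched (or fall through to the home
             * page below), so an unauthenticated request would not be
             * sent to the login page at all.
             */
            String loginTemplate =
                TurbineResources.getString(TurbineConstants.TEMPLATE_LOGIN);
            if (loginTemplate == null)
            {
                throw new Exception(
                    "TemplateSecureSessionValidator: property '"
                    + TurbineConstants.TEMPLATE_LOGIN
                    + "' is not set; cannot route an unauthenticated"
                    + " request to the login template");
            }

            /*
             * Set the screen template to the login page.
             */
            data.getTemplateInfo().setScreenTemplate(loginTemplate);
        }

        /*
         * Make sure we have some way to return a response.
         */
        if ( !data.hasScreen() &&
             data.getTemplateInfo().getScreenTemplate() == null )
        {
            String template = TurbineResources.getString(
                TurbineConstants.TEMPLATE_HOMEPAGE);

            if (template != null)
            {
                data.getTemplateInfo().setScreenTemplate(template);
            }
            else
            {
                data.setScreen(TurbineResources.getString(
                    TurbineConstants.SCREEN_HOMEPAGE));
            }
        }

        /*
         * The session_access_counter can be placed as a hidden field in
         * forms. This can be used to prevent a user from using the
         * browsers back button and submitting stale data.
         * FIXME!! a template needs to be written to use this with templates.
         */
        else if ( data.getParameters().containsKey(ACCESS_COUNTER_KEY) )
        {
            /*
             * The parameter is client-supplied, so it can arrive on a
             * request that has no user object or whose user carries no
             * counter yet. Read the server-side value defensively
             * instead of dereferencing and casting it blindly; when it
             * is missing there is nothing to compare against and the
             * stale-data check is skipped.
             */
            Object storedCounter = null;
            if (data.getUser() != null)
            {
                storedCounter = data.getUser().getTemp(ACCESS_COUNTER_KEY);
            }

            /*
             * See comments in screens.error.InvalidState.
             */
            if ( (storedCounter instanceof Integer) &&
                 data.getParameters().getInt(ACCESS_COUNTER_KEY) <
                 (((Integer) storedCounter).intValue() - 1) )
            {
                if (data.getTemplateInfo().getScreenTemplate() != null)
                {
                    data.getUser().setTemp( "prev_template",
                        data.getTemplateInfo().getScreenTemplate() );
                    data.getTemplateInfo().setScreenTemplate(
                        TurbineResources.getString(
                            TurbineConstants.TEMPLATE_INVALID_STATE) );
                }
                else
                {
                    data.getUser().setTemp( "prev_screen",
                        data.getScreen().replace('/', ',') );
                    data.setScreen( TurbineResources.getString(
                        TurbineConstants.SCREEN_INVALID_STATE) );
                }
                data.getUser()
                    .setTemp( "prev_parameters", data.getParameters() );
                data.setAction( "" );
            }
        }

        /*
         * We do not want to allow both a screen and template parameter.
         * The template parameter is dominant.
         */
        if ( data.getTemplateInfo().getScreenTemplate() != null )
        {
            data.setScreen(null);
        }
    }
}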
