1 | package org.apache.turbine.modules.actions.sessionvalidator; | |
2 | ||
3 | import org.apache.turbine.TurbineConstants; | |
4 | import org.apache.turbine.annotation.TurbineConfiguration; | |
5 | import org.apache.turbine.annotation.TurbineService; | |
6 | ||
7 | /* | |
8 | * Licensed to the Apache Software Foundation (ASF) under one | |
9 | * or more contributor license agreements. See the NOTICE file | |
10 | * distributed with this work for additional information | |
11 | * regarding copyright ownership. The ASF licenses this file | |
12 | * to you under the Apache License, Version 2.0 (the | |
13 | * "License"); you may not use this file except in compliance | |
14 | * with the License. You may obtain a copy of the License at | |
15 | * | |
16 | * http://www.apache.org/licenses/LICENSE-2.0 | |
17 | * | |
18 | * Unless required by applicable law or agreed to in writing, | |
19 | * software distributed under the License is distributed on an | |
20 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
21 | * KIND, either express or implied. See the License for the | |
22 | * specific language governing permissions and limitations | |
23 | * under the License. | |
24 | */ | |
25 | ||
26 | import org.apache.turbine.modules.Action; | |
27 | import org.apache.turbine.services.security.SecurityService; | |
28 | import org.apache.turbine.util.RunData; | |
29 | ||
30 | /** | |
31 | * The SessionValidator attempts to retrieve the User object from the | |
32 | * Servlet API session that is associated with the request. If the | |
33 | * data cannot be retrieved, it is handled here. If the user has not | |
34 | * been marked as being logged into the system, the user is rejected | |
35 | * and the screen is set to the screen.homepage value in | |
36 | * TurbineResources.properties. | |
37 | * | |
38 | * <p> | |
39 | * Other systems generally have a database table which stores this | |
40 | * information, but we take advantage of the Servlet API here to save | |
41 | * a hit to the database for each and every connection that a user | |
42 | * makes. | |
43 | * </p> | |
44 | * | |
45 | * <p> | |
46 | * This action is special in that it should only be executed by the | |
47 | * Turbine servlet. | |
48 | * </p> | |
49 | * | |
50 | * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a> | |
51 | * @version $Id: SessionValidator.java 1854786 2019-03-04 18:29:18Z tv $ | |
52 | */ | |
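public abstract class SessionValidator implements Action
{
    /**
     * Name of both the request parameter and the user's temporary session
     * attribute that carry the form access counter.
     */
    private static final String SESSION_ACCESS_COUNTER = "_session_access_counter";

    /** Security service, used here to tell anonymous users from logged-in ones. */
    @TurbineService
    protected SecurityService security;

    /** Value of the {@code TurbineConstants.TEMPLATE_HOMEPAGE} configuration key (for subclasses; unused here). */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
    protected String templateHomepage;

    /** Value of the {@code TurbineConstants.SCREEN_HOMEPAGE} configuration key (for subclasses; unused here). */
    @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
    protected String screenHomepage;

    /** Template shown instead of the requested one when a stale form submission is detected. */
    @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
    protected String templateInvalidState;

    /** Screen shown instead of the requested one when a stale form submission is detected. */
    @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
    protected String screenInvalidState;

    /**
     * Detects stale form submissions through the {@code _session_access_counter} token.
     *
     * <p>The counter can be placed as a hidden field in forms. When the submitted
     * value lags the counter kept in the user's temporary session storage by more
     * than one, the request is treated as stale (typically a re-submit via the
     * browser's back button): the previous screen or template and the submitted
     * parameters are saved in the user's temporary storage, the target is switched
     * to the configured invalid-state screen or template, and the action is cleared
     * so that it does not run.</p>
     *
     * <p>Nothing happens when the request carries no counter parameter, or when the
     * session holds no {@code Integer} counter to compare against.</p>
     *
     * <p>NOTE(review): the counter appears to be a plain sequence number rather than a
     * secret; treat this as a staleness check only, not as a CSRF or replay defence.</p>
     *
     * @param data RunData object of the current request
     * @param screenOnly {@code true} to redirect via screens only, regardless of the
     *        user's login state (see {@link DefaultSessionValidator});
     *        {@code false} to prefer the screen template when one is set, in which
     *        case only non-anonymous users are checked
     */
    protected void handleFormCounterToken( RunData data, boolean screenOnly )
    {
        if (!data.getParameters().containsKey(SESSION_ACCESS_COUNTER))
        {
            return;
        }

        if (screenOnly)
        {
            // See comments in screens.error.InvalidState.
            if (isStaleSubmission(data))
            {
                // NOTE(review): unlike the template branch below, the screen name is
                // stored without the '/' -> ',' replacement; confirm this is intended.
                data.getUser().setTemp("prev_screen", data.getScreen());
                data.getUser().setTemp("prev_parameters", data.getParameters());
                data.setScreen(screenInvalidState);
                data.setAction("");
            }
        }
        else if (!security.isAnonymousUser(data.getUser()))
        {
            // See comments in screens.error.InvalidState.
            if (isStaleSubmission(data))
            {
                if (data.getTemplateInfo().getScreenTemplate() != null)
                {
                    data.getUser().setTemp("prev_template",
                            data.getTemplateInfo().getScreenTemplate().replace('/', ','));
                    data.getTemplateInfo().setScreenTemplate(templateInvalidState);
                }
                else
                {
                    data.getUser().setTemp("prev_screen",
                            data.getScreen().replace('/', ','));
                    data.setScreen(screenInvalidState);
                }
                data.getUser().setTemp("prev_parameters", data.getParameters());
                data.setAction("");
            }
        }
    }

    /**
     * Compares the counter submitted with the request against the one kept in the
     * user's temporary session storage.
     *
     * <p>A submission is stale when the submitted value is smaller than the stored
     * counter minus one. If the session holds no {@code Integer} counter (not yet set,
     * or of an unexpected type) the submission cannot be judged and is reported as not
     * stale; the previous implementation threw a {@code NullPointerException} in that
     * case.</p>
     *
     * @param data RunData object of the current request; the counter parameter is
     *        expected to be present
     * @return {@code true} if the submitted counter lags the stored one by more than one
     */
    private boolean isStaleSubmission( RunData data )
    {
        Object stored = data.getUser().getTemp(SESSION_ACCESS_COUNTER);
        if (!(stored instanceof Integer))
        {
            return false;
        }
        // The parameter is client-supplied; getInt() is relied upon to yield an int
        // for unparsable input rather than throwing (behaviour of the original code).
        int submitted = data.getParameters().getInt(SESSION_ACCESS_COUNTER);
        return submitted < ((Integer) stored).intValue() - 1;
    }
}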