
Source Code of org.apache.struts.chain.AbstractAuthorizeAction

/*
* Copyright 2003,2004 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*      http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.apache.struts.chain;


import org.apache.commons.chain.Command;
import org.apache.commons.chain.Context;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts.action.ActionServlet;
import org.apache.struts.config.ActionConfig;
import org.apache.struts.util.MessageResources;


/**
* <p>Determine whether the requested action is authorized for the current
* user.  If not, abort chain processing and, preferably, return an error
* message of some kind.</p>
*
* @author Don Brown
* @version $Rev: 54933 $ $Date: 2004-10-16 18:04:52 +0100 (Sat, 16 Oct 2004) $
*/

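public abstract class AbstractAuthorizeAction implements Command {


    // ------------------------------------------------------ Instance Variables


    // Context attribute keys used to look up the selected ActionConfig and
    // the ActionServlet; both start out as the values defined in Constants.
    private String actionConfigKey = Constants.ACTION_CONFIG_KEY;
    private String actionServletKey = Constants.ACTION_SERVLET_KEY;

    private static final Log log =
        LogFactory.getLog(AbstractAuthorizeAction.class);


    // -------------------------------------------------------------- Properties


    /**
     * <p>Return the context attribute key under which the
     * <code>ActionConfig</code> for the currently selected application
     * action is stored.</p>
     *
     * @return The context attribute key for the <code>ActionConfig</code>
     */
    public String getActionConfigKey() {

        return this.actionConfigKey;

    }


    /**
     * <p>Set the context attribute key under which the
     * <code>ActionConfig</code> for the currently selected application
     * action is stored.</p>
     *
     * @param actionConfigKey The new context attribute key
     */
    public void setActionConfigKey(String actionConfigKey) {

        this.actionConfigKey = actionConfigKey;

    }


    /**
     * <p>Return the context attribute key under which the
     * <code>ActionServlet</code> for the currently selected application
     * action is stored.</p>
     *
     * @return The context attribute key for the <code>ActionServlet</code>
     */
    public String getActionServletKey() {

        return this.actionServletKey;

    }


    /**
     * <p>Set the context attribute key under which the
     * <code>ActionServlet</code> for the currently selected application
     * action is stored.</p>
     *
     * @param actionServletKey The new context attribute key
     */
    public void setActionServletKey(String actionServletKey) {

        this.actionServletKey = actionServletKey;

    }


    // ---------------------------------------------------------- Public Methods


    /**
     * <p>Determine whether the requested action is authorized for the current
     * user.  An action that declares no role names is treated as unprotected
     * and the chain continues.  For a protected action the decision is
     * delegated to {@link #isAuthorized}; a <code>false</code> result, or any
     * exception raised while deciding, is treated as a denial, so a failing
     * check never lets the request through.</p>
     *
     * @param context The <code>Context</code> for the current request
     *
     * @return <code>false</code> so that chain processing continues.  This
     * method never returns <code>true</code>; a denial is reported by
     * throwing instead.
     *
     * @exception UnauthorizedActionException if the user is not authorized
     * for the selected action, or the authorization check itself failed
     * @exception IllegalStateException if no <code>ActionConfig</code> is
     * stored under the configured context key
     */
    public boolean execute(Context context) throws Exception {

        // Retrieve ActionConfig
        String configKey = getActionConfigKey();
        ActionConfig actionConfig = (ActionConfig) context.get(configKey);
        if (actionConfig == null) {
            // Without a selected action there are no role requirements to
            // evaluate.  Stop with an explicit error rather than a bare
            // NullPointerException; processing is aborted either way.
            throw new IllegalStateException(
                "No ActionConfig found under context key '" + configKey + "'");
        }

        // Is this action protected by role requirements?
        String[] roles = actionConfig.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return false;
        }

        boolean denied;
        try {
            denied = !isAuthorized(context, roles, actionConfig);
        } catch (Exception ex) {
            // Fail closed: an authorization check that cannot complete is
            // handled exactly like an explicit denial.
            denied = true;
            log.error("Unable to complete authorization process", ex);
        }

        if (!denied) {
            return false;
        }

        // The current user is not authorized for this action
        throw new UnauthorizedActionException(
            notAuthorizedMessage(context, actionConfig));

    }


    // ------------------------------------------------------- Protected Methods


    /**
     * <p>Determine if the action is authorized for the given roles.</p>
     *
     * @param context        The <code>Context</code> for the current request
     * @param roles          An array of valid roles for this request
     * @param actionConfig   The current action mapping
     *
     * @return <code>true</code> if the request is authorized, else
     * <code>false</code>
     * @exception Exception If the action cannot be tested for authorization;
     * <code>execute</code> logs it and treats the request as not authorized
     */
    protected abstract boolean isAuthorized(Context context, String[] roles,
                                            ActionConfig actionConfig)
              throws Exception;


    // --------------------------------------------------------- Private Methods


    /**
     * <p>Build the message carried by the denial exception.  The text comes
     * from the servlet's internal message resources when they are available.
     * If the servlet or its resources are missing from the context, a plain
     * fallback is used so that the denial still surfaces as an
     * <code>UnauthorizedActionException</code> instead of a
     * <code>NullPointerException</code>.</p>
     *
     * @param context        The <code>Context</code> for the current request
     * @param actionConfig   The action mapping that was denied
     *
     * @return The message text for the denial
     */
    private String notAuthorizedMessage(Context context,
                                        ActionConfig actionConfig) {

        // Go through the getter, as execute() does for the ActionConfig key,
        // so that both lookups honour the same configuration.
        ActionServlet servlet =
            (ActionServlet) context.get(getActionServletKey());
        MessageResources resources =
            (servlet == null) ? null : servlet.getInternal();

        if (resources == null) {
            return "Not authorized for action " + actionConfig.getPath();
        }
        return resources.getMessage("notAuthorized", actionConfig.getPath());

    }

}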