/*
* Copyright (c) 2003-2011, Simon Brown
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* - Neither the name of Pebble nor the names of its contributors may
* be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package net.sourceforge.pebble.web.controller;
import net.sourceforge.pebble.Constants;
import net.sourceforge.pebble.domain.AbstractBlog;
import net.sourceforge.pebble.domain.Blog;
import net.sourceforge.pebble.domain.MultiBlog;
import net.sourceforge.pebble.util.SecurityUtils;
import net.sourceforge.pebble.web.action.Action;
import net.sourceforge.pebble.web.action.ActionFactory;
import net.sourceforge.pebble.web.action.ActionNotFoundException;
import net.sourceforge.pebble.web.action.SecureAction;
import net.sourceforge.pebble.web.model.Model;
import net.sourceforge.pebble.web.security.SecurityTokenValidator;
import net.sourceforge.pebble.web.view.View;
import net.sourceforge.pebble.web.view.impl.MultiBlogNotSupportedView;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.inject.Inject;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;
/**
* An implementation of the front controller pattern, using the command
* and controller strategy.
*
* @author Simon Brown
*/
public class DefaultHttpController implements HttpController {
private static final Log log = LogFactory.getLog(DefaultHttpController.class);
/**
* a reference to the factory used to create Action instances
*/
private ActionFactory actionFactory;
/**
* the extension used to refer to actions
*/
private String actionExtension = ".action";
/**
* The security token validator
*/
@Inject
private SecurityTokenValidator securityTokenValidator;
/**
* Processes the request - this is delegated to from doGet and doPost.
*
* @param request the HttpServletRequest instance
* @param response the HttpServletResponse instance
* @throws ServletException if an error occured
* @throws IOException if an error occured writing/reading the response/request
*/
public void processRequest(HttpServletRequest request,
HttpServletResponse response,
ServletContext servletContext)
throws ServletException, IOException {
AbstractBlog blog = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);
// find which action should be used
String actionName = request.getRequestURI();
if (actionName.indexOf("?") > -1) {
// strip of the query string - some servers leave this on
actionName = actionName.substring(0, actionName.indexOf("?"));
}
int index = actionName.lastIndexOf("/");
actionName = actionName.substring(index + 1, (actionName.length() - actionExtension.length()));
Action action;
try {
log.debug("Action is " + actionName);
action = actionFactory.getAction(actionName);
} catch (ActionNotFoundException anfe) {
log.warn(anfe.getMessage());
response.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
}
boolean authorised = isAuthorised(request, action);
if (!authorised) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
} else {
boolean validated = securityTokenValidator.validateSecurityToken(request, response, action);
if (!validated) {
// Forward to no security url
request.getRequestDispatcher("/noSecurityToken.action").forward(request, response);
} else {
try {
Model model = new Model();
model.put(Constants.BLOG_KEY, blog);
model.put(Constants.BLOG_URL, blog.getUrl());
action.setModel(model);
View view;
try {
view = action.process(request, response);
} catch (ClassCastException cce) {
// PEBBLE-45 Actions intended for single blog mode should fail nicely. This is a simple method that will
// allow has to handle all actions with minimal effort
if (cce.getMessage().contains(MultiBlog.class.getName()) && cce.getMessage().contains(Blog.class.getName())) {
view = new MultiBlogNotSupportedView();
} else {
throw cce;
}
}
if (view != null) {
view.setModel(model);
view.setServletContext(servletContext);
view.prepare();
for (Object key : model.keySet()) {
request.setAttribute(key.toString(), model.get(key.toString()));
}
response.setContentType(view.getContentType());
view.dispatch(request, response, servletContext);
}
} catch (Exception e) {
request.setAttribute("exception", e);
throw new ServletException(e);
}
}
}
}
private boolean isAuthorised(HttpServletRequest request, Action action) {
if (action instanceof SecureAction) {
SecureAction secureAction = (SecureAction) action;
return isUserInRole(request, secureAction);
} else {
return true;
}
}
/**
* Determines whether the current user in one of the roles specified
* by the secure action.
*
* @param request the HttpServletRequest
* @param action the SecureAction to check against
* @return true if the user is in one of the roles, false otherwise
*/
private boolean isUserInRole(HttpServletRequest request, SecureAction action) {
AbstractBlog ab = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);
String currentUser = SecurityUtils.getUsername();
String roles[] = action.getRoles(request);
for (String role : roles) {
if (role.equals(Constants.ANY_ROLE)) {
return true;
} else if (SecurityUtils.isUserInRole(role)) {
if (ab instanceof Blog) {
Blog blog = (Blog) ab;
if (blog.isUserInRole(role, currentUser)) {
return true;
}
} else {
return true;
}
}
}
return false;
}
public void setActionFactory(ActionFactory actionFactory) {
this.actionFactory = actionFactory;
}
public void setActionExtension(String actionExtension) {
this.actionExtension = actionExtension;
}
}