/*
* Copyright 2002-2007 the original author or authors.
*
* Licensed under the Apache license, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.internna.iwebmvc.security;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.internna.iwebmvc.dao.SecurityDAO;
import org.internna.iwebmvc.model.User;
import org.internna.iwebmvc.model.security.GuestUser;
import org.internna.iwebmvc.spring.util.RequestContextUtils;
import org.internna.iwebmvc.spring.util.TransientFieldsInjector;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.web.util.WebUtils;
/**
 * Gets the active {@link org.internna.iwebmvc.model.User} from the session.
 * <p>
 * The resolved user is cached in the HTTP session under {@code SESSION_USER}. It is only re-resolved from the
 * Spring Security context while the cached value is a {@link GuestUser}; once a domain user has been cached it
 * is returned unchanged until {@link #refresh()} is called. Code that changes the authenticated principal in
 * an existing session (logout, re-login as a different user) must therefore call {@code refresh()}, or the
 * previous identity keeps being returned.
 *
 * @author Jose Noheda
 * @since 1.0
 */
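public final class SessionUserManager implements UserManager, Serializable {

    private static final long serialVersionUID = -5713250363563319024L;

    private static final Log logger = LogFactory.getLog(SessionUserManager.class);

    /**
     * Looks up the domain {@link User} for an authenticated principal. It is {@code transient} because the
     * DAO is not serialized with this manager; {@link #readObject} re-injects it after deserialization.
     */
    protected transient SecurityDAO securityDAO;

    @Required public final void setSecurityDAO(SecurityDAO securityDAO) {
        this.securityDAO = securityDAO;
    }

    /**
     * Clears the cached user of the active request's session so the next lookup resolves it again.
     * Does nothing when there is no active request.
     */
    @Override public void refresh() {
        refresh(RequestContextUtils.getActiveRequest());
    }

    /**
     * Clears the cached user of the given request's session and replaces it with a {@link GuestUser}, so the
     * next {@link #getActiveUser(HttpServletRequest)} call resolves the user again from the security context.
     * Must be called whenever the authenticated principal changes within an existing session (logout,
     * re-login as someone else); otherwise the previously cached user keeps being returned.
     *
     * @param request the request whose session is cleared; ignored when {@code null}
     */
    @Override public void refresh(final HttpServletRequest request) {
        if (request == null) {
            return;
        }
        WebUtils.setSessionAttribute(request, SESSION_USER, null);
        setAnonymousUser(request);
    }

    /**
     * Get the {@link org.internna.iwebmvc.model.User} of the current request.
     *
     * @return the user of the active request, or a {@link GuestUser} when no user can be resolved
     */
    @Override public final User getActiveUser() {
        return getUser(RequestContextUtils.getActiveRequest());
    }

    /**
     * Get the {@link org.internna.iwebmvc.model.User} of the given request.
     *
     * @param request the request to resolve the user for; the active request is used when {@code null}
     * @return the user of the request, or a {@link GuestUser} when no user can be resolved
     */
    @Override
    public final User getActiveUser(final HttpServletRequest request) {
        return getUser(request == null ? RequestContextUtils.getActiveRequest() : request);
    }

    /**
     * Resolves the user for {@code request}, caching the result in the session under {@code SESSION_USER}.
     * <p>
     * Resolution order:
     * <ol>
     * <li>No request: a {@link GuestUser} is returned and nothing is cached.</li>
     * <li>No cached user: a {@link GuestUser} is cached and returned.</li>
     * <li>A cached {@link GuestUser} and a {@link UserDetails} principal in the
     * {@link SecurityContextHolder}: the domain user is loaded through {@link #securityDAO}, cached and
     * returned.</li>
     * <li>Anything else: the cached user is returned as-is.</li>
     * </ol>
     * Only a cached guest triggers a lookup: a cached domain user is never re-checked against the security
     * context, so callers must {@link #refresh(HttpServletRequest)} after the principal changes.
     *
     * @param request the request whose session is consulted; may be {@code null}
     * @return the resolved user, never {@code null}
     * @throws IllegalStateException if a lookup is required but the {@link SecurityDAO} is missing (for
     * example after a failed re-injection in {@link #readObject})
     */
    protected User getUser(HttpServletRequest request) {
        if (request == null) {
            // Nothing to read or cache; answer with a guest instead of failing inside WebUtils.
            return setAnonymousUser(null);
        }
        User user = (User) WebUtils.getSessionAttribute(request, SESSION_USER);
        if (user == null) {
            return setAnonymousUser(request);
        }
        if (!(user instanceof GuestUser)) {
            return user;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof UserDetails)) {
            return user;
        }
        if (securityDAO == null) {
            throw new IllegalStateException("SecurityDAO is not available; cannot resolve the domain user");
        }
        String username = ((UserDetails) auth.getPrincipal()).getUsername();
        User domainUser = securityDAO.findUser(username);
        if (domainUser == null) {
            // NOTE(review): whether findUser() signals an unknown principal with null is not visible here; if it
            // does, keep the guest rather than caching null (which would NPE below and leave the session broken).
            logger.warn("No domain user found for authenticated principal [" + username + "]; keeping guest user");
            return user;
        }
        if (logger.isDebugEnabled()) logger.debug("Setting domain user [" + domainUser.getName() + "] in session");
        WebUtils.setSessionAttribute(request, SESSION_USER, domainUser);
        return domainUser;
    }

    /**
     * Stores a fresh {@link GuestUser} in the session (when there is a request) and returns it.
     *
     * @param request the request whose session receives the guest; when {@code null} nothing is cached
     * @return the new guest user
     */
    private User setAnonymousUser(HttpServletRequest request) {
        User guest = new GuestUser();
        if (request != null) {
            WebUtils.setSessionAttribute(request, SESSION_USER, guest);
        }
        return guest;
    }

    /**
     * Restores the transient {@link #securityDAO} after Java deserialization (presumably when this manager is
     * read back together with a persisted or replicated HTTP session — not visible here).
     * <p>
     * This hook does no validation of its own; it runs on whatever stream the container feeds it, so the
     * session store it reads from has to be trusted. Injection failures are logged with their cause but not
     * rethrown, so that deserialization does not fail; a later lookup then throws
     * {@link IllegalStateException} from {@link #getUser}.
     *
     * @param in the stream being read
     * @throws IOException if the default deserialization fails
     * @throws ClassNotFoundException if a class of a serialized field cannot be found
     */
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        try {
            TransientFieldsInjector.inject(this, "securityDAO");
        } catch (Exception ex) {
            // Keep the stack trace: a bare message hides why the DAO could not be re-injected.
            logger.warn("SessionUserManager was not correctly deserialized. User management may fail unexpectedly!", ex);
        }
    }
}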