Coverage Report - net.sourceforge.pebble.web.controller.DefaultHttpController
 
Classes in this File Line Coverage Branch Coverage Complexity
DefaultHttpController
0%
0/67
0%
0/26
5.6
 
 1  
 /*
 2  
  * Copyright (c) 2003-2011, Simon Brown
 3  
  * All rights reserved.
 4  
  *
 5  
  * Redistribution and use in source and binary forms, with or without
 6  
  * modification, are permitted provided that the following conditions are met:
 7  
  *
 8  
  *   - Redistributions of source code must retain the above copyright
 9  
  *     notice, this list of conditions and the following disclaimer.
 10  
  *
 11  
  *   - Redistributions in binary form must reproduce the above copyright
 12  
  *     notice, this list of conditions and the following disclaimer in
 13  
  *     the documentation and/or other materials provided with the
 14  
  *     distribution.
 15  
  *
 16  
  *   - Neither the name of Pebble nor the names of its contributors may
 17  
  *     be used to endorse or promote products derived from this software
 18  
  *     without specific prior written permission.
 19  
  *
 20  
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 21  
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 22  
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 23  
  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 24  
  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 25  
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 26  
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 27  
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 28  
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 29  
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 30  
  * POSSIBILITY OF SUCH DAMAGE.
 31  
  */
 32  
 package net.sourceforge.pebble.web.controller;
 33  
 
 34  
 import net.sourceforge.pebble.Constants;
 35  
 import net.sourceforge.pebble.domain.AbstractBlog;
 36  
 import net.sourceforge.pebble.domain.Blog;
 37  
 import net.sourceforge.pebble.domain.MultiBlog;
 38  
 import net.sourceforge.pebble.util.SecurityUtils;
 39  
 import net.sourceforge.pebble.web.action.Action;
 40  
 import net.sourceforge.pebble.web.action.ActionFactory;
 41  
 import net.sourceforge.pebble.web.action.ActionNotFoundException;
 42  
 import net.sourceforge.pebble.web.action.SecureAction;
 43  
 import net.sourceforge.pebble.web.model.Model;
 44  
 import net.sourceforge.pebble.web.security.SecurityTokenValidator;
 45  
 import net.sourceforge.pebble.web.view.View;
 46  
 import net.sourceforge.pebble.web.view.impl.MultiBlogNotSupportedView;
 47  
 import org.apache.commons.logging.Log;
 48  
 import org.apache.commons.logging.LogFactory;
 49  
 
 50  
 import javax.inject.Inject;
 51  
 import javax.servlet.ServletContext;
 52  
 import javax.servlet.ServletException;
 53  
 import javax.servlet.http.*;
 54  
 import java.io.IOException;
 55  
 
 56  
 /**
 57  
  * An implementation of the front controller pattern, using the command
 58  
  * and controller strategy.
 59  
  *
 60  
  * @author Simon Brown
 61  
  */
 62  0
 public class DefaultHttpController implements HttpController {
 63  
 
 64  0
   private static final Log log = LogFactory.getLog(DefaultHttpController.class);
 65  
 
 66  
   /**
 67  
    * a reference to the factory used to create Action instances
 68  
    */
 69  
   private ActionFactory actionFactory;
 70  
 
 71  
   /**
 72  
    * the extension used to refer to actions
 73  
    */
 74  0
   private String actionExtension = ".action";
 75  
 
 76  
   /**
 77  
    * The security token validator
 78  
    */
 79  
   @Inject
 80  
   private SecurityTokenValidator securityTokenValidator;
 81  
 
 82  
   /**
 83  
    * Processes the request - this is delegated to from doGet and doPost.
 84  
    *
 85  
    * @param request  the HttpServletRequest instance
 86  
    * @param response the HttpServletResponse instance
 87  
    * @throws ServletException if an error occured
 88  
    * @throws IOException if an error occured writing/reading the response/request
 89  
    */
 90  
   public void processRequest(HttpServletRequest request,
 91  
                                 HttpServletResponse response,
 92  
                                 ServletContext servletContext)
 93  
           throws ServletException, IOException {
 94  
 
 95  0
     AbstractBlog blog = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);
 96  
 
 97  
     // find which action should be used
 98  0
     String actionName = request.getRequestURI();
 99  0
     if (actionName.indexOf("?") > -1) {
 100  
       // strip of the query string - some servers leave this on
 101  0
       actionName = actionName.substring(0, actionName.indexOf("?"));
 102  
     }
 103  0
     int index = actionName.lastIndexOf("/");
 104  0
     actionName = actionName.substring(index + 1, (actionName.length() - actionExtension.length()));
 105  
     Action action;
 106  
 
 107  
     try {
 108  0
       log.debug("Action is " + actionName);
 109  0
       action = actionFactory.getAction(actionName);
 110  0
     } catch (ActionNotFoundException anfe) {
 111  0
       log.warn(anfe.getMessage());
 112  0
       response.sendError(HttpServletResponse.SC_NOT_FOUND);
 113  0
       return;
 114  0
     }
 115  
 
 116  0
     boolean authorised = isAuthorised(request, action);
 117  0
     if (!authorised) {
 118  0
       response.sendError(HttpServletResponse.SC_FORBIDDEN);
 119  
     } else {
 120  0
       boolean validated = securityTokenValidator.validateSecurityToken(request, response, action);
 121  0
       if (!validated) {
 122  
         // Forward to no security url
 123  0
         request.getRequestDispatcher("/noSecurityToken.action").forward(request, response);
 124  
       } else {
 125  
         try {
 126  0
           Model model = new Model();
 127  0
           model.put(Constants.BLOG_KEY, blog);
 128  0
           model.put(Constants.BLOG_URL, blog.getUrl());
 129  0
           action.setModel(model);
 130  
           View view;
 131  
           try {
 132  0
             view = action.process(request, response);
 133  0
           } catch (ClassCastException cce) {
 134  
             // PEBBLE-45 Actions intended for single blog mode should fail nicely.  This is a simple method that will
 135  
             // allow has to handle all actions with minimal effort
 136  0
             if (cce.getMessage().contains(MultiBlog.class.getName()) && cce.getMessage().contains(Blog.class.getName())) {
 137  0
               view = new MultiBlogNotSupportedView();
 138  
             } else {
 139  0
               throw cce;
 140  
             }
 141  0
           }
 142  0
           if (view != null) {
 143  
 
 144  0
             view.setModel(model);
 145  0
             view.setServletContext(servletContext);
 146  
 
 147  0
             view.prepare();
 148  
 
 149  0
             for (Object key : model.keySet()) {
 150  0
               request.setAttribute(key.toString(), model.get(key.toString()));
 151  
             }
 152  
 
 153  0
             response.setContentType(view.getContentType());
 154  0
             view.dispatch(request, response, servletContext);
 155  
 
 156  
           }
 157  0
         } catch (Exception e) {
 158  0
           request.setAttribute("exception", e);
 159  0
           throw new ServletException(e);
 160  0
         }
 161  
       }
 162  
     }
 163  0
   }
 164  
 
 165  
   private boolean isAuthorised(HttpServletRequest request, Action action) {
 166  0
     if (action instanceof SecureAction) {
 167  0
       SecureAction secureAction = (SecureAction) action;
 168  0
       return isUserInRole(request, secureAction);
 169  
     } else {
 170  0
       return true;
 171  
     }
 172  
   }
 173  
 
 174  
   /**
 175  
    * Determines whether the current user in one of the roles specified
 176  
    * by the secure action.
 177  
    *
 178  
    * @param request the HttpServletRequest
 179  
    * @param action  the SecureAction to check against
 180  
    * @return true if the user is in one of the roles, false otherwise
 181  
    */
 182  
   private boolean isUserInRole(HttpServletRequest request, SecureAction action) {
 183  0
     AbstractBlog ab = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);
 184  0
     String currentUser = SecurityUtils.getUsername();
 185  0
     String roles[] = action.getRoles(request);
 186  0
     for (String role : roles) {
 187  0
       if (role.equals(Constants.ANY_ROLE)) {
 188  0
         return true;
 189  0
       } else if (SecurityUtils.isUserInRole(role)) {
 190  0
         if (ab instanceof Blog) {
 191  0
           Blog blog = (Blog) ab;
 192  0
           if (blog.isUserInRole(role, currentUser)) {
 193  0
             return true;
 194  
           }
 195  0
         } else {
 196  0
           return true;
 197  
         }
 198  
       }
 199  
     }
 200  0
     return false;
 201  
   }
 202  
 
 203  
   public void setActionFactory(ActionFactory actionFactory) {
 204  0
     this.actionFactory = actionFactory;
 205  0
   }
 206  
 
 207  
   public void setActionExtension(String actionExtension) {
 208  0
     this.actionExtension = actionExtension;
 209  0
   }
 210  
 }