File Source: httpcontroller.java
/*
P/P * Method: net.sourceforge.pebble.web.controller.HttpController__static_init
*
* Postconditions:
* init'ed(log)
*/
1 /*
2 * Copyright (c) 2003-2006, Simon Brown
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 *
8 * - Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * - Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * - Neither the name of Pebble nor the names of its contributors may
17 * be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32 package net.sourceforge.pebble.web.controller;
33
34 import net.sourceforge.pebble.Constants;
35 import net.sourceforge.pebble.domain.AbstractBlog;
36 import net.sourceforge.pebble.domain.Blog;
37 import net.sourceforge.pebble.util.SecurityUtils;
38 import net.sourceforge.pebble.util.Utilities;
39 import net.sourceforge.pebble.web.action.Action;
40 import net.sourceforge.pebble.web.action.ActionFactory;
41 import net.sourceforge.pebble.web.action.ActionNotFoundException;
42 import net.sourceforge.pebble.web.action.SecureAction;
43 import net.sourceforge.pebble.web.model.Model;
44 import net.sourceforge.pebble.web.security.RequireSecurityToken;
45 import net.sourceforge.pebble.web.security.SecurityTokenValidator;
46 import net.sourceforge.pebble.web.view.View;
47 import org.apache.commons.logging.Log;
48 import org.apache.commons.logging.LogFactory;
49
/*
P/P * Method: void net.sourceforge.pebble.web.controller.HttpController()
*
* Postconditions:
* this.actionExtension == &".action"
*/
50 import javax.servlet.ServletException;
51 import javax.servlet.http.*;
52 import java.io.IOException;
53 import java.security.SecureRandom;
54
55 /**
56 * An implementation of the front controller pattern, using the command
57 * and controller strategy.
58 *
59 * @author Simon Brown
60 */
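public class HttpController extends HttpServlet {

  /**
   * the log used by this class
   */
  private static final Log log = LogFactory.getLog(HttpController.class);

  /**
   * a reference to the factory used to create Action instances
   */
  private ActionFactory actionFactory;

  /**
   * the extension used to refer to actions; defaults to ".action" and is
   * overridden by the "actionExtension" init parameter when one is configured
   */
  private String actionExtension = ".action";

  /**
   * The security token validator (presumably a CSRF token check - it forwards
   * failing requests to /noSecurityToken.action; confirm against the validator)
   */
  private SecurityTokenValidator securityTokenValidator;

  /**
   * Initialises this instance from the servlet init parameters.
   * <p>
   * "actions" is handed to the ActionFactory; "actionExtension" optionally
   * replaces the default ".action" suffix. The default is only replaced when
   * the parameter is actually present: assigning the raw parameter value
   * unconditionally left actionExtension null whenever it was omitted, and
   * processRequest dereferences it on every request.
   */
  public void init() {
    String actions = getServletConfig().getInitParameter("actions");
    String configuredExtension = getServletConfig().getInitParameter("actionExtension");
    if (configuredExtension != null) {
      this.actionExtension = configuredExtension;
    }
    this.actionFactory = new ActionFactory(actions);
    this.securityTokenValidator = new SecurityTokenValidator();
  }

  /**
   * Processes the request - this is delegated to from doGet and doPost.
   * <p>
   * Order of checks: resolve the action from the URI (404 if unknown),
   * authorise the caller (403), validate the security token (forward to the
   * explanation page), then run the action and dispatch its view.
   *
   * @param request the HttpServletRequest instance
   * @param response the HttpServletResponse instance
   * @throws ServletException wrapping any exception thrown while running the
   *         action or rendering the view; the cause is also stored in the
   *         "exception" request attribute for the error page
   * @throws IOException if sending an error response fails
   */
  protected void processRequest(HttpServletRequest request,
                                HttpServletResponse response)
      throws ServletException, IOException {

    // NOTE(review): presumably set by an upstream filter - a missing attribute
    // only surfaces below as a NullPointerException wrapped in ServletException
    AbstractBlog blog = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);

    // find which action should be used
    String actionName = extractActionName(request.getRequestURI(), actionExtension);
    if (actionName == null) {
      // the final path segment does not carry the action extension, so there
      // is nothing to dispatch; answer 404 rather than failing with a 500
      log.debug("Request path does not name an action");
      response.sendError(HttpServletResponse.SC_NOT_FOUND);
      return;
    }

    Action action;
    try {
      log.debug("Action is " + actionName);
      action = actionFactory.getAction(actionName);
    } catch (ActionNotFoundException anfe) {
      log.warn(anfe.getMessage());
      response.sendError(HttpServletResponse.SC_NOT_FOUND);
      return;
    }

    // authorisation comes first: an unauthorised caller never reaches the
    // action and is not told anything about the token requirement
    if (!isAuthorised(request, action)) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }

    // the validator decides per action whether a token is needed; on failure
    // the request is forwarded to the "no security token" page
    if (!securityTokenValidator.validateSecurityToken(request, response, action)) {
      request.getRequestDispatcher("/noSecurityToken.action").forward(request, response);
      return;
    }

    try {
      Model model = new Model();
      model.put(Constants.BLOG_KEY, blog);
      model.put(Constants.BLOG_URL, blog.getUrl());
      action.setModel(model);
      View view = action.process(request, response);
      if (view != null) {
        view.setModel(model);
        view.setServletContext(this.getServletContext());
        view.prepare();

        // expose every model entry to the view layer as a request attribute
        for (Object key : model.keySet()) {
          request.setAttribute(key.toString(), model.get(key.toString()));
        }

        response.setContentType(view.getContentType());
        view.dispatch(request, response, getServletContext());
      }
    } catch (Exception e) {
      // keep the cause reachable by the container's error page, then fail the request
      request.setAttribute("exception", e);
      throw new ServletException(e);
    }
  }

  /**
   * Derives the action name from a request URI: the last path segment with
   * the query string (some servers leave it on) and the action extension
   * removed.
   *
   * @param requestUri the raw request URI, may be null
   * @param extension  the action extension, e.g. ".action"
   * @return the action name, or null when the URI is null or its last segment
   *         does not end with the extension. The previous unconditional
   *         substring threw StringIndexOutOfBoundsException (a 500) for
   *         segments shorter than the extension.
   */
  static String extractActionName(String requestUri, String extension) {
    if (requestUri == null) {
      return null;
    }
    String path = requestUri;
    int queryStart = path.indexOf('?');
    if (queryStart > -1) {
      // strip the query string - some servers leave this on
      path = path.substring(0, queryStart);
    }
    String segment = path.substring(path.lastIndexOf('/') + 1);
    if (!segment.endsWith(extension)) {
      return null;
    }
    return segment.substring(0, segment.length() - extension.length());
  }

  /**
   * Authorises the request for the given action: actions that are not
   * SecureActions are open to everyone, SecureActions require the caller to
   * hold one of the roles the action declares.
   *
   * @param request the HttpServletRequest
   * @param action  the resolved Action
   * @return true if the caller may run the action
   */
  private boolean isAuthorised(HttpServletRequest request, Action action) {
    if (!(action instanceof SecureAction)) {
      return true;
    }
    return isUserInRole(request, (SecureAction) action);
  }

  /**
   * Determines whether the current user is in one of the roles specified
   * by the secure action.
   * <p>
   * Constants.ANY_ROLE grants access to everyone. Otherwise the user must hold
   * the role globally (SecurityUtils) and, when the request targets a Blog,
   * on that blog as well. Missing or null roles deny access (fail closed).
   *
   * @param request the HttpServletRequest
   * @param action the SecureAction to check against
   * @return true if the user is in one of the roles, false otherwise
   */
  private boolean isUserInRole(HttpServletRequest request, SecureAction action) {
    AbstractBlog ab = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY);
    String currentUser = SecurityUtils.getUsername();
    String[] roles = action.getRoles(request);
    if (roles == null) {
      // an action that declares no roles grants nobody access
      return false;
    }
    for (String role : roles) {
      if (role == null) {
        continue;
      }
      if (role.equals(Constants.ANY_ROLE)) {
        return true;
      }
      if (!SecurityUtils.isUserInRole(role)) {
        continue;
      }
      // a global role is enough outside a single blog; inside one, the
      // blog-level role assignment must agree as well
      if (!(ab instanceof Blog)) {
        return true;
      }
      if (((Blog) ab).isUserInRole(role, currentUser)) {
        return true;
      }
    }
    return false;
  }

  /**
   * A default implementation of doGet that delegates to the processRequest method.
   * GET and POST are dispatched identically here; whether a state-changing
   * action may be triggered by GET is left to the token validator and the
   * action itself.
   *
   * @param req the HttpServletRequest instance
   * @param res the HttpServletResponse instance
   */
  protected void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    processRequest(req, res);
  }

  /**
   * A default implementation of doPost that delegates to the processRequest method.
   *
   * @param req the HttpServletRequest instance
   * @param res the HttpServletResponse instance
   */
  protected void doPost(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    processRequest(req, res);
  }

}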
SofCheck Inspector Build Version : 2.22510
| httpcontroller.java |
2010-Jun-25 19:40:32 |
| httpcontroller.class |
2010-Jul-19 20:23:38 |