/* ====================================================================== The Bodington System Software License, Version 1.0 Copyright (c) 2001 The University of Leeds. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The end-user documentation included with the redistribution, if any, must include the following acknowledgement: "This product includes software developed by the University of Leeds (http://www.bodington.org/)." Alternately, this acknowledgement may appear in the software itself, if and wherever such third-party acknowledgements normally appear. 4. The names "Bodington", "Nathan Bodington", "Bodington System", "Bodington Open Source Project", and "The University of Leeds" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact d.gardner@leeds.ac.uk. 5. The name "Bodington" may not appear in the name of products derived from this software without prior written permission of the University of Leeds. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, TITLE, THE IMPLIED WARRANTIES OF QUALITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE UNIVERSITY OF LEEDS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ========================================================= This software was originally created by the University of Leeds and may contain voluntary contributions from others. For more information on the Bodington Open Source Project, please see http://bodington.org/ ====================================================================== */ package org.bodington.servlet; import java.rmi.RemoteException; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import org.bodington.server.BuildingServerException; import org.bodington.server.NavigationSession; /** * Abstract implementation of a session initializer. This class is intended * to assist in the implementation of concrete subclasses by capturing * commonality. * @author Alexis O'Connor */ public abstract class AbstractSessionInitializer implements SessionInitializer { private SessionInitializer next; /** * Pass the request to the next link in the chain. This method is used to * simply exit control from this object by calling the * {@link #handleRequest(Request)} method of the next link in the * chain. If there is no subsequent link, this method returns * null. * @param request the request object. * @return the result of the subsequent link's * {@link #handleRequest(Request)} method, or * null if this is the last link in the chain. * @see #handleRequest(Request) */ protected NavigationSession passToNextLink( Request request ) { return (next != null) ? next.handleRequest(request) : null; } public void setNextSessionInitializer( SessionInitializer initializer ) { next = initializer; } /** * Find a session associated with the request. If no session can be * found, this method returns null. If this method returns * null, then code elsewhere assumes that the instance should * pass the request to the next link in the chain. This implementation of * the method attempts to find the session by looking for an associated * cookie. * @param request the request to be examined. * @return a session associated with the request. * @see Cookie */ protected HttpSession findHttpSession( Request request ) { Cookie[] cookies = request.getCookies(); if ( cookies == null ) return null; for ( int i = 0; i < cookies.length; i++ ) { if ( Request.SESSION_ID_COOKIE_NAME.equals( cookies[i].getName() ) ) { HttpSession session = HttpSession.findSessionById( cookies[i].getValue() ); if ( session != null ) return session; } } return null; } /** * Setup the navigation session so authentication can be attempted. * This method is intended to be overridden by subclasses to perform * the work of setting up the credentials in the navigation session * specific to their enclosing class. * @param request the current request. * @param session the associated session instance. * @param navigation the navigation session to be authenticated. * @return true if authentication information was found * and was set in the session. * @see NavigationSession#setAuthenticationCredentials(Properties, String) */ protected abstract boolean initialize( Request request, HttpSession session, NavigationSession navigation ); /** * Post initialize the session. This method is guaranteed to only ever be * called on a session whose associated {@link NavigationSession} instance * has been successfully authenticated. The default implementation * sets the session timeout and clears out the session a little. * @param session the session object to be post initialized. * @param request the request which has been authenticated. * @see NavigationSession * @see NavigationSession#isAuthenticated() */ protected void postInitialize( HttpSession session, Request request ) { NavigationSession navigation = session.getServerNavigationSession(); // Get time-out interval from servlet container session and assume that // this in turn came from web.xml -> session-timeout. int time = ((HttpServletRequest) request.getRequest()).getSession() .getMaxInactiveInterval(); session.setMaxInactiveInterval(time); try { if (navigation.getAuthenticatedUser().isValid()) { session.setUserId( navigation.getAuthenticatedUserId() ); // clear the user style sheet to force recompilation session.removeAttribute( "org.bodington.user_style_sheet" ); // clear the auto style sheets to force recompilation session.removeAttribute( "org.bodington.user_style_sheet_auto_table" ); } else { // TODO Should set some message about account being invalid navigation.clearAuthenticationCredentials(); } } catch ( BuildingServerException e ) { } } public NavigationSession handleRequest( Request request ) { HttpSession session = findHttpSession( request ); if (session == null) return passToNextLink( request ); // Bind the session to the request. request.setAttribute( Request.SESSION_ATTRIBUTE_NAME, session ); NavigationSession navigation = session.getServerNavigationSession(); try { if (initialize(request, session, navigation ) && navigation.isAuthenticated()) { postInitialize( session, request ); return navigation; } } catch ( BuildingServerException e ) { } return passToNextLink( request ); // default behaviour. } }