001/**
002 * Copyright 2005-2017 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016package org.kuali.rice.ksb.messaging.web;
017
018import org.apache.log4j.Logger;
019import org.apache.struts.action.ActionForm;
020import org.apache.struts.action.ActionMapping;
021import org.apache.struts.action.InvalidCancelException;
022import org.apache.struts.action.RequestProcessor;
023import org.kuali.rice.krad.UserSession;
024import org.kuali.rice.krad.service.KRADServiceLocatorWeb;
025import org.kuali.rice.krad.util.CsrfValidator;
026import org.kuali.rice.krad.util.GlobalVariables;
027import org.kuali.rice.krad.util.KRADUtils;
028
029import javax.servlet.ServletException;
030import javax.servlet.http.HttpServletRequest;
031import javax.servlet.http.HttpServletResponse;
032import java.io.IOException;
033
/**
 * A RequestProcessor implementation for Struts which determines whether access to the requested
 * KSB page should be allowed.
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 */
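public class KSBStrutsRequestProcessor extends RequestProcessor {

    private static final Logger LOG = Logger.getLogger(KSBStrutsRequestProcessor.class);

    /**
     * Establishes the KRAD {@link UserSession} for the current request before Struts dispatches it.
     *
     * <p>The session is read from the request via {@link KRADUtils#getUserSessionFromRequest(HttpServletRequest)}
     * and published through {@link GlobalVariables}; {@code GlobalVariables.clear()} is then invoked, in the
     * same order as the original implementation (the exact per-request state it resets is defined by KRAD,
     * not here).
     *
     * @param request the current request
     * @param response the current response
     * @return the result of {@link RequestProcessor#processPreprocess}; {@code false} stops further processing
     * @throws IllegalStateException if no user session has been established for the request
     */
    @Override
    protected boolean processPreprocess(HttpServletRequest request, HttpServletResponse response) {
        final UserSession session = KRADUtils.getUserSessionFromRequest(request);
        if (session == null) {
            throw new IllegalStateException("the user session has not been established");
        }
        // publish the session first, then reset the remaining globals (order preserved from the original)
        GlobalVariables.setUserSession(session);
        GlobalVariables.clear();
        return super.processPreprocess(request, response);
    }

    /**
     * Enforces the CSRF check and then delegates to the standard Struts validation.
     *
     * <p>The CSRF check is deliberately performed here, after Struts has populated the form, rather than in
     * {@link #processPreprocess}: for a multipart request the token parameter is only available once the
     * multipart handler has parsed the body, which happens during form population. When the check fails the
     * request is rejected ({@code false}) and any multipart upload is rolled back, mirroring what Struts
     * itself does when validation fails.
     *
     * @param request the current request
     * @param response the current response, passed through to the CSRF service
     * @param form the form bean for the mapping, or {@code null} if the mapping has none
     * @param mapping the current action mapping
     * @return {@code false} if the CSRF check rejected the request, otherwise the result of
     *         {@link RequestProcessor#processValidate}
     * @throws IOException propagated from the superclass validation
     * @throws ServletException propagated from the superclass validation
     * @throws InvalidCancelException propagated from the superclass validation
     */
    @Override
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response, ActionForm form,
            ActionMapping mapping) throws IOException, ServletException, InvalidCancelException {
        if (!KRADServiceLocatorWeb.getCsrfService().validateCsrfIfNecessary(request, response)) {
            // leave a trace for operators; the URI alone carries no query string or token value
            if (LOG.isDebugEnabled()) {
                LOG.debug("CSRF validation failed for " + request.getRequestURI() + "; rejecting request");
            }
            rollbackMultipartRequest(form);
            return false;
        }
        return super.processValidate(request, response, form, mapping);
    }

    /**
     * Asks the form's multipart handler, if there is one, to roll back the request so a rejected multipart
     * submission is cleaned up the way Struts does for a failed validation.
     *
     * <p>Safe to call when the mapping has no form bean ({@code form == null}) or the request was not
     * multipart; the original code dereferenced {@code form} unconditionally, which would have turned a
     * rejected CSRF check on a form-less mapping into a {@link NullPointerException}.
     *
     * @param form the form bean for the current mapping, possibly {@code null}
     */
    private static void rollbackMultipartRequest(ActionForm form) {
        if (form == null || form.getMultipartRequestHandler() == null) {
            return;
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("  Rolling back multipart request");
        }
        form.getMultipartRequestHandler().rollback();
    }

}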