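/**
 * Copyright 2005-2016 The Kuali Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.opensource.org/licenses/ecl2.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.kuali.rice.ksb.messaging.web;

import org.apache.log4j.Logger;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.InvalidCancelException;
import org.apache.struts.action.RequestProcessor;
import org.kuali.rice.krad.UserSession;
import org.kuali.rice.krad.util.CsrfValidator;
import org.kuali.rice.krad.util.GlobalVariables;
import org.kuali.rice.krad.util.KRADUtils;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * A RequestProcessor implementation for Struts which handles determining whether or not access
 * should be allowed to the requested KSB page.
 *
 * <p>Two checks are layered onto the standard Struts request lifecycle:
 * <ul>
 *   <li>{@link #processPreprocess} requires an already-established {@link UserSession} and
 *       publishes it through {@link GlobalVariables} before any action code runs (fail closed
 *       when there is none).</li>
 *   <li>{@link #processValidate} runs the CSRF check via {@link CsrfValidator} after the form has
 *       been populated, so that multipart parameters are visible to the validator.</li>
 * </ul>
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 */
public class KSBStrutsRequestProcessor extends RequestProcessor {

    /**
     * Class logger. Currently unused: the trace output in {@link #rollbackMultipart} goes through
     * the commons-logging {@code log} field inherited from {@link RequestProcessor}.
     */
    private static final Logger LOG = Logger.getLogger(KSBStrutsRequestProcessor.class);

    // Parameter / session-attribute names for the CSRF token. Not referenced in this class;
    // presumably CsrfValidator owns the actual lookup — verify before relying on them.
    private static final String CSRF_PARAMETER = "csrfToken";
    private static final String CSRF_SESSION_TOKEN = "csrfSessionToken";

    /**
     * Establishes the KRAD {@link UserSession} for this request before Struts processes it.
     *
     * @param request  the current request
     * @param response the current response
     * @return whatever {@link RequestProcessor#processPreprocess} returns
     * @throws IllegalStateException if no user session has been established for the request;
     *         KSB pages must never be processed without one
     */
    @Override
    protected boolean processPreprocess(HttpServletRequest request, HttpServletResponse response) {
        final UserSession session = KRADUtils.getUserSessionFromRequest(request);
        if (session == null) {
            throw new IllegalStateException("the user session has not been established");
        }

        GlobalVariables.setUserSession(session);
        GlobalVariables.clear();
        return super.processPreprocess(request, response);
    }

    /**
     * Validates the CSRF token and then delegates to the standard Struts form validation.
     *
     * <p>The CSRF check is deliberately placed here rather than in {@link #processPreprocess}:
     * Struts populates the form (and parses multipart parameters into the request) before
     * calling this method, so the token is available even for multipart submissions.
     *
     * @param request  the current request
     * @param response the current response
     * @param form     the populated form bean, or {@code null} when the mapping has no form bean
     * @param mapping  the action mapping being processed
     * @return {@code false} if CSRF validation failed (request processing stops), otherwise the
     *         result of {@link RequestProcessor#processValidate}
     * @throws IOException             propagated from the superclass
     * @throws ServletException        propagated from the superclass
     * @throws InvalidCancelException  propagated from the superclass
     */
    @Override
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response, ActionForm form,
            ActionMapping mapping) throws IOException, ServletException, InvalidCancelException {
        if (!CsrfValidator.validateCsrf(request, response)) {
            // Discard any buffered upload before rejecting; guards against a null form, which
            // would previously have thrown NullPointerException here instead of returning false.
            rollbackMultipart(form);
            return false;
        }

        return super.processValidate(request, response, form, mapping);
    }

    /**
     * Rolls back any multipart upload data Struts buffered for a request that is being rejected.
     *
     * @param form the form bean for the request; may be {@code null}, in which case nothing is done
     */
    private static void rollbackMultipart(ActionForm form) {
        if (form == null || form.getMultipartRequestHandler() == null) {
            return;
        }

        // 'log' is the commons-logging field inherited from RequestProcessor.
        if (log.isTraceEnabled()) {
            log.trace(" Rolling back multipart request");
        }

        form.getMultipartRequestHandler().rollback();
    }

}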