NIHVIVO-736 begin the transition from LoginFormBean to LoginStatusBean.

2010-10-06 16:06:25 +00:00 · 2010-10-06 16:06:25 +00:00 · b07049a116
commit b07049a116
parent 9e1a84e174
7 changed files with 175 additions and 39 deletions
--- a/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java
+++ b/webapp/src/edu/cornell/mannlib/vedit/beans/LoginStatusBean.java
@ -0,0 +1,138 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vedit.beans;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * An immutable object that records the user's login info as a session
+ * attribute.
+ */
+public class LoginStatusBean {
+	private static final Log log = LogFactory.getLog(LoginStatusBean.class);
+
+	/**
+	 * Security level when the user has not logged in. Also used as a minimum
+	 * level when we want to include every user, logged in or not.
+	 */
+	public static final int ANYBODY = 0;
+
+	/** Security level when a user with no privileges is logged in. */
+	public static final int NON_EDITOR = 1;
+
+	/** Security level when an authorized editor is logged in. */
+	public static final int EDITOR = 4;
+
+	/** Security level when an authorized curator is logged in. */
+	public static final int CURATOR = 5;
+
+	/** Security level when a system administrator is logged in. */
+	public static final int DBA = 50;
+
+	/** A bean to return when the user has not logged in. */
+	private static final LoginStatusBean DUMMY_BEAN = new LoginStatusBean("",
+			"", ANYBODY);
+
+	/** The bean is attached to the session by this name. */
+	private static final String ATTRIBUTE_NAME = "loginStatus";
+
+	// ----------------------------------------------------------------------
+	// static methods
+	// ----------------------------------------------------------------------
+
+	/**
+	 * Attach this bean to the session.
+	 */
+	public static void setBean(HttpSession session, LoginStatusBean lsb) {
+		session.setAttribute(ATTRIBUTE_NAME, lsb);
+	}
+
+	/**
+	 * Get the bean from this request, or a dummy bean if the user is not logged
+	 * in.
+	 */
+	public static LoginStatusBean getBean(HttpServletRequest request) {
+		if (request == null) {
+			return DUMMY_BEAN;
+		}
+
+		HttpSession session = request.getSession(false);
+		if (session == null) {
+			return DUMMY_BEAN;
+		}
+
+		return getBean(session);
+	}
+
+	/**
+	 * Get the bean from this session, or a dummy bean if the user is not logged
+	 * in.
+	 */
+	public static LoginStatusBean getBean(HttpSession session) {
+		if (session == null) {
+			return DUMMY_BEAN;
+		}
+
+		Object o = session.getAttribute(ATTRIBUTE_NAME);
+		if (o == null) {
+			return DUMMY_BEAN;
+		}
+
+		if (!(o instanceof LoginStatusBean)) {
+			log.warn("Tried to get login status bean, but found an instance of "
+					+ o.getClass().getName() + ": " + o);
+			return DUMMY_BEAN;
+		}
+
+		return (LoginStatusBean) o;
+	}
+
+	// ----------------------------------------------------------------------
+	// the bean
+	// ----------------------------------------------------------------------
+
+	private final String userURI;
+	private final String username;
+	private final int securityLevel;
+
+	public LoginStatusBean(String userURI, String username, int securityLevel) {
+		this.userURI = userURI;
+		this.username = username;
+		this.securityLevel = securityLevel;
+	}
+
+	public String getUserURI() {
+		return userURI;
+	}
+
+	public String getUsername() {
+		return username;
+	}
+
+	public int getSecurityLevel() {
+		return securityLevel;
+	}
+
+	public boolean isLoggedIn() {
+		return securityLevel > ANYBODY;
+	}
+
+	public boolean isLoggedInAs(int level) {
+		return securityLevel == level;
+	}
+
+	public boolean isLoggedInAtLeast(int minimumLevel) {
+		return securityLevel >= minimumLevel;
+	}
+
+	@Override
+	public String toString() {
+		return "LoginStatusBean[userURI=" + userURI + ", username=" + username
+				+ ", securityLevel=" + securityLevel + "]";
+	}
+
+}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@ -25,6 +25,7 @@ import org.apache.commons.logging.LogFactory;
 import com.hp.hpl.jena.ontology.OntModel;

 import edu.cornell.mannlib.vedit.beans.LoginFormBean;
+import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.RoleBasedPolicy.AuthRole;
 import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
@ -287,6 +288,7 @@ public class Authenticate extends FreemarkerHttpServlet {
 		HttpSession session = request.getSession();

 		// Put the login info into the session.
+		// TODO the LoginFormBean is being phased out.
 		LoginFormBean lfb = new LoginFormBean();
 		lfb.setUserURI(user.getURI());
 		lfb.setLoginStatus("authenticated");
@ -295,6 +297,11 @@ public class Authenticate extends FreemarkerHttpServlet {
 		lfb.setLoginRemoteAddr(request.getRemoteAddr());
 		lfb.setLoginName(user.getUsername());
 		session.setAttribute("loginHandler", lfb);
+		// TODO this should eventually replace the LoginFormBean.
+		LoginStatusBean lsb = new LoginStatusBean(user.getURI(),
+				user.getUsername(), parseUserSecurityLevel(user));
+		LoginStatusBean.setBean(session, lsb);
+		log.info("Adding status bean: " + lsb);

 		// Remove the login process info from the session.
 		session.removeAttribute(LoginProcessBean.SESSION_ATTRIBUTE);
@ -307,15 +314,10 @@ public class Authenticate extends FreemarkerHttpServlet {
 		getUserDao(request).updateUser(user);

 		// Set the timeout limit on the session - editors, etc, get more.
-		session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL); // seconds,
-																	// not
-																	// milliseconds
-		try {
-			if ((int) Integer.decode(lfb.getLoginRole()) > 1) {
-				session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
-			}
-		} catch (NumberFormatException e) {
-			// No problem - leave it at the default.
+		if (lsb.isLoggedInAtLeast(LoginStatusBean.EDITOR)) {
+			session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
+		} else {
+			session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL);
 		}

 		// Record the user in the user/Session map.
@ -437,10 +439,8 @@ public class Authenticate extends FreemarkerHttpServlet {
 		if (session == null) {
 			return State.NOWHERE;
 		}
-
-		LoginFormBean lfb = (LoginFormBean) session
-				.getAttribute("loginHandler");
-		if ((lfb != null) && (lfb.getLoginStatus().equals("authenticated"))) {
+		
+		if (LoginStatusBean.getBean(request).isLoggedIn()) {
 			return State.LOGGED_IN;
 		}

@ -456,19 +456,13 @@ public class Authenticate extends FreemarkerHttpServlet {
 			return null;
 		}

-		HttpSession session = request.getSession(false);
-		if (session == null) {
-			return null;
-		}
-
-		LoginFormBean lfb = (LoginFormBean) session
-				.getAttribute("loginHandler");
-		if (lfb == null) {
+		LoginStatusBean lsb = LoginStatusBean.getBean(request);
+		if (!lsb.isLoggedIn()) {
 			log.debug("getLoggedInUser: not logged in");
 			return null;
 		}

-		return userDao.getUserByUsername(lfb.getLoginName());
+		return userDao.getUserByUsername(lsb.getUsername());
 	}

 	/**
@ -520,6 +514,19 @@ public class Authenticate extends FreemarkerHttpServlet {
 		return LoginProcessBean.getBeanFromSession(request);
 	}

+	/**
+	 * Parse the role URI from User. Don't crash if it is not valid.
+	 */
+	private int parseUserSecurityLevel(User user) {
+		try {
+			return Integer.parseInt(user.getRoleURI());
+		} catch (NumberFormatException e) {
+			log.warn("Invalid RoleURI '" + user.getRoleURI() + "' for user '"
+					+ user.getURI() + "'");
+			return 1;
+		}
+	}
+
 	// ----------------------------------------------------------------------
 	// Public utility methods.
 	// ----------------------------------------------------------------------