Java tutorial
/* * Copyright 1999-2004 The Apache Software Foundation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.cocoon.acting; import org.apache.avalon.excalibur.datasource.DataSourceComponent; import org.apache.avalon.framework.configuration.Configuration; import org.apache.avalon.framework.parameters.Parameters; import org.apache.avalon.framework.thread.ThreadSafe; import org.apache.cocoon.Constants; import org.apache.cocoon.environment.ObjectModelHelper; import org.apache.cocoon.environment.Redirector; import org.apache.cocoon.environment.Request; import org.apache.cocoon.environment.Session; import org.apache.cocoon.environment.SourceResolver; import org.apache.commons.lang.BooleanUtils; import org.apache.commons.lang.StringUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.PreparedStatement; import java.util.Collections; import java.util.HashMap; import java.util.Map; /** * This action is used to authenticate user by comparing several request * fields (username, password) with the values in database. The description of * the process is given via external xml description file simiar to the one * used for all actions derived from AbstractDatabaseAction. * <pre> * <root> * <connection>personnel</connection> * <table name="users_table> * <select dbcol="username" request-param="username" * to-session="username"/> * <select dbcol="password" request-param="password" * nullable="yes"/> * <select dbcol="role" to-session="role" type="string"/> * <select dbcol="skin" to-session="skin" type="string"/> * </table> * </root> * </pre> * The values specified via "request-param" describe the name of HTTP request * parameter, "dbcol" indicates matching database column, "nullable" means * that request-param which is null or empty will not be included in the WHERE * clause. This way you can enable accounts with empty passwords, etc. * "to-session" attribute indicates under which name the value obtained from * database should be stored in the session. Of course new session is created * when authorization is successfull. The "type" attribute can be either * string, long or double and alters the type of object stored in session. * Additionally all parameters that are * propagated to the session are made available to the sitemap via {name} * expression. * * If there is no need to touch the session object, providing just one-time * verification, you can specify action parameter "create-session" to "no" or * "false". No values are then propagated to the sesion and session object is * not verified. * * @author <a href="mailto:Martin.Man@seznam.cz">Martin Man</a> * @version CVS $Id: DatabaseAuthenticatorAction.java 30932 2004-07-29 17:35:38Z vgritsenko $ */ public class DatabaseAuthenticatorAction extends AbstractDatabaseAction implements ThreadSafe { /** * Main invocation routine. */ public Map act(Redirector redirector, SourceResolver resolver, Map objectModel, String src, Parameters parameters) throws Exception { DataSourceComponent datasource = null; Connection conn = null; PreparedStatement st = null; ResultSet rs = null; // read global parameter settings boolean reloadable = Constants.DESCRIPTOR_RELOADABLE_DEFAULT; if (this.settings.containsKey("reloadable")) { reloadable = Boolean.valueOf((String) this.settings.get("reloadable")).booleanValue(); } // read local settings try { Configuration conf = this.getConfiguration( parameters.getParameter("descriptor", (String) this.settings.get("descriptor")), resolver, parameters.getParameterAsBoolean("reloadable", reloadable)); boolean cs = true; String create_session = parameters.getParameter("create-session", (String) this.settings.get("create-session")); if (create_session != null) { cs = BooleanUtils.toBoolean(create_session.trim()); } datasource = this.getDataSource(conf); conn = datasource.getConnection(); Request req = ObjectModelHelper.getRequest(objectModel); /* check request validity */ if (req == null) { getLogger().debug("DBAUTH: no request object"); return null; } st = this.getAuthQuery(conn, conf, req); if (st == null) { getLogger().debug("DBAUTH: have not got query"); req.setAttribute("message", "The authenticator is misconfigured"); return null; } rs = st.executeQuery(); if (rs.next()) { getLogger().debug("DBAUTH: authorized successfully"); Session session = null; if (cs) { session = req.getSession(false); if (session != null) session.invalidate(); session = req.getSession(true); if (session == null) return null; getLogger().debug("DBAUTH: session created"); } else { getLogger().debug("DBAUTH: leaving session untouched"); } HashMap actionMap = this.propagateParameters(conf, rs, session); if (!conn.getAutoCommit()) { conn.commit(); } return Collections.unmodifiableMap(actionMap); } if (!conn.getAutoCommit()) { conn.rollback(); } req.setAttribute("message", "The username or password were incorrect, please check your CAPS LOCK key and try again."); getLogger().debug("DBAUTH: no results for query"); } catch (Exception e) { if (conn != null) { try { if (!conn.getAutoCommit()) { conn.rollback(); } } catch (Exception se) { /* ignore */} } getLogger().debug("exception: ", e); return null; } finally { if (rs != null) rs.close(); if (st != null) st.close(); if (conn != null) { try { conn.close(); } catch (Exception e) { /* ignore */} } } return null; } private PreparedStatement getAuthQuery(Connection conn, Configuration conf, Request req) { StringBuffer queryBuffer = new StringBuffer("SELECT "); StringBuffer queryBufferEnd = new StringBuffer(""); Configuration table = conf.getChild("table"); Configuration[] columns = table.getChildren("select"); try { Object[] constraintValues = new Object[columns.length]; int constraints = 0; for (int i = 0; i < columns.length; i++) { String dbcol = columns[i].getAttribute("dbcol"); boolean nullable = false; if (i > 0) { queryBuffer.append(", "); } queryBuffer.append(dbcol); String requestParameter = columns[i].getAttribute("request-param", null); if (StringUtils.isNotBlank(requestParameter)) { String nullstr = columns[i].getAttribute("nullable", null); if (nullstr != null) { nullable = BooleanUtils.toBoolean(nullstr.trim()); } String constraintValue = req.getParameter(requestParameter); // if there is a request parameter name, // but not the value, we exit immediately do // that authorization fails authomatically if (StringUtils.isBlank(constraintValue) && !nullable) { getLogger().debug("DBAUTH: request-param " + requestParameter + " does not exist"); return null; } if (constraints > 0) { queryBufferEnd.append(" AND "); } queryBufferEnd.append(dbcol).append("= ?"); constraintValues[constraints++] = constraintValue; } } queryBuffer.append(" FROM "); queryBuffer.append(table.getAttribute("name")); if (StringUtils.isNotBlank(queryBufferEnd.toString())) { queryBuffer.append(" WHERE ").append(queryBufferEnd); } getLogger().debug("DBAUTH: query " + queryBuffer); PreparedStatement st = conn.prepareStatement(queryBuffer.toString()); for (int i = 0; i < constraints; i++) { getLogger() .debug("DBAUTH: parameter " + (i + 1) + " = [" + String.valueOf(constraintValues[i]) + "]"); st.setObject(i + 1, constraintValues[i]); } return st; } catch (Exception e) { getLogger().debug("DBAUTH: got exception: " + e); } return null; } private HashMap propagateParameters(Configuration conf, ResultSet rs, Session session) { Configuration table = conf.getChild("table"); Configuration[] select = table.getChildren("select"); String session_param, type; HashMap map = new HashMap(); try { for (int i = 0; i < select.length; i++) { try { session_param = select[i].getAttribute("to-session"); if (StringUtils.isNotBlank(session_param)) { Object o = null; String s = rs.getString(i + 1); /* propagate to session */ type = select[i].getAttribute("type", ""); if (StringUtils.isBlank(type) || "string".equals(type)) { o = s; } else if ("long".equals(type)) { Long l = Long.decode(s); o = l; } else if ("double".equals(type)) { Double d = Double.valueOf(s); o = d; } if (session != null) { session.setAttribute(session_param, o); getLogger().debug("DBAUTH: propagating param " + session_param + "=" + s); } map.put(session_param, o); } } catch (Exception e) { // Empty } } return map; } catch (Exception e) { getLogger().debug("exception: ", e); } return null; } }