1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16 package org.kuali.rice.kew.notes.web;
17
18 import org.apache.log4j.Logger;
19 import org.kuali.rice.coreservice.framework.CoreFrameworkServiceLocator;
20 import org.kuali.rice.kew.api.WorkflowRuntimeException;
21 import org.kuali.rice.kew.doctype.SecuritySession;
22 import org.kuali.rice.kew.notes.Attachment;
23 import org.kuali.rice.kew.notes.service.NoteService;
24 import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
25 import org.kuali.rice.kew.service.KEWServiceLocator;
26 import org.kuali.rice.kew.api.KewApiConstants;
27 import org.kuali.rice.krad.UserSession;
28 import org.kuali.rice.krad.util.KRADConstants;
29
30 import javax.servlet.ServletException;
31 import javax.servlet.http.HttpServlet;
32 import javax.servlet.http.HttpServletRequest;
33 import javax.servlet.http.HttpServletResponse;
34 import java.io.BufferedInputStream;
35 import java.io.BufferedOutputStream;
36 import java.io.File;
37 import java.io.FileInputStream;
38 import java.io.IOException;
39 import java.io.OutputStream;
40
41
42
43
44
45
46
47
48
49 public class AttachmentServlet extends HttpServlet {
50
51 private static final long serialVersionUID = -1918858512573502697L;
52 public static final String ATTACHMENT_ID_KEY = "attachmentId";
53
54
55
56 private static final Logger LOG = Logger.getLogger(AttachmentServlet.class);
57
58 @Override
59 protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
60 String attachmentId = request.getParameter(ATTACHMENT_ID_KEY);
61 if (attachmentId == null) {
62 throw new ServletException("No 'attachmentId' was specified.");
63 }
64
65 boolean secureChecks = false;
66 String secureAttachmentsParam = null;
67 try {
68 secureAttachmentsParam = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsString(KewApiConstants.KEW_NAMESPACE, "All", KewApiConstants.SECURE_ATTACHMENTS_PARAM);
69 } catch (Exception e) {
70 LOG.info("Attempted to retrieve parameter value, but could not. Defaulting to unsecured attachment retrieval. " + e.getMessage());
71 }
72 if (secureAttachmentsParam != null && secureAttachmentsParam.equals("Y")) {
73 secureChecks = true;
74 }
75 try {
76 UserSession userSession = (UserSession) request.getSession().getAttribute(KRADConstants.USER_SESSION_KEY);
77 if (userSession != null) {
78
79 NoteService noteService = KEWServiceLocator.getNoteService();
80 Attachment attachment = noteService.findAttachment(attachmentId);
81 File file = noteService.findAttachmentFile(attachment);
82
83 DocumentRouteHeaderValue routeHeader = KEWServiceLocator.getRouteHeaderService().getRouteHeader(noteService.getNoteByNoteId(attachment.getNoteId()).getDocumentId());
84
85 if(!secureChecks || routeHeader != null){
86 boolean authorized = KEWServiceLocator.getDocumentSecurityService().routeLogAuthorized(userSession.getPrincipalId(), routeHeader, new SecuritySession(userSession.getPrincipalId()));
87 boolean customAttributeAuthorized = false;
88 if(routeHeader.getCustomNoteAttribute() != null){
89 routeHeader.getCustomNoteAttribute().setUserSession(userSession);
90 customAttributeAuthorized = routeHeader.getCustomNoteAttribute().isAuthorizedToRetrieveAttachments();
91 }
92 if(!secureChecks || (authorized && customAttributeAuthorized)){
93 response.setContentLength((int)file.length());
94 response.setContentType(attachment.getMimeType());
95 response.setHeader("Content-disposition", "attachment; filename="+attachment.getFileName());
96 FileInputStream attachmentFile = new FileInputStream(file);
97 BufferedInputStream inputStream = new BufferedInputStream(attachmentFile);
98 OutputStream outputStream = new BufferedOutputStream(response.getOutputStream());
99
100 try {
101 int c;
102 while ((c = inputStream.read()) != -1) {
103 outputStream.write(c);
104 }
105 } finally {
106 inputStream.close();
107 }
108 outputStream.close();
109 } else {
110 LOG.error("Attempt to access attachmentId:"+ attachmentId + " from documentId:" + routeHeader.getDocumentId() + " from unauthorized user: " + userSession.getPrincipalId());
111 response.sendError(HttpServletResponse.SC_FORBIDDEN);
112 return;
113 }
114 } else {
115 LOG.error("Caught Null Pointer trying to determine routeHeader for requested attachmentId:" + attachmentId);
116 response.sendError(HttpServletResponse.SC_NOT_FOUND);
117 return;
118 }
119 } else {
120 LOG.error("Attempt to access attachmentId:" + attachmentId + " with invalid UserSession");
121 response.sendError(HttpServletResponse.SC_BAD_REQUEST);
122 return;
123 }
124 } catch (Exception e) {
125 LOG.error("Problem retrieving requested attachmentId:" + attachmentId, e);
126 throw new WorkflowRuntimeException(e);
127 }
128 }
129 @Override
130 protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
131 doPost(request, response);
132 }
133
134 }