Coverage Report

Coverage Report - org.kuali.rice.kew.notes.web.AttachmentServlet

Classes in this File

0/52

0/18

 /*
  * Copyright 2006-2011 The Kuali Foundation
  *
  * Licensed under the Educational Community License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.opensource.org/licenses/ecl2.php
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.kuali.rice.kew.notes.web;
 
 import org.apache.log4j.Logger;
 import org.kuali.rice.core.framework.services.CoreFrameworkServiceLocator;
 import org.kuali.rice.kew.api.WorkflowRuntimeException;
 import org.kuali.rice.kew.doctype.SecuritySession;
 import org.kuali.rice.kew.notes.Attachment;
 import org.kuali.rice.kew.notes.service.NoteService;
 import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
 import org.kuali.rice.kew.service.KEWServiceLocator;
 import org.kuali.rice.kew.util.KEWConstants;
 import org.kuali.rice.krad.UserSession;
 import org.kuali.rice.krad.util.KRADConstants;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 
 
 
 
 /**
  * A servlet which can be used to retrieve attachments from Notes.
  * 
  * @author Kuali Rice Team (rice.collab@kuali.org)
  */
 public class AttachmentServlet extends HttpServlet {
         
         private static final long serialVersionUID = -1918858512573502697L;
         public static final String ATTACHMENT_ID_KEY = "attachmentId";
 
         // TODO This should probably be put into KEWConstants when contributed back
         // to Rice 1.0.3
         private static final Logger LOG = Logger.getLogger(AttachmentServlet.class);
                         
         @Override
         protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
                 String attachmentId = request.getParameter(ATTACHMENT_ID_KEY);
                 if (attachmentId == null) {
                         throw new ServletException("No 'attachmentId' was specified.");
                 }
                 
                 boolean secureChecks = true;
                 String secureAttachmentsParam = null;
                 try {
                         secureAttachmentsParam = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsString(KEWConstants.KEW_NAMESPACE, "All", KEWConstants.SECURE_ATTACHMENTS_PARAM);
                 } catch (Exception e) {
                         LOG.info("Attempted to retrieve parameter value, but could not. Defaulting to unsecured attachment retrieval. " + e.getMessage());
                 }
                 if (secureAttachmentsParam != null && secureAttachmentsParam.equals("N")) {
                         secureChecks = false;
                 }
                 try {
                         UserSession userSession = (UserSession) request.getSession().getAttribute(KRADConstants.USER_SESSION_KEY);
                         if (userSession != null) {// If we can get a valid userSession object off the Http request...
                                 
                                 NoteService noteService = KEWServiceLocator.getNoteService(); 
                                 Attachment attachment = noteService.findAttachment(attachmentId);
                                 File file = noteService.findAttachmentFile(attachment);
                                 
                                 DocumentRouteHeaderValue routeHeader = KEWServiceLocator.getRouteHeaderService().getRouteHeader(noteService.getNoteByNoteId(attachment.getNoteId()).getDocumentId());
                                 
                                 if(!secureChecks || routeHeader != null){// If we can get a valid routeHeader based on the requested attachment ID
                                         boolean authorized = KEWServiceLocator.getDocumentSecurityService().routeLogAuthorized(userSession, routeHeader, new SecuritySession(userSession));
                                         
                                         if(!secureChecks || authorized){// If this user can see this document, they can get the attachment(s)
                                                 response.setContentLength((int)file.length());
                                                 response.setContentType(attachment.getMimeType());
                                                 response.setHeader("Content-disposition", "attachment; filename="+attachment.getFileName());
                                                 FileInputStream attachmentFile = new FileInputStream(file);
                                                 BufferedInputStream inputStream = new BufferedInputStream(attachmentFile);
                                                 OutputStream outputStream = new BufferedOutputStream(response.getOutputStream());
 
                                                 try {
                                                         int c;
                                                         while ((c = inputStream.read()) != -1) {
                                                                 outputStream.write(c);
                                                         }
                                                 } finally {
                                                         inputStream.close();
                                                 }
                                                 outputStream.close();
                                         } else {// Throw a forbidden page back, they were not approved by DocumentSecurityService
                                                 LOG.error("Attempt to access attachmentId:"+ attachmentId + " from documentId:" + routeHeader.getDocumentId() + " from unauthorized user: " + userSession.getPrincipalId());
                                                 response.sendError(HttpServletResponse.SC_FORBIDDEN);
                                                 return;
                                         }
                                 } else {// Throw a not found, couldn't get a valid routeHeader
                                         LOG.error("Caught Null Pointer trying to determine routeHeader for requested attachmentId:" + attachmentId);
                                         response.sendError(HttpServletResponse.SC_NOT_FOUND);
                                         return;
                                 }
                         } else {// Throw a bad request, we couldn't find a valid user session
                                 LOG.error("Attempt to access attachmentId:" + attachmentId + " with invalid UserSession");
                                 response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                                 return;
                         }
                 } catch (Exception e) {// Catch any error, log it. Send a not found, and throw up the exception.
                         LOG.error("Problem retrieving requested attachmentId:" + attachmentId, e);
                         throw new WorkflowRuntimeException(e);
                 }
         }
         @Override
         protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
                 doPost(request, response);
         }        
         
 }

1		/*
2		* Copyright 2006-2011 The Kuali Foundation
3		*
4		* Licensed under the Educational Community License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.opensource.org/licenses/ecl2.php
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16		package org.kuali.rice.kew.notes.web;
17
18		import org.apache.log4j.Logger;
19		import org.kuali.rice.core.framework.services.CoreFrameworkServiceLocator;
20		import org.kuali.rice.kew.api.WorkflowRuntimeException;
21		import org.kuali.rice.kew.doctype.SecuritySession;
22		import org.kuali.rice.kew.notes.Attachment;
23		import org.kuali.rice.kew.notes.service.NoteService;
24		import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
25		import org.kuali.rice.kew.service.KEWServiceLocator;
26		import org.kuali.rice.kew.util.KEWConstants;
27		import org.kuali.rice.krad.UserSession;
28		import org.kuali.rice.krad.util.KRADConstants;
29
30		import javax.servlet.ServletException;
31		import javax.servlet.http.HttpServlet;
32		import javax.servlet.http.HttpServletRequest;
33		import javax.servlet.http.HttpServletResponse;
34		import java.io.BufferedInputStream;
35		import java.io.BufferedOutputStream;
36		import java.io.File;
37		import java.io.FileInputStream;
38		import java.io.IOException;
39		import java.io.OutputStream;
40
41
42
43
44		/**
45		* A servlet which can be used to retrieve attachments from Notes.
46		*
47		* @author Kuali Rice Team (rice.collab@kuali.org)
48		*/
49	0	public class AttachmentServlet extends HttpServlet {
50
51		private static final long serialVersionUID = -1918858512573502697L;
52		public static final String ATTACHMENT_ID_KEY = "attachmentId";
53
54		// TODO This should probably be put into KEWConstants when contributed back
55		// to Rice 1.0.3
56	0	private static final Logger LOG = Logger.getLogger(AttachmentServlet.class);
57
58		@Override
59		protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
60	0	String attachmentId = request.getParameter(ATTACHMENT_ID_KEY);
61	0	if (attachmentId == null) {
62	0	throw new ServletException("No 'attachmentId' was specified.");
63		}
64
65	0	boolean secureChecks = true;
66	0	String secureAttachmentsParam = null;
67		try {
68	0	secureAttachmentsParam = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsString(KEWConstants.KEW_NAMESPACE, "All", KEWConstants.SECURE_ATTACHMENTS_PARAM);
69	0	} catch (Exception e) {
70	0	LOG.info("Attempted to retrieve parameter value, but could not. Defaulting to unsecured attachment retrieval. " + e.getMessage());
71	0	}
72	0	if (secureAttachmentsParam != null && secureAttachmentsParam.equals("N")) {
73	0	secureChecks = false;
74		}
75		try {
76	0	UserSession userSession = (UserSession) request.getSession().getAttribute(KRADConstants.USER_SESSION_KEY);
77	0	if (userSession != null) {// If we can get a valid userSession object off the Http request...
78
79	0	NoteService noteService = KEWServiceLocator.getNoteService();
80	0	Attachment attachment = noteService.findAttachment(attachmentId);
81	0	File file = noteService.findAttachmentFile(attachment);
82
83	0	DocumentRouteHeaderValue routeHeader = KEWServiceLocator.getRouteHeaderService().getRouteHeader(noteService.getNoteByNoteId(attachment.getNoteId()).getDocumentId());
84
85	0	if(!secureChecks \|\| routeHeader != null){// If we can get a valid routeHeader based on the requested attachment ID
86	0	boolean authorized = KEWServiceLocator.getDocumentSecurityService().routeLogAuthorized(userSession, routeHeader, new SecuritySession(userSession));
87
88	0	if(!secureChecks \|\| authorized){// If this user can see this document, they can get the attachment(s)
89	0	response.setContentLength((int)file.length());
90	0	response.setContentType(attachment.getMimeType());
91	0	response.setHeader("Content-disposition", "attachment; filename="+attachment.getFileName());
92	0	FileInputStream attachmentFile = new FileInputStream(file);
93	0	BufferedInputStream inputStream = new BufferedInputStream(attachmentFile);
94	0	OutputStream outputStream = new BufferedOutputStream(response.getOutputStream());
95
96		try {
97		int c;
98	0	while ((c = inputStream.read()) != -1) {
99	0	outputStream.write(c);
100		}
101		} finally {
102	0	inputStream.close();
103	0	}
104	0	outputStream.close();
105	0	} else {// Throw a forbidden page back, they were not approved by DocumentSecurityService
106	0	LOG.error("Attempt to access attachmentId:"+ attachmentId + " from documentId:" + routeHeader.getDocumentId() + " from unauthorized user: " + userSession.getPrincipalId());
107	0	response.sendError(HttpServletResponse.SC_FORBIDDEN);
108	0	return;
109		}
110	0	} else {// Throw a not found, couldn't get a valid routeHeader
111	0	LOG.error("Caught Null Pointer trying to determine routeHeader for requested attachmentId:" + attachmentId);
112	0	response.sendError(HttpServletResponse.SC_NOT_FOUND);
113	0	return;
114		}
115	0	} else {// Throw a bad request, we couldn't find a valid user session
116	0	LOG.error("Attempt to access attachmentId:" + attachmentId + " with invalid UserSession");
117	0	response.sendError(HttpServletResponse.SC_BAD_REQUEST);
118	0	return;
119		}
120	0	} catch (Exception e) {// Catch any error, log it. Send a not found, and throw up the exception.
121	0	LOG.error("Problem retrieving requested attachmentId:" + attachmentId, e);
122	0	throw new WorkflowRuntimeException(e);
123	0	}
124	0	}
125		@Override
126		protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
127	0	doPost(request, response);
128	0	}
129
130		}