View Javadoc
1   /**
2    * Copyright 2005-2016 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.kew.notes.web;
17  
18  import org.apache.log4j.Logger;
19  import org.kuali.rice.coreservice.framework.CoreFrameworkServiceLocator;
20  import org.kuali.rice.kew.api.WorkflowRuntimeException;
21  import org.kuali.rice.kew.doctype.SecuritySession;
22  import org.kuali.rice.kew.notes.Attachment;
23  import org.kuali.rice.kew.notes.service.NoteService;
24  import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
25  import org.kuali.rice.kew.service.KEWServiceLocator;
26  import org.kuali.rice.kew.api.KewApiConstants;
27  import org.kuali.rice.krad.UserSession;
28  import org.kuali.rice.krad.util.KRADConstants;
29  
30  import javax.servlet.ServletException;
31  import javax.servlet.http.HttpServlet;
32  import javax.servlet.http.HttpServletRequest;
33  import javax.servlet.http.HttpServletResponse;
34  import java.io.BufferedInputStream;
35  import java.io.BufferedOutputStream;
36  import java.io.File;
37  import java.io.FileInputStream;
38  import java.io.IOException;
39  import java.io.OutputStream;
40  
41  
42  
43  
44  /**
45   * A servlet which can be used to retrieve attachments from Notes.
46   * 
47   * @author Kuali Rice Team (rice.collab@kuali.org)
48   */
49  public class AttachmentServlet extends HttpServlet {
50  	
51  	private static final long serialVersionUID = -1918858512573502697L;
52  	public static final String ATTACHMENT_ID_KEY = "attachmentId";
53  
54  	// TODO This should probably be put into KewApiConstants when contributed back
55  	// to Rice 1.0.3
56  	private static final Logger LOG = Logger.getLogger(AttachmentServlet.class);
57  			
58  	@Override
59  	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
60  		String attachmentId = request.getParameter(ATTACHMENT_ID_KEY);
61  		if (attachmentId == null) {
62  			throw new ServletException("No 'attachmentId' was specified.");
63  		}
64  		
65  		boolean secureChecks = false;
66  		String secureAttachmentsParam = null;
67  		try {
68  			secureAttachmentsParam = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsString(KewApiConstants.KEW_NAMESPACE, "All", KewApiConstants.SECURE_ATTACHMENTS_PARAM);
69  		} catch (Exception e) {
70  			LOG.info("Attempted to retrieve parameter value, but could not. Defaulting to unsecured attachment retrieval. " + e.getMessage());
71  		}
72  		if (secureAttachmentsParam != null && secureAttachmentsParam.equals("Y")) {
73  			secureChecks = true;
74  		}
75  		try {
76  			UserSession userSession = (UserSession) request.getSession().getAttribute(KRADConstants.USER_SESSION_KEY);
77  			if (userSession != null) {// If we can get a valid userSession object off the Http request...
78  				
79  				NoteService noteService = KEWServiceLocator.getNoteService(); 
80  				Attachment attachment = noteService.findAttachment(attachmentId);
81  				File file = noteService.findAttachmentFile(attachment);
82  				
83  				DocumentRouteHeaderValue routeHeader = KEWServiceLocator.getRouteHeaderService().getRouteHeader(noteService.getNoteByNoteId(attachment.getNoteId()).getDocumentId());
84  				
85  				if(!secureChecks || routeHeader != null){// If we can get a valid routeHeader based on the requested attachment ID
86  					boolean authorized = KEWServiceLocator.getDocumentSecurityService().routeLogAuthorized(userSession.getPrincipalId(), routeHeader, new SecuritySession(userSession.getPrincipalId()));
87                      boolean customAttributeAuthorized = false;
88                      if(routeHeader.getCustomNoteAttribute() != null){
89                          routeHeader.getCustomNoteAttribute().setUserSession(userSession);
90                          customAttributeAuthorized = routeHeader.getCustomNoteAttribute().isAuthorizedToRetrieveAttachments();
91                      }                    
92                      if(!secureChecks || (authorized && customAttributeAuthorized)){//If this user can see this document, they can get the attachment(s)						
93                      	response.setContentLength((int)file.length());
94  						response.setContentType(attachment.getMimeType());
95  						response.setHeader("Content-disposition", "attachment; filename=\"" + attachment.getFileName() + "\"");
96  						FileInputStream attachmentFile = new FileInputStream(file);
97  						BufferedInputStream inputStream = new BufferedInputStream(attachmentFile);
98  						OutputStream outputStream = new BufferedOutputStream(response.getOutputStream());
99  
100 						try {
101 							int c;
102 							while ((c = inputStream.read()) != -1) {
103 								outputStream.write(c);
104 							}
105 						} finally {
106 							inputStream.close();
107 						}
108 						outputStream.close();
109 					} else {// Throw a forbidden page back, they were not approved by DocumentSecurityService
110 						LOG.error("Attempt to access attachmentId:"+ attachmentId + " from documentId:" + routeHeader.getDocumentId() + " from unauthorized user: " + userSession.getPrincipalId());
111 						response.sendError(HttpServletResponse.SC_FORBIDDEN);
112 						return;
113 					}
114 				} else {// Throw a not found, couldn't get a valid routeHeader
115 					LOG.error("Caught Null Pointer trying to determine routeHeader for requested attachmentId:" + attachmentId);
116 					response.sendError(HttpServletResponse.SC_NOT_FOUND);
117 					return;
118 				}
119 			} else {// Throw a bad request, we couldn't find a valid user session
120 				LOG.error("Attempt to access attachmentId:" + attachmentId + " with invalid UserSession");
121 				response.sendError(HttpServletResponse.SC_BAD_REQUEST);
122 				return;
123 			}
124 		} catch (Exception e) {// Catch any error, log it. Send a not found, and throw up the exception.
125 			LOG.error("Problem retrieving requested attachmentId:" + attachmentId, e);
126 			throw new WorkflowRuntimeException(e);
127 		}
128 	}
129 	@Override
130 	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
131 		doPost(request, response);
132 	}	
133 	
134 }