View Javadoc
1   /**
2    * Copyright 2005-2015 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.krad.web.controller;
17  
18  import org.apache.commons.lang.StringUtils;
19  import org.apache.log4j.Logger;
20  import org.kuali.rice.krad.UserSession;
21  import org.kuali.rice.krad.uif.UifConstants;
22  import org.kuali.rice.krad.uif.UifParameters;
23  import org.kuali.rice.krad.uif.util.ProcessLogger;
24  import org.kuali.rice.krad.uif.view.ViewModel;
25  import org.kuali.rice.krad.util.GlobalVariables;
26  import org.kuali.rice.krad.util.KRADUtils;
27  import org.kuali.rice.krad.web.form.HistoryManager;
28  import org.kuali.rice.krad.web.form.UifFormBase;
29  import org.kuali.rice.krad.web.form.UifFormManager;
30  import org.kuali.rice.krad.web.service.ModelAndViewService;
31  import org.springframework.beans.factory.annotation.Autowired;
32  import org.springframework.web.bind.annotation.RequestMethod;
33  import org.springframework.web.method.HandlerMethod;
34  import org.springframework.web.servlet.HandlerInterceptor;
35  import org.springframework.web.servlet.ModelAndView;
36  
37  import javax.servlet.http.HttpServletRequest;
38  import javax.servlet.http.HttpServletResponse;
39  
40  /**
41   * Spring controller intercepter for KRAD controllers.
42   *
43   * <p>Provides infrastructure for preparing the form and view before and after the controller is invoked.
44   * Included in this is form session management and preparation of the view for rendering</p>
45   *
46   * @author Kuali Rice Team (rice.collab@kuali.org)
47   */
48  public class UifControllerHandlerInterceptor implements HandlerInterceptor {
49      private static final Logger LOG = Logger.getLogger(UifControllerHandlerInterceptor.class);
50  
51      @Autowired
52      private ModelAndViewService modelAndViewService;
53  
54      /**
55       * Before the controller executes the user session is set on GlobalVariables
56       * and messages are cleared, in addition setup for the history manager and a check on missing session
57       * forms is performed.
58       *
59       * {@inheritDoc}
60       */
61      @Override
62      public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
63              Object handler) throws Exception {
64          checkHandlerMethodAccess(request, handler);
65  
66          final UserSession session = KRADUtils.getUserSessionFromRequest(request);
67  
68          GlobalVariables.setUserSession(session);
69          GlobalVariables.clear();
70  
71          createUifFormManagerIfNecessary(request);
72  
73          // add the HistoryManager for storing HistoryFlows to the session
74          if (request.getSession().getAttribute(UifConstants.HistoryFlow.HISTORY_MANAGER) == null) {
75              request.getSession().setAttribute(UifConstants.HistoryFlow.HISTORY_MANAGER, new HistoryManager());
76          }
77  
78          ProcessLogger.trace("pre-handle");
79  
80          return true;
81      }
82  
83      /**
84       * Checks whether access is allowed for the requested controller method.
85       *
86       * <p>First a check is done on the method to determine whether it contains the annotation
87       * {@link org.kuali.rice.krad.web.controller.MethodAccessible}. If so, access is allowed. If the
88       * annotation is not present, data from the posted view (if any) is referenced to determine
89       * whether the method was configured as an accessible method to call.</p>
90       *
91       * <p>If method access is not allowed, a {@link org.kuali.rice.krad.web.controller.MethodAccessException}
92       * is thrown.</p>
93       *
94       * @param request HTTP request (used to retrieve parameters)
95       * @param handler handler method that was determined based on the request and mappings
96       * @throws Exception
97       */
98      protected void checkHandlerMethodAccess(HttpServletRequest request, Object handler) throws Exception {
99          String requestMethod = request.getMethod();
100 
101         // if it is a GET request then we allow without any check
102         if(requestMethod.equalsIgnoreCase(RequestMethod.GET.name())) {
103             return;
104         }
105 
106         HandlerMethod handlerMethod = (HandlerMethod) handler;
107         MethodAccessible methodAccessible = handlerMethod.getMethodAnnotation(MethodAccessible.class);
108 
109         // if accessible by annotation then return, otherwise go on to check view configuration
110         if (methodAccessible != null) {
111             return;
112         }
113 
114         boolean isMethodAccessible = checkForMethodAccess(request);
115 
116         if (!isMethodAccessible) {
117             throw new MethodAccessException(handlerMethod.getBeanType(), handlerMethod.getMethod().getName());
118         }
119     }
120 
121     /**
122      * Checks whether access to the handler method is allowed based available methods or accessible methods
123      * on view configuration.
124      *
125      * <p>Since this method is invoked before the request form is setup, we need to retrieve the session form
126      * form the form manager. In the case of missing post data (GET requests), view method access is not
127      * granted.</p>
128      *
129      * @param request HTTP request to retrieve parameters from
130      * @return boolean true if method access is allowed based on the view, false if not
131      */
132     protected boolean checkForMethodAccess(HttpServletRequest request) {
133         String methodToCall = request.getParameter(UifParameters.METHOD_TO_CALL);
134 
135         // if method to call is blank, we will assume they are using other strategies to map controller
136         // methods, and therefore using custom access management
137         if (StringUtils.isBlank(methodToCall)) {
138             return true;
139         }
140 
141         UifFormManager uifFormManager = (UifFormManager) request.getSession().getAttribute(UifParameters.FORM_MANAGER);
142         UifFormBase form = null;
143 
144         String formKeyParam = request.getParameter(UifParameters.FORM_KEY);
145         if (StringUtils.isNotBlank(formKeyParam) && (uifFormManager != null)) {
146             form = uifFormManager.getSessionForm(formKeyParam);
147         }
148 
149         // if we don't have the view post data, there is nothing to validate
150         if ((form == null) || (form.getViewPostMetadata() == null)) {
151             return true;
152         }
153 
154         // if the method to call is listed as a method in either the available methods to call or the
155         // view's accessible methods to call, then return true
156         return !form.getViewPostMetadata().getAvailableMethodToCalls().contains(methodToCall) || ((form
157                 .getViewPostMetadata().getAccessibleMethodToCalls() != null) && form.getViewPostMetadata()
158                 .getAccessibleMethodToCalls().contains(methodToCall));
159     }
160 
161     /**
162      * Checks if a form manager is present in the session, and if not creates a form manager and adds to the
163      * session and global variables.
164      *
165      * @param request http request being handled
166      */
167     protected void createUifFormManagerIfNecessary(HttpServletRequest request) {
168         UifFormManager uifFormManager = (UifFormManager) request.getSession().getAttribute(UifParameters.FORM_MANAGER);
169         if (uifFormManager == null) {
170             uifFormManager = new UifFormManager();
171             request.getSession().setAttribute(UifParameters.FORM_MANAGER, uifFormManager);
172         }
173 
174         // add form manager to GlobalVariables for easy reference by other controller methods
175         GlobalVariables.setUifFormManager(uifFormManager);
176     }
177 
178     /**
179      * After the controller logic is executed, the form is placed into session and the corresponding view
180      * is prepared for rendering.
181      *
182      * {@inheritDoc}
183      */
184     @Override
185     public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
186             ModelAndView modelAndView) throws Exception {
187         if (request.getAttribute(UifParameters.Attributes.VIEW_LIFECYCLE_COMPLETE) == null) {
188             getModelAndViewService().prepareView(request, modelAndView);
189         }
190 
191         if ((modelAndView != null) && (modelAndView.getModelMap() != null)) {
192             Object model = modelAndView.getModelMap().get(UifConstants.DEFAULT_MODEL_NAME);
193             if ((model != null) && (model instanceof ViewModel)) {
194                 ((ViewModel) model).preRender(request);
195             }
196         }
197 
198         ProcessLogger.trace("post-handle");
199     }
200 
201     /**
202      * After the view is rendered remove the view to reduce the size of the form storage in memory.
203      *
204      * {@inheritDoc}
205      */
206     @Override
207     public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
208             Exception ex) throws Exception {
209         ProcessLogger.trace("after-completion");
210 
211         UifFormManager uifFormManager = (UifFormManager) request.getSession().getAttribute(UifParameters.FORM_MANAGER);
212         UifFormBase uifForm = (UifFormBase) request.getAttribute(UifConstants.REQUEST_FORM);
213 
214         if ((uifForm == null) || (uifForm.getView() == null)) {
215             return;
216         }
217 
218         // remove the session transient variables from the request form before adding it to the list of
219         // Uif session forms
220         boolean persistFormToSession = uifForm.getView().isPersistFormToSession();
221         if (persistFormToSession && (uifFormManager != null)) {
222             uifFormManager.purgeForm(uifForm);
223             uifFormManager.addSessionForm(uifForm);
224         }
225 
226         uifForm.setView(null);
227 
228         ProcessLogger.trace("after-completion-end");
229     }
230 
231     protected ModelAndViewService getModelAndViewService() {
232         return modelAndViewService;
233     }
234 
235     public void setModelAndViewService(ModelAndViewService modelAndViewService) {
236         this.modelAndViewService = modelAndViewService;
237     }
238 }