001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet.filters.servletauthorizing;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
020    import com.liferay.portal.kernel.util.GetterUtil;
021    import com.liferay.portal.model.User;
022    import com.liferay.portal.security.auth.PrincipalThreadLocal;
023    import com.liferay.portal.security.permission.PermissionChecker;
024    import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
025    import com.liferay.portal.security.permission.PermissionThreadLocal;
026    import com.liferay.portal.service.UserLocalServiceUtil;
027    import com.liferay.portal.servlet.filters.BasePortalFilter;
028    import com.liferay.portal.util.PortalInstances;
029    import com.liferay.portal.util.PortalUtil;
030    import com.liferay.portal.util.PropsValues;
031    import com.liferay.portal.util.WebKeys;
032    
033    import javax.servlet.FilterChain;
034    import javax.servlet.http.HttpServletRequest;
035    import javax.servlet.http.HttpServletResponse;
036    import javax.servlet.http.HttpSession;
037    
038    import org.apache.struts.Globals;
039    
040    /**
041     * @author Raymond Augé
042     */
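public class ServletAuthorizingFilter extends BasePortalFilter {

	/**
	 * Resolves the authenticated user for this request, publishes the
	 * principal name and permission checker to the current thread, and then
	 * continues the filter chain with a {@link ProtectedServletRequest}
	 * wrapper so that every container reports the remote user the same way.
	 *
	 * <p>
	 * The remote user is taken from the container
	 * ({@code request.getRemoteUser()}) or, when JAAS is disabled, from the
	 * one-shot {@code j_remoteuser} session attribute, which is removed from
	 * the session once it has been read. If neither is present but the portal
	 * already knows the user id, the user id is used as the remote user.
	 * </p>
	 *
	 * <p>
	 * If the user lookup or permission checker creation fails, the failure is
	 * logged and the chain still continues. In that case the principal name
	 * has already been published to the thread while this filter has not
	 * installed a permission checker; whether a downstream component supplies
	 * a default checker is not visible from this class.
	 * </p>
	 *
	 * @param  request the current request; a {@link ProtectedServletRequest}
	 *         wrapping it is what the rest of the chain receives
	 * @param  response the current response, passed through unchanged
	 * @param  filterChain the remaining filter chain
	 * @throws Exception propagated from the remaining filter chain
	 */
	@Override
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		HttpSession session = request.getSession();

		// Company id. The returned value is discarded, so the call is
		// presumably made for its side effects on the request or thread;
		// confirm against PortalInstances before relying on that.

		PortalInstances.getCompanyId(request);

		// Authorize

		long userId = PortalUtil.getUserId(request);
		String remoteUser = _getRemoteUser(request, session, userId);

		// WebSphere will not return the remote user unless you are
		// authenticated AND accessing a protected path. Other servers will
		// return the remote user for all threads associated with an
		// authenticated user. We use ProtectedServletRequest to ensure we get
		// similar behavior across all servers.

		request = new ProtectedServletRequest(request, remoteUser);

		if ((userId > 0) || (remoteUser != null)) {
			_setPrincipal(session, userId, remoteUser);
		}

		processFilter(
			ServletAuthorizingFilter.class, request, response, filterChain);
	}

	/**
	 * Determines the remote user name for this request.
	 *
	 * <p>
	 * Order of precedence: the {@code j_remoteuser} session attribute when
	 * JAAS is disabled (consumed on read so it cannot be reused by a later
	 * request), then the container's remote user, then the portal user id
	 * when it is positive.
	 * </p>
	 *
	 * @param  request the current request
	 * @param  session the current session
	 * @param  userId the user id the portal resolved for this request
	 * @return the remote user name, or <code>null</code> if none could be
	 *         determined
	 */
	private static String _getRemoteUser(
		HttpServletRequest request, HttpSession session, long userId) {

		String remoteUser = request.getRemoteUser();

		if (!PropsValues.PORTAL_JAAS_ENABLE) {
			String jRemoteUser = (String)session.getAttribute("j_remoteuser");

			if (jRemoteUser != null) {
				remoteUser = jRemoteUser;

				// One-shot handoff from the login flow (set elsewhere in the
				// portal); remove it so it is not replayed on later requests

				session.removeAttribute("j_remoteuser");
			}
		}

		if ((userId > 0) && (remoteUser == null)) {
			remoteUser = String.valueOf(userId);
		}

		return remoteUser;
	}

	/**
	 * Publishes the principal name to the current thread and, when the user
	 * can be loaded, installs a permission checker and stores the user id and
	 * locale in the session.
	 *
	 * <p>
	 * The principal name is the remote user when present, else the user id.
	 * The numeric user id is then re-derived from that name; a non-numeric
	 * remote user therefore does not map to a user here and the lookup is
	 * expected to fail. A lookup failure is logged and otherwise ignored,
	 * leaving the principal name set but no permission checker installed by
	 * this filter.
	 * </p>
	 *
	 * @param session the current session
	 * @param userId the user id the portal resolved for this request
	 * @param remoteUser the remote user name, or <code>null</code>
	 */
	private static void _setPrincipal(
		HttpSession session, long userId, String remoteUser) {

		// Set the principal associated with this thread

		String name = String.valueOf(userId);

		if (remoteUser != null) {
			name = remoteUser;
		}

		PrincipalThreadLocal.setName(name);

		// User id, re-derived from the principal name

		long principalUserId = GetterUtil.getLong(name);

		try {

			// User

			User user = UserLocalServiceUtil.getUserById(principalUserId);

			// Permission checker

			PermissionChecker permissionChecker =
				PermissionCheckerFactoryUtil.create(user);

			PermissionThreadLocal.setPermissionChecker(permissionChecker);

			// User id

			session.setAttribute(
				WebKeys.USER_ID, Long.valueOf(principalUserId));

			// User locale

			session.setAttribute(Globals.LOCALE_KEY, user.getLocale());
		}
		catch (Exception e) {

			// Deliberately best-effort: the request continues down the chain
			// without a permission checker installed by this filter

			_log.error(e, e);
		}
	}

	private static final Log _log = LogFactoryUtil.getLog(
		ServletAuthorizingFilter.class);

}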