001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.security.pacl.DoPrivileged;
018    import com.liferay.portal.kernel.util.CharPool;
019    import com.liferay.portal.kernel.util.SetUtil;
020    import com.liferay.portal.kernel.util.Validator;
021    import com.liferay.portal.model.Portlet;
022    import com.liferay.portal.service.PortletLocalServiceUtil;
023    
024    import java.util.Collections;
025    import java.util.Set;
026    
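/**
 * Base {@link PortletRequestWhitelist} that keeps two read-only sets built
 * from values supplied by the subclass: a set of whitelisted portlet ids and a
 * set of whitelisted Struts actions.
 *
 * <p>
 * What a whitelisted invocation is exempted from is decided by the callers of
 * this class and is not visible here.
 * </p>
 *
 * <p>
 * NOTE(review): the two set fields are plain (non-volatile) references that
 * are replaced by the reset methods. If a reset can run on a different thread
 * than the request threads that read the sets, confirm that the new set is
 * safely published.
 * </p>
 *
 * @author Peter Borkuti
 * @author Tomas Polesovsky
 */
@DoPrivileged
public abstract class AbstractPortletRequestWhitelist
    implements PortletRequestWhitelist {

    /**
     * Builds both whitelists from the values supplied by the subclass.
     *
     * <p>
     * The reset methods call the abstract <code>getWhitelist*PropsValues</code>
     * methods, so a subclass implementation runs before the subclass's own
     * field initializers and constructor body. Implementations must not rely
     * on subclass instance state.
     * </p>
     */
    public AbstractPortletRequestWhitelist() {
        resetPortletInvocationWhitelist();
        resetPortletInvocationWhitelistActions();
    }

    /**
     * Returns the current set of whitelisted portlet ids.
     *
     * @return the unmodifiable set installed by the last call to {@link
     *         #resetPortletInvocationWhitelist()}
     */
    @Override
    public Set<String> getPortletInvocationWhitelist() {
        return _portletInvocationWhitelist;
    }

    /**
     * Returns the current set of whitelisted Struts actions.
     *
     * @return the unmodifiable set installed by the last call to {@link
     *         #resetPortletInvocationWhitelistActions()}
     */
    @Override
    public Set<String> getPortletInvocationWhitelistActions() {
        return _portletInvocationWhitelistActions;
    }

    /**
     * Returns the raw values from which the Struts action whitelist is built.
     *
     * @return the whitelisted Struts actions, as read by {@link
     *         #resetPortletInvocationWhitelistActions()}
     */
    public abstract String[] getWhitelistActionsPropsValues();

    /**
     * Returns the raw values from which the portlet id whitelist is built.
     *
     * @return the whitelisted portlet ids, as read by {@link
     *         #resetPortletInvocationWhitelist()}
     */
    public abstract String[] getWhitelistPropsValues();

    /**
     * Decides whether an invocation is whitelisted, either by portlet id or by
     * Struts action.
     *
     * <p>
     * A portlet id match returns <code>true</code> immediately; in that case
     * neither the company id nor the Struts action is consulted. A Struts
     * action match additionally requires {@link #isValidStrutsAction(long,
     * String, String)} to confirm that the action belongs to the portlet.
     * </p>
     *
     * @param  companyId the company used to look up the portlet when the
     *         Struts action is checked
     * @param  portletId the id of the invoked portlet
     * @param  strutsAction the requested Struts action; skipped when it does
     *         not pass <code>Validator.isNotNull</code>
     * @return <code>true</code> if the invocation is whitelisted;
     *         <code>false</code> otherwise
     */
    @Override
    public boolean isPortletInvocationWhitelisted(
        long companyId, String portletId, String strutsAction) {

        Set<String> whitelist = getPortletInvocationWhitelist();

        if (whitelist.contains(portletId)) {
            return true;
        }

        if (Validator.isNotNull(strutsAction)) {
            Set<String> whitelistActions =
                getPortletInvocationWhitelistActions();

            // The action must be listed AND belong to this portlet; a listed
            // action alone is not enough.

            if (whitelistActions.contains(strutsAction) &&
                isValidStrutsAction(companyId, portletId, strutsAction)) {

                return true;
            }
        }

        return false;
    }

    /**
     * Rebuilds the portlet id whitelist from {@link
     * #getWhitelistPropsValues()}.
     *
     * @return the new unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletInvocationWhitelist() {
        Set<String> values = SetUtil.fromArray(getWhitelistPropsValues());

        // Assign the field once, already wrapped, so that a concurrent reader
        // never obtains the mutable backing set through the getter.

        Set<String> whitelist = Collections.unmodifiableSet(values);

        _portletInvocationWhitelist = whitelist;

        return whitelist;
    }

    /**
     * Rebuilds the Struts action whitelist from {@link
     * #getWhitelistActionsPropsValues()}.
     *
     * @return the new unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletInvocationWhitelistActions() {
        Set<String> values = SetUtil.fromArray(
            getWhitelistActionsPropsValues());

        // Same single-assignment publication as for the portlet id whitelist.

        Set<String> whitelistActions = Collections.unmodifiableSet(values);

        _portletInvocationWhitelistActions = whitelistActions;

        return whitelistActions;
    }

    /**
     * Checks that a Struts action belongs to the given portlet.
     *
     * <p>
     * The Struts path is taken as the text between the first character of the
     * action and its last slash, and must equal the portlet's Struts path or
     * parent Struts path. The method fails closed: a missing portlet, a
     * malformed action or a failed lookup all yield <code>false</code>.
     * </p>
     *
     * @param  companyId the company used to look up the portlet
     * @param  portletId the id of the portlet to look up
     * @param  strutsAction the Struts action to validate
     * @return <code>true</code> if the action's path matches the portlet;
     *         <code>false</code> otherwise
     */
    protected boolean isValidStrutsAction(
        long companyId, String portletId, String strutsAction) {

        if (strutsAction == null) {
            return false;
        }

        int pos = strutsAction.lastIndexOf(CharPool.SLASH);

        // An action with no slash, or whose only slash is the leading one,
        // has no path segment. Reject it explicitly instead of relying on
        // substring() throwing into the catch block below.

        if (pos < 1) {
            return false;
        }

        // NOTE(review): the first character is dropped without checking that
        // it is a slash; confirm that whitelisted actions always start with
        // one.

        String strutsPath = strutsAction.substring(1, pos);

        try {
            Portlet portlet = PortletLocalServiceUtil.getPortletById(
                companyId, portletId);

            if (portlet == null) {
                return false;
            }

            if (strutsPath.equals(portlet.getStrutsPath()) ||
                strutsPath.equals(portlet.getParentStrutsPath())) {

                return true;
            }
        }
        catch (Exception e) {

            // Deliberately fail closed: if the portlet cannot be looked up,
            // the action is treated as not whitelisted.
            // NOTE(review): nothing is logged here, so a failing lookup is
            // invisible to operators; consider logging it with the project's
            // logger.

        }

        return false;
    }

    private Set<String> _portletInvocationWhitelist;
    private Set<String> _portletInvocationWhitelistActions;

}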