001    /**
002     * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet.filters.servletauthorizing;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
020    import com.liferay.portal.kernel.util.GetterUtil;
021    import com.liferay.portal.model.User;
022    import com.liferay.portal.security.auth.PrincipalThreadLocal;
023    import com.liferay.portal.security.permission.PermissionChecker;
024    import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
025    import com.liferay.portal.security.permission.PermissionThreadLocal;
026    import com.liferay.portal.service.UserLocalServiceUtil;
027    import com.liferay.portal.servlet.filters.BasePortalFilter;
028    import com.liferay.portal.util.PortalInstances;
029    import com.liferay.portal.util.PortalUtil;
030    import com.liferay.portal.util.PropsValues;
031    import com.liferay.portal.util.WebKeys;
032    
033    import javax.servlet.FilterChain;
034    import javax.servlet.http.HttpServletRequest;
035    import javax.servlet.http.HttpServletResponse;
036    import javax.servlet.http.HttpSession;
037    
038    import org.apache.struts.Globals;
039    
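/**
 * Servlet filter that establishes the per-request security context before the
 * rest of the chain runs. It resolves the current principal (from the portal
 * user id, the container's remote user, or the {@code j_remoteuser} session
 * attribute when JAAS is disabled), exposes that principal uniformly through a
 * {@link ProtectedServletRequest}, and installs the principal name and the
 * user's {@link PermissionChecker} into their thread locals.
 *
 * <p>Nothing in this class clears those thread locals afterwards; presumably
 * {@link BasePortalFilter} or an enclosing filter resets them between
 * requests — verify before relying on it.</p>
 *
 * @author Raymond Augé
 */
public class ServletAuthorizingFilter extends BasePortalFilter {

	/**
	 * Resolves the principal for this request, wraps the request so that
	 * {@code getRemoteUser()} behaves consistently across servlet containers,
	 * populates the principal and permission thread locals, and then delegates
	 * to the rest of the filter chain.
	 *
	 * @param  request the incoming request
	 * @param  response the outgoing response
	 * @param  filterChain the remaining filter chain
	 * @throws Exception if the delegated {@code processFilter} call fails;
	 *         failures while loading the user or building the permission
	 *         checker are logged and do not abort the request
	 */
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		HttpSession session = request.getSession();

		// Company id (invoked for its side effect; the return value is unused)

		PortalInstances.getCompanyId(request);

		// Authorize

		long userId = PortalUtil.getUserId(request);
		String remoteUser = request.getRemoteUser();

		if (!PropsValues.PORTAL_JAAS_ENABLE) {

			// Without JAAS the principal may arrive in the session under
			// "j_remoteuser"; it is consumed exactly once (removed after being
			// read). Presumably set by the portal login flow — verify against
			// the login code.

			String jRemoteUser = (String)session.getAttribute("j_remoteuser");

			if (jRemoteUser != null) {
				remoteUser = jRemoteUser;

				session.removeAttribute("j_remoteuser");
			}
		}

		if ((userId > 0) && (remoteUser == null)) {
			remoteUser = String.valueOf(userId);
		}

		// WebSphere will not return the remote user unless you are
		// authenticated AND accessing a protected path. Other servers will
		// return the remote user for all threads associated with an
		// authenticated user. We use ProtectedServletRequest to ensure we get
		// similar behavior across all servers.

		request = new ProtectedServletRequest(request, remoteUser);

		if ((userId > 0) || (remoteUser != null)) {

			// Set the principal associated with this thread. The remote user,
			// when present, takes precedence over the portal user id.

			String name = String.valueOf(userId);

			if (remoteUser != null) {
				name = remoteUser;
			}

			PrincipalThreadLocal.setName(name);

			// User id (re-derived from the principal name, so a non-numeric
			// remote user yields whatever GetterUtil.getLong returns for it)

			userId = GetterUtil.getLong(name);

			try {

				// User

				User user = UserLocalServiceUtil.getUserById(userId);

				// Permission checker

				PermissionChecker permissionChecker =
					PermissionCheckerFactoryUtil.create(user, true);

				PermissionThreadLocal.setPermissionChecker(permissionChecker);

				// User id

				session.setAttribute(WebKeys.USER_ID, Long.valueOf(userId));

				// User locale

				session.setAttribute(Globals.LOCALE_KEY, user.getLocale());
			}
			catch (Exception e) {

				// Best effort: the request continues down the chain with the
				// principal name already set on this thread but without a
				// permission checker installed here, so downstream code must
				// not treat the principal name alone as proof of authorization

				_log.error(e, e);
			}
		}

		processFilter(
			ServletAuthorizingFilter.class, request, response, filterChain);
	}

	private static final Log _log = LogFactoryUtil.getLog(
		ServletAuthorizingFilter.class);

}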