/**
 * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
 *
 * This library is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Lesser General Public License as published by the Free
 * Software Foundation; either version 2.1 of the License, or (at your option)
 * any later version.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
 * details.
 */

package com.liferay.portal.security.auth;

import com.liferay.portal.kernel.util.CharPool;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
034    
/**
 * Session-scoped anti-CSRF token: issues a per-session token and verifies that
 * state-changing requests carry it back (or the configured shared secret).
 *
 * @author Amos Fong
 */
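public class SessionAuthToken implements AuthToken {

	/**
	 * Verifies the request's anti-CSRF token.
	 *
	 * <p>The request is accepted when (1) its struts action or portlet is on
	 * the configured ignore list, (2) the {@code p_auth} parameter equals the
	 * portal-level token stored in the session, or (3) a shared secret is
	 * configured and the {@code p_auth_secret} parameter equals its digest.
	 *
	 * <p>Both token comparisons use a constant-time byte comparison so that a
	 * remote caller cannot learn a token character by character from response
	 * timing. The shared-secret path is only consulted when the property is
	 * actually set: the digest of a blank secret is a fixed value, and
	 * accepting it would turn "not configured" into a publicly known
	 * credential.
	 *
	 * <p>Note that only the portal-level token is verified here; tokens
	 * issued per portlet by {@link #getToken(HttpServletRequest, long,
	 * String)} are not consulted by this method.
	 *
	 * @param  request the current request
	 * @throws PrincipalException if none of the accepted tokens matches
	 */
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_isTokenEqual(
				sessionAuthenticationToken, requestAuthenticationToken)) {

			return;
		}

		if (Validator.isNotNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			String propertiesAuthenticationTokenSharedSecret =
				Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET);

			String requestAuthenticationTokenSharedSecret =
				ParamUtil.getString(request, "p_auth_secret");

			if (_isTokenEqual(
					propertiesAuthenticationTokenSharedSecret,
					requestAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-level token for the request's session, creating it
	 * on first use.
	 *
	 * @param  request the current request
	 * @return the session's portal-level authentication token
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token for the given portlet instance on the given layout,
	 * creating it on first use. The key is the portlet permission primary key
	 * derived from {@code plid} and {@code portletId}.
	 *
	 * @param  request the current request
	 * @param  plid the layout's primary key
	 * @param  portletId the portlet's ID
	 * @return the session token for that portlet instance
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under {@code WebKeys.AUTHENTICATION_TOKEN +
	 * key} in the request's session, generating and storing a new one when
	 * none is present.
	 *
	 * @param  request the current request; a session is created if needed
	 * @param  key suffix that scopes the token (portal-wide or per portlet)
	 * @return the stored or newly generated token
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {

			// NOTE(review): the token's unpredictability rests entirely on
			// PwdGenerator drawing from a cryptographically strong RNG;
			// confirm against PwdGenerator's implementation.

			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns whether the request's struts action is exempt from the token
	 * check. The portlet ID and struts action are read from request
	 * parameters, so the decision is made on client-supplied values; the
	 * exemption is constrained by {@link #isIgnoreAction(long, String,
	 * String)} to actions that belong to the named portlet.
	 *
	 * @param  request the current request
	 * @return {@code true} if the action is exempt
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		long companyId = PortalUtil.getCompanyId(request);

		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(companyId, ppid, strutsAction);
	}

	/**
	 * Returns whether {@code strutsAction} is on the configured ignore list
	 * <em>and</em> its path (the action with the leading slash and final
	 * segment removed, e.g. {@code /a/b/c} becomes {@code a/b}) matches the
	 * struts path or parent struts path of the portlet {@code ppid}. Any
	 * failure to resolve the portlet is treated as "not exempt" so the token
	 * check still runs.
	 *
	 * @param  companyId the company to resolve the portlet in
	 * @param  ppid the portlet ID named by the request
	 * @param  strutsAction the struts action named by the request
	 * @return {@code true} if the action is exempt
	 */
	protected boolean isIgnoreAction(
		long companyId, String ppid, String strutsAction) {

		if (strutsAction == null) {
			return false;
		}

		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		if (!authTokenIgnoreActions.contains(strutsAction)) {
			return false;
		}

		// Without a slash beyond the first character there is no path to
		// compare; treat the action as not exempt rather than rely on an
		// exception from substring()

		int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

		if (lastSlash < 1) {
			return false;
		}

		String strutsPath = strutsAction.substring(1, lastSlash);

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (portlet == null) {
				return false;
			}

			return strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath());
		}
		catch (Exception e) {

			// Best-effort lookup: a failure to resolve the portlet must not
			// exempt the request, so fail closed and keep the token check

			return false;
		}
	}

	/**
	 * Returns whether the portlet named by the request's {@code p_p_id}
	 * parameter is exempt from the token check.
	 *
	 * @param  request the current request
	 * @return {@code true} if the portlet is exempt
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns whether the root portlet ID of {@code portletId} (instance
	 * suffix stripped) is on the configured ignore list.
	 *
	 * @param  portletId the portlet ID, possibly an instance ID
	 * @return {@code true} if the portlet is exempt
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares two tokens without leaking, through timing, how many leading
	 * bytes agree. A {@code null} on either side never matches.
	 *
	 * @param  expected the token the server holds
	 * @param  actual the token supplied by the client
	 * @return {@code true} if both are non-null and byte-for-byte equal
	 */
	private static boolean _isTokenEqual(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _PORTAL = "PORTAL";

}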