015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.CharPool;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
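/**
 * {@link AuthToken} implementation backed by a random token stored in the
 * HTTP session.
 *
 * <p>A request is accepted when its {@code p_auth} parameter matches the
 * session token for the portal, or when its {@code p_auth_secret} parameter
 * matches the digest of the configured shared secret. Requests targeting a
 * struts action or a portlet on the portal's ignore lists are not checked
 * at all.
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Verifies the authentication token carried by {@code request}.
	 *
	 * <p>The shared-secret path is only available when a non-blank secret is
	 * configured; see {@link #_matchesSharedSecret(HttpServletRequest)}. Both
	 * comparisons are done in constant time so that the response time does not
	 * depend on how many leading characters of the token are correct.
	 *
	 * @param request the current request; {@code p_auth}, {@code p_auth_secret}
	 *        and {@code p_p_id} are read from it
	 * @throws PrincipalException if neither the session token nor the shared
	 *         secret matches
	 */
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_constantTimeEquals(
				requestAuthenticationToken, sessionAuthenticationToken)) {

			return;
		}

		if (_matchesSharedSecret(request)) {
			return;
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide session token, creating it on first use.
	 *
	 * @param request the current request
	 * @return the session token for the portal scope
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the session token scoped to a portlet instance on a layout,
	 * creating it on first use.
	 *
	 * @param request the current request
	 * @param plid the layout's primary key
	 * @param portletId the portlet id
	 * @return the session token for that portlet scope
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under {@code WebKeys.AUTHENTICATION_TOKEN}
	 * suffixed with {@code key}; when absent or blank, generates a new one
	 * with {@link PwdGenerator#getPassword()} and stores it.
	 *
	 * @param request the current request; a session is created if needed
	 * @param key the scope suffix for the session attribute name
	 * @return the existing or newly generated token, never blank
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Reads the company, {@code p_p_id} and the namespaced
	 * {@code struts_action} from the request and delegates to
	 * {@link #isIgnoreAction(long, String, String)}.
	 *
	 * @param request the current request
	 * @return {@code true} if the targeted struts action is exempt from the
	 *         token check
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		long companyId = PortalUtil.getCompanyId(request);

		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(companyId, ppid, strutsAction);
	}

	/**
	 * Returns whether {@code strutsAction} is on the portal's ignore list
	 * <em>and</em> belongs to the portlet {@code ppid} (its struts path or its
	 * parent's). Any failure to resolve the portlet fails closed, i.e. the
	 * action is not ignored and the token check still runs.
	 *
	 * @param companyId the company the portlet is looked up in
	 * @param ppid the portlet id from the request
	 * @param strutsAction the struts action path, expected as {@code /path/action}
	 * @return {@code true} only when the action is exempt for this portlet
	 */
	protected boolean isIgnoreAction(
		long companyId, String ppid, String strutsAction) {

		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		if (!authTokenIgnoreActions.contains(strutsAction)) {
			return false;
		}

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (portlet == null) {
				return false;
			}

			int slashIndex = strutsAction.lastIndexOf(CharPool.SLASH);

			// No path component before the action name: nothing to match
			// against the portlet's struts path (previously surfaced as an
			// index exception and fell through to false)

			if (slashIndex < 1) {
				return false;
			}

			String strutsPath = strutsAction.substring(1, slashIndex);

			if (strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath())) {

				return true;
			}
		}
		catch (Exception e) {

			// Deliberately fail closed: if the portlet cannot be resolved the
			// action is treated as not ignored and the token is enforced

		}

		return false;
	}

	/**
	 * Reads {@code p_p_id} from the request and delegates to
	 * {@link #isIgnorePortlet(String)}.
	 *
	 * @param request the current request
	 * @return {@code true} if the targeted portlet is exempt from the token
	 *         check
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns whether the root portlet id of {@code portletId} (instance
	 * suffix stripped) is on the portal's ignore list.
	 *
	 * @param portletId the portlet id, possibly an instance id
	 * @return {@code true} if the root portlet is exempt from the token check
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares two strings without short-circuiting on the first differing
	 * byte. {@code null} on either side never matches.
	 */
	private static boolean _constantTimeEquals(String a, String b) {
		if ((a == null) || (b == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			a.getBytes(StandardCharsets.UTF_8),
			b.getBytes(StandardCharsets.UTF_8));
	}

	/**
	 * Returns whether {@code p_auth_secret} equals the digest of
	 * {@code PropsValues.AUTH_TOKEN_SHARED_SECRET}.
	 *
	 * <p>A blank configured secret never matches: the digest of an empty
	 * string is a fixed, well-known value, so accepting it would let this path
	 * be taken without knowledge of any secret. A blank request parameter is
	 * likewise rejected before any digest work is done.
	 */
	private boolean _matchesSharedSecret(HttpServletRequest request) {
		String sharedSecret = PropsValues.AUTH_TOKEN_SHARED_SECRET;

		if (Validator.isNull(sharedSecret)) {
			return false;
		}

		String requestAuthenticationTokenSharedSecret = ParamUtil.getString(
			request, "p_auth_secret");

		if (Validator.isNull(requestAuthenticationTokenSharedSecret)) {
			return false;
		}

		return _constantTimeEquals(
			requestAuthenticationTokenSharedSecret,
			Encryptor.digest(sharedSecret));
	}

	private static final String _PORTAL = "PORTAL";

}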