001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.ac;
016    
017    import com.liferay.portal.kernel.util.MapUtil;
018    import com.liferay.portal.kernel.util.SetUtil;
019    import com.liferay.portal.kernel.util.StringUtil;
020    import com.liferay.portal.security.auth.AccessControlContext;
021    import com.liferay.portal.security.auth.AuthSettingsUtil;
022    import com.liferay.portal.security.permission.PermissionChecker;
023    import com.liferay.portal.security.permission.PermissionThreadLocal;
024    
025    import java.lang.reflect.Method;
026    
027    import java.util.Set;
028    
029    import javax.servlet.http.HttpServletRequest;
030    
031    /**
032     * @author Tomas Polesovsky
033     * @author Igor Spasic
034     * @author Michael C. Han
035     * @author Raymond Aug??
036     */
037    public class AccessControlAdvisorImpl implements AccessControlAdvisor {
038    
039            @Override
040            public void accept(Method method, AccessControlled accessControlled)
041                    throws SecurityException {
042    
043                    if (accessControlled.hostAllowedValidationEnabled()) {
044                            checkAllowedHosts();
045                    }
046    
047                    PermissionChecker permissionChecker =
048                            PermissionThreadLocal.getPermissionChecker();
049    
050                    if (!accessControlled.guestAccessEnabled() &&
051                            ((permissionChecker == null) || !permissionChecker.isSignedIn())) {
052    
053                            throw new SecurityException("Authenticated access required");
054                    }
055            }
056    
057            protected void checkAllowedHosts() {
058                    AccessControlContext accessControlContext =
059                            AccessControlUtil.getAccessControlContext();
060    
061                    if (accessControlContext == null) {
062                            return;
063                    }
064    
065                    HttpServletRequest request = accessControlContext.getRequest();
066    
067                    String hostsAllowedString = MapUtil.getString(
068                            accessControlContext.getSettings(), "hosts.allowed");
069    
070                    String[] hostsAllowed = StringUtil.split(hostsAllowedString);
071    
072                    Set<String> hostsAllowedSet = SetUtil.fromArray(hostsAllowed);
073    
074                    if (!AuthSettingsUtil.isAccessAllowed(request, hostsAllowedSet)) {
075                            throw new SecurityException(
076                                    "Access denied for " + request.getRemoteAddr());
077                    }
078            }
079    
080    }