015 package com.liferay.portal.security.ac;
016
017 import com.liferay.portal.kernel.util.MapUtil;
018 import com.liferay.portal.kernel.util.SetUtil;
019 import com.liferay.portal.kernel.util.StringUtil;
020 import com.liferay.portal.security.auth.AccessControlContext;
021 import com.liferay.portal.security.auth.AuthSettingsUtil;
022 import com.liferay.portal.security.permission.PermissionChecker;
023 import com.liferay.portal.security.permission.PermissionThreadLocal;
024
025 import java.lang.reflect.Method;
026
027 import java.util.Set;
028
029 import javax.servlet.http.HttpServletRequest;
030
031
/**
 * Access-control advisor that gates a call on two conditions taken from its
 * {@link AccessControlled} settings: an optional check of the caller's host
 * against the "hosts.allowed" setting, and a signed-in check whenever guest
 * access is not enabled.
 */
public class AccessControlAdvisorImpl implements AccessControlAdvisor {

    /**
     * Rejects the call unless it passes the checks requested by
     * {@code accessControlled}.
     *
     * <p>The host check runs first, so a caller from a host that is not
     * allowed is rejected before authentication is looked at.</p>
     *
     * @param method the method being invoked; not consulted by this
     *        implementation
     * @param accessControlled the settings that select which checks apply
     * @throws SecurityException if the host check fails, or if guest access
     *         is not enabled and there is no signed-in permission checker
     */
    @Override
    public void accept(Method method, AccessControlled accessControlled)
        throws SecurityException {

        if (accessControlled.hostAllowedValidationEnabled()) {
            checkAllowedHosts();
        }

        // Identity comes from whatever PermissionThreadLocal currently holds.
        // A missing checker is treated the same as an unauthenticated caller.
        PermissionChecker checker =
            PermissionThreadLocal.getPermissionChecker();

        if (accessControlled.guestAccessEnabled()) {
            return;
        }

        if ((checker != null) && checker.isSignedIn()) {
            return;
        }

        throw new SecurityException("Authenticated access required");
    }

    /**
     * Verifies the current request against the "hosts.allowed" setting of
     * the active access-control context.
     *
     * @throws SecurityException if {@code AuthSettingsUtil.isAccessAllowed}
     *         rejects the request for the configured host set
     */
    protected void checkAllowedHosts() {
        AccessControlContext context =
            AccessControlUtil.getAccessControlContext();

        // Without a context the host check is skipped, not failed.
        // NOTE(review): this path applies no allow-list at all; confirm that
        // only trusted in-process callers can arrive here without a context.
        if (context == null) {
            return;
        }

        HttpServletRequest request = context.getRequest();

        // NOTE(review): the delimiter used by StringUtil.split, and whether
        // an empty or missing "hosts.allowed" value means "allow all" or
        // "deny all", are decided outside this class; verify before relying
        // on an unset value.
        Set<String> allowedHosts = SetUtil.fromArray(
            StringUtil.split(
                MapUtil.getString(context.getSettings(), "hosts.allowed")));

        if (AuthSettingsUtil.isAccessAllowed(request, allowedHosts)) {
            return;
        }

        // NOTE(review): request is dereferenced here, so this assumes
        // getRequest() is non-null whenever a context exists. The address
        // reported is the direct peer, which behind a reverse proxy is the
        // proxy itself; how isAccessAllowed derives the client address is
        // not visible here.
        throw new SecurityException(
            "Access denied for " + request.getRemoteAddr());
    }

}