015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.util.GetterUtil;
018 import com.liferay.portal.kernel.util.ParamUtil;
019 import com.liferay.portal.kernel.util.Validator;
020 import com.liferay.portal.kernel.util.WebKeys;
021 import com.liferay.portal.service.permission.PortletPermissionUtil;
022 import com.liferay.portal.util.PortalUtil;
023 import com.liferay.portal.util.PropsValues;
024 import com.liferay.portlet.SecurityPortletContainerWrapper;
025 import com.liferay.util.PwdGenerator;
026
027 import javax.servlet.http.HttpServletRequest;
028 import javax.servlet.http.HttpServletRequestWrapper;
029 import javax.servlet.http.HttpSession;
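public class SessionAuthToken implements AuthToken {

	/**
	 * Runs the CSRF check for a portlet request, passing the portlet container
	 * wrapper's class name as the origin so that the portlet-level whitelist is
	 * consulted.
	 *
	 * @param request the current request
	 * @throws PrincipalException if the request carries no valid CSRF token
	 */
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Validates the CSRF token of a request.
	 *
	 * <p>The check is skipped when it is disabled by configuration, when the
	 * request carries a valid shared secret (<code>p_auth_secret</code>), when
	 * the origin is CSRF-whitelisted for the company, or, for the portlet
	 * container origin, when the portlet's struts action is whitelisted.
	 * Otherwise the token taken from the <code>p_auth</code> parameter
	 * (falling back to the <code>X-CSRF-Token</code> header) must equal the
	 * token already stored in the session. A session that holds no token, or
	 * an empty submitted token, never validates.
	 *
	 * @param request the current request
	 * @param origin the caller's origin, used for the whitelist lookups
	 * @throws PrincipalException if the token is missing or does not match
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		// A valid shared secret bypasses the CSRF check completely, so the
		// secret is as sensitive as a session credential and must never be
		// logged or placed in a URL that is cached or referred.
		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
				companyId, origin)) {

			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			String portletNamespace = PortalUtil.getPortletNamespace(ppid);

			String strutsAction = ParamUtil.getString(
				request, portletNamespace + "struts_action");

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					companyId, ppid, strutsAction)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Never mint a token here: a request that arrives before the session
		// has one must fail rather than create the value it is checked against.
		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		// Reject empty values outright so that an empty session attribute can
		// never be matched by an empty submission.
		if (Validator.isNull(sessionToken) || Validator.isNull(csrfToken)) {
			throw new PrincipalException("Invalid authentication token");
		}

		// Constant-time comparison: the session token is a secret, and the
		// submitted value is attacker-controlled.
		if (!_constantTimeEquals(sessionToken, csrfToken)) {
			throw new PrincipalException("Invalid authentication token");
		}
	}

	/**
	 * Returns the session's CSRF token, creating and storing one if the
	 * session does not have one yet.
	 *
	 * @param request the current request
	 * @return the CSRF token bound to the request's session
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's portlet invocation token for the given layout and
	 * portlet, creating and storing one if the session does not have one yet.
	 *
	 * @param request the current request
	 * @param plid the layout (page) id
	 * @param portletId the portlet id
	 * @return the invocation token bound to the session for that key
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Checks a portlet invocation token.
	 *
	 * <p>Returns <code>true</code> when the portlet's struts action is
	 * whitelisted for the company, or when a non-empty token value equals the
	 * token stored in the session for the layout/portlet key. No token is
	 * created by this check.
	 *
	 * @param request the current request
	 * @param plid the layout (page) id
	 * @param portletId the portlet id
	 * @param strutsAction the struts action being invoked
	 * @param tokenValue the token submitted with the request
	 * @return <code>true</code> if the invocation is whitelisted or the token
	 *         matches; <code>false</code> otherwise
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				companyId, portletId, strutsAction)) {

			return true;
		}

		if (Validator.isNotNull(tokenValue)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			// Constant-time comparison, as in checkCSRFToken
			if (Validator.isNotNull(sessionToken) &&
				_constantTimeEquals(sessionToken, tokenValue)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Looks up the token stored in the session under the given key, walking
	 * through request wrappers until one of them yields a non-empty value.
	 *
	 * <p>The session attribute name is {@link WebKeys#AUTHENTICATION_TOKEN}
	 * concatenated with <code>key</code>. When <code>createToken</code> is set
	 * and no token was found, a new one is generated and stored in the last
	 * session that was consulted.
	 *
	 * <p>NOTE(review): when at least one wrapper is present, the loop exits
	 * with <code>session</code> already set, so the innermost (unwrapped)
	 * request's session is never consulted. This is harmless when wrappers
	 * delegate <code>getSession()</code>, which is the default; confirm that
	 * no wrapper in the chain overrides it with a different session.
	 *
	 * @param request the current request, possibly wrapped
	 * @param key the token key appended to the attribute-name prefix
	 * @param createToken whether to generate and store a token when absent
	 * @return the token, or <code>null</code> if none exists and
	 *         <code>createToken</code> is <code>false</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {
			// NOTE(review): the token's unpredictability rests entirely on
			// PwdGenerator; confirm it is backed by a CSPRNG (SecureRandom)
			// and that AUTH_TOKEN_LENGTH is large enough to resist guessing.
			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares two tokens in time that does not depend on the position of the
	 * first differing character, so that timing cannot be used to recover the
	 * session token one character at a time.
	 *
	 * <p>Characters are compared directly, with no charset encoding step, so
	 * for non-null arguments the result is exactly that of
	 * {@link String#equals(Object)}. A <code>null</code> on either side never
	 * matches. The running time reveals only the shorter length, which is not
	 * secret.
	 *
	 * @param expected the token held by the server
	 * @param actual the token submitted with the request
	 * @return <code>true</code> if both are non-null and equal
	 */
	private static boolean _constantTimeEquals(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		// Fold a length mismatch into the result rather than returning early
		int result = expected.length() ^ actual.length();

		int length = Math.min(expected.length(), actual.length());

		for (int i = 0; i < length; i++) {
			result |= expected.charAt(i) ^ actual.charAt(i);
		}

		return result == 0;
	}

	private static final String _CSRF = "#CSRF";

}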