001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
030    
031    /**
032     * @author Amos Fong
033     */
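public class SessionAuthToken implements AuthToken {

	/**
	 * Checks the CSRF token of a request that arrived through the security
	 * portlet container wrapper.
	 *
	 * @param  request the request carrying the token
	 * @throws PrincipalException if the submitted token does not match the
	 *         one stored in the session
	 */
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Validates the request's CSRF token against the token stored in the
	 * session. The check is skipped when token checking is disabled, when a
	 * valid shared secret is passed as <code>p_auth_secret</code>, when the
	 * origin is whitelisted, or, for portlet container requests, when the
	 * portlet and struts action are whitelisted.
	 *
	 * @param  request the request; the token is read from the
	 *         <code>p_auth</code> parameter, falling back to the
	 *         <code>X-CSRF-Token</code> header
	 * @param  origin the class name identifying the caller
	 * @throws PrincipalException if the submitted token does not match the
	 *         session token, or if no session token exists yet
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
				companyId, origin)) {

			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			String portletNamespace = PortalUtil.getPortletNamespace(ppid);

			String strutsAction = ParamUtil.getString(
				request, portletNamespace + "struts_action");

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					companyId, ppid, strutsAction)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Do not create a token here: with no session token yet the
		// comparison below fails and the request is rejected

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		if (!_isEqual(csrfToken, sessionToken)) {
			throw new PrincipalException("Invalid authentication token");
		}
	}

	/**
	 * Returns the session's CSRF token, creating it if it does not exist yet.
	 *
	 * @param  request the request whose session holds the token
	 * @return the CSRF token
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's invocation token for a portlet on a layout,
	 * creating it if it does not exist yet.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the primary key of the layout
	 * @param  portletId the portlet ID
	 * @return the portlet invocation token
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether a portlet invocation is allowed: either the portlet and
	 * struts action are whitelisted, or the given token value matches the
	 * invocation token stored in the session for that portlet and layout.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the primary key of the layout
	 * @param  portletId the portlet ID
	 * @param  strutsAction the struts action being invoked
	 * @param  tokenValue the token submitted with the request, may be
	 *         <code>null</code> or empty
	 * @return <code>true</code> if the invocation is whitelisted or the token
	 *         matches; <code>false</code> otherwise
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				companyId, portletId, strutsAction)) {

			return true;
		}

		if (Validator.isNotNull(tokenValue)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			// Never create the token while validating, otherwise a request
			// without a token could mint one that matches nothing

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			if (Validator.isNotNull(sessionToken) &&
				_isEqual(tokenValue, sessionToken)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Reads the authentication token stored under
	 * {@link WebKeys#AUTHENTICATION_TOKEN} + <code>key</code>, looking in the
	 * session of each {@link HttpServletRequestWrapper} layer of the request
	 * before the unwrapped request. Optionally generates and stores a new
	 * token when none is found.
	 *
	 * @param  request the request, possibly a chain of wrappers
	 * @param  key the suffix distinguishing the token (CSRF or a portlet
	 *         primary key)
	 * @param  createToken whether to generate and store a token if none exists
	 * @return the token, or <code>null</code> if none exists and
	 *         <code>createToken</code> is <code>false</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			// getSession() with no argument creates a session if the
			// request does not have one yet

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		// Only reached with a null session when the request was not wrapped
		// at all. When every wrapper lacked the token, the innermost
		// wrapper's session stays selected and the fully unwrapped request's
		// session is not consulted; a new token is then stored there.

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a submitted token with the expected one without short-circuiting
	 * on the first differing byte, so that the time taken does not reveal how
	 * much of the expected token the submitted value got right. Only the
	 * content is hidden; {@link MessageDigest#isEqual(byte[], byte[])} returns
	 * early when the lengths differ.
	 *
	 * @param  submitted the request-controlled value
	 * @param  expected the token stored in the session, possibly
	 *         <code>null</code>
	 * @return <code>true</code> if both are non-<code>null</code> and equal;
	 *         <code>false</code> otherwise
	 */
	private static boolean _isEqual(String submitted, String expected) {
		if ((submitted == null) || (expected == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			submitted.getBytes(StandardCharsets.UTF_8),
			expected.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

}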