001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.util.MethodHandler;
022    import com.liferay.portal.kernel.util.MethodKey;
023    import com.liferay.portal.kernel.util.ObjectValuePair;
024    import com.liferay.portal.security.ac.AccessControlThreadLocal;
025    import com.liferay.portal.security.auth.HttpPrincipal;
026    
027    import java.io.IOException;
028    import java.io.ObjectInputStream;
029    import java.io.ObjectOutputStream;
030    
031    import java.lang.reflect.InvocationTargetException;
032    
033    import javax.servlet.http.HttpServlet;
034    import javax.servlet.http.HttpServletRequest;
035    import javax.servlet.http.HttpServletResponse;
036    
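/**
 * Servlet endpoint that reads a Java-serialized
 * {@code ObjectValuePair<HttpPrincipal, MethodHandler>} from the POST body,
 * invokes the contained {@link MethodHandler}, and writes the result (or the
 * resulting exception) back to the caller as a Java-serialized object.
 *
 * <p>
 * Security review notes:
 * </p>
 *
 * <ul>
 * <li>
 * The request body is handed to {@link ObjectInputStream#readObject()} before
 * any check in this class runs. {@link #isValidRequest(Class)} only limits
 * which method is invoked afterwards; it does not limit which serializable
 * classes are instantiated while the stream is being read. Native
 * deserialization of data from an untrusted caller is unsafe. Restrict who
 * can reach this endpoint (network or filter layer), and restrict the classes
 * the stream may resolve (an allow-list in a {@code resolveClass} override, or
 * the JVM serialization filter where the runtime provides one).
 * </li>
 * <li>
 * This class never reads the {@link HttpPrincipal} half of the pair and does
 * no authentication of its own. Presumably that is enforced by a filter or by
 * the invoked service; confirm against the deployment descriptor.
 * </li>
 * <li>
 * Exceptions raised by the invoked method are serialized back to the caller,
 * including the message text of non-portal exceptions.
 * </li>
 * </ul>
 *
 * @author Michael Weisser
 * @author Brian Wing Shun Chan
 */
public class TunnelServlet extends HttpServlet {

	/**
	 * Deserializes the request body, validates the target class, invokes the
	 * requested method, and serializes the outcome into the response.
	 *
	 * <p>
	 * Nothing is written to the response when the stream header is invalid,
	 * the payload is not an {@code ObjectValuePair}, the target class is
	 * rejected, or the invocation yields {@code null}.
	 * </p>
	 *
	 * @param  request the servlet request whose body carries the serialized
	 *         pair
	 * @param  response the servlet response that receives the serialized
	 *         result
	 * @throws IOException if writing the serialized result to the response
	 *         fails
	 */
	@Override
	public void doPost(HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		ObjectInputStream ois;

		try {

			// The constructor reads the serialization stream header, so a
			// body that is not a serialization stream is rejected here.

			ois = new ObjectInputStream(request.getInputStream());
		}
		catch (IOException ioe) {
			if (_log.isWarnEnabled()) {
				_log.warn(ioe, ioe);
			}

			return;
		}

		Object returnObj = null;

		// Remember the caller's flag so the finally block can restore it.

		boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();

		try {
			AccessControlThreadLocal.setRemoteAccess(true);

			// SECURITY: native deserialization of request-supplied bytes. The
			// whole object graph is materialized here, before the type check
			// and before isValidRequest. See the class comment for the
			// mitigations this endpoint depends on.

			Object payload = ois.readObject();

			// Reject anything that is not the expected envelope explicitly
			// instead of relying on a ClassCastException or a
			// NullPointerException reaching the catch-all below.

			if (!(payload instanceof ObjectValuePair)) {
				if (_log.isWarnEnabled()) {
					String payloadType = "null";

					if (payload != null) {
						payloadType = payload.getClass().getName();
					}

					_log.warn(
						"Rejecting tunnel request with unexpected payload " +
							"type " + payloadType);
				}

				return;
			}

			// The type arguments cannot be verified at runtime. A value that
			// is not a MethodHandler fails at the assignment below and is
			// handled by the catch-all.

			@SuppressWarnings("unchecked")
			ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
				(ObjectValuePair<HttpPrincipal, MethodHandler>)payload;

			MethodHandler methodHandler = ovp.getValue();

			if (methodHandler != null) {
				MethodKey methodKey = methodHandler.getMethodKey();

				if (methodKey == null) {
					if (_log.isWarnEnabled()) {
						_log.warn(
							"Rejecting tunnel request without a method key");
					}

					return;
				}

				Class<?> declaringClass = methodKey.getDeclaringClass();

				if (!isValidRequest(declaringClass)) {

					// Record the refused target so that probing of this
					// endpoint is visible in the logs.

					if (_log.isWarnEnabled()) {
						_log.warn(
							"Rejecting tunnel request for class " +
								declaringClass.getName());
					}

					return;
				}

				// NOTE(review): the meaning of the boolean argument is defined
				// by MethodHandler and is not visible in this file.

				returnObj = methodHandler.invoke(true);
			}
		}
		catch (InvocationTargetException ite) {
			returnObj = ite.getCause();

			// A PortalException is returned to the caller unchanged. Any
			// other cause is logged and replaced by a SystemException that
			// carries only its message.

			if (!(returnObj instanceof PortalException)) {
				_log.error(ite, ite);

				if (returnObj != null) {
					Throwable throwable = (Throwable)returnObj;

					returnObj = new SystemException(throwable.getMessage());
				}
				else {
					returnObj = new SystemException();
				}
			}
		}
		catch (Exception e) {

			// Covers deserialization failures and other errors from the
			// invocation path. returnObj stays null, so nothing is written.

			_log.error(e, e);
		}
		finally {
			AccessControlThreadLocal.setRemoteAccess(remoteAccess);
		}

		if (returnObj != null) {
			try {
				ObjectOutputStream oos = new ObjectOutputStream(
					response.getOutputStream());

				oos.writeObject(returnObj);

				oos.flush();
				oos.close();
			}
			catch (IOException ioe) {
				_log.error(ioe, ioe);

				throw ioe;
			}
		}
	}

	/**
	 * Decides from the class name alone whether a method declared on the
	 * class may be invoked through the tunnel.
	 *
	 * <p>
	 * The name must contain {@code ".service."} and end with
	 * {@code "ServiceUtil"}, but must not end with
	 * {@code "LocalServiceUtil"}. This is a naming-pattern check. It runs only
	 * after the request has already been deserialized, so it is not a defense
	 * against a hostile serialized payload.
	 * </p>
	 *
	 * @param  clazz the declaring class of the requested method
	 * @return {@code true} if the class name matches the pattern;
	 *         {@code false} otherwise
	 */
	protected boolean isValidRequest(Class<?> clazz) {
		String className = clazz.getName();

		return className.contains(".service.") &&
			className.endsWith("ServiceUtil") &&
			!className.endsWith("LocalServiceUtil");
	}

	private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);

}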