001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.util.CharPool;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
034    
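/**
 * Session-scoped authentication token ({@code p_auth}) that ties a
 * state-changing portal request to the session that rendered the page.
 *
 * <p>
 * A request passes {@link #check(HttpServletRequest)} when either the
 * {@code p_auth} parameter equals the token stored in the caller's session, or
 * the {@code p_auth_secret} parameter equals the digest of
 * {@code PropsValues.AUTH_TOKEN_SHARED_SECRET}. The shared-secret path is only
 * honored when that property is non-empty: the digest of an empty value is a
 * fixed, publicly computable string, so accepting it would let any client skip
 * the session token altogether.
 * </p>
 *
 * <p>
 * Requests whose struts action is in
 * {@code PortalUtil.getAuthTokenIgnoreActions()} (and belongs to the portlet
 * named by {@code p_p_id}) or whose root portlet is in
 * {@code PortalUtil.getAuthTokenIgnorePortlets()} are exempt from the check.
 * </p>
 *
 * @author Amos Fong
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Validates the authentication token carried by the request.
	 *
	 * @param  request the request to validate
	 * @throws PrincipalException if the request is not exempt and neither the
	 *         session token nor the configured shared secret matches
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_isEqual(requestAuthenticationToken, sessionAuthenticationToken)) {
			return;
		}

		// Only fall back to the shared secret when one is actually configured.
		// With an empty property the digest below is a constant that any
		// client could supply, turning the fallback into a bypass of the
		// session token.

		if (Validator.isNotNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			String propertiesAuthenticationTokenSharedSecret =
				Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET);

			String requestAuthenticationTokenSharedSecret = ParamUtil.getString(
				request, "p_auth_secret");

			if (_isEqual(
					requestAuthenticationTokenSharedSecret,
					propertiesAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide token for the request's session, creating and
	 * storing one if the session does not have it yet.
	 *
	 * @param  request the request whose session holds the token
	 * @return the session's portal-wide authentication token
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token for a specific portlet instance on a layout, creating
	 * and storing one in the session if it does not exist yet.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout ID
	 * @param  portletId the portlet ID
	 * @return the session's authentication token for that portlet instance
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Reads the token stored under {@code WebKeys.AUTHENTICATION_TOKEN + key}
	 * in the request's session, generating and storing a fresh one when it is
	 * absent.
	 *
	 * <p>
	 * The read and the write are not synchronized; two concurrent first
	 * requests on the same session may each generate a token, with the later
	 * write winning.
	 * </p>
	 *
	 * @param  request the request whose session holds the token
	 * @param  key the scope suffix appended to the session attribute name
	 * @return the token stored for that key, never {@code null}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns whether the struts action named in the request is exempt from
	 * the token check.
	 *
	 * @param  request the request carrying {@code p_p_id} and the namespaced
	 *         {@code struts_action} parameter
	 * @return {@code true} if the action is exempt
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		long companyId = PortalUtil.getCompanyId(request);

		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(companyId, ppid, strutsAction);
	}

	/**
	 * Returns whether the struts action is exempt from the token check. An
	 * action is exempt only if it is listed in
	 * {@code PortalUtil.getAuthTokenIgnoreActions()} <em>and</em> its path
	 * matches the struts path (or parent struts path) of the portlet
	 * identified by {@code ppid}, so a listed action cannot be claimed under an
	 * unrelated portlet ID.
	 *
	 * @param  companyId the company ID used to look up the portlet
	 * @param  ppid the portlet ID from the request
	 * @param  strutsAction the struts action, expected as {@code /path/action}
	 * @return {@code true} if the action is exempt; {@code false} when it is
	 *         not listed, malformed, the portlet is unknown, or the lookup
	 *         fails
	 */
	protected boolean isIgnoreAction(
		long companyId, String ppid, String strutsAction) {

		if (strutsAction == null) {
			return false;
		}

		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		if (!authTokenIgnoreActions.contains(strutsAction)) {
			return false;
		}

		// A listed action without a "/path/" prefix has no struts path to
		// compare against, so it cannot be matched to a portlet

		int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

		if (lastSlash < 1) {
			return false;
		}

		String strutsPath = strutsAction.substring(1, lastSlash);

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (portlet == null) {
				return false;
			}

			if (strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath())) {

				return true;
			}
		}
		catch (Exception ignored) {

			// A failed portlet lookup must never widen the exemption; fall
			// through and require the full token check

		}

		return false;
	}

	/**
	 * Returns whether the portlet named by the request's {@code p_p_id} is
	 * exempt from the token check.
	 *
	 * @param  request the request carrying {@code p_p_id}
	 * @return {@code true} if the portlet is exempt
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns whether the portlet's root portlet ID is listed in
	 * {@code PortalUtil.getAuthTokenIgnorePortlets()}.
	 *
	 * @param  portletId the (possibly instanced) portlet ID
	 * @return {@code true} if the root portlet is exempt
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares a request-supplied value with an expected value without
	 * short-circuiting on the first differing byte, so that repeated guesses
	 * cannot narrow down the expected value through response timing.
	 *
	 * @param  value the value supplied by the request, may be {@code null}
	 * @param  expected the value it must match, may be {@code null}
	 * @return {@code true} if both are non-{@code null} and byte-for-byte equal
	 */
	private static boolean _isEqual(String value, String expected) {
		if ((value == null) || (expected == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			value.getBytes(StandardCharsets.UTF_8),
			expected.getBytes(StandardCharsets.UTF_8));
	}

	// Key suffix for the portal-wide token, as opposed to per-portlet tokens

	private static final String _PORTAL = "PORTAL";

}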