015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.CharPool;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
034
035
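/**
 * Session-bound implementation of {@link AuthToken}.
 *
 * <p>A random token is generated per HTTP session (and per portlet instance
 * when a plid/portletId key is supplied), stored as a session attribute, and
 * must be echoed back by the client in the {@code p_auth} request parameter.
 * {@link #check(HttpServletRequest)} alternatively accepts the digest of the
 * configured shared secret in {@code p_auth_secret}, so that trusted
 * non-browser callers can pass the check without a session token.</p>
 *
 * <p>Two exemptions skip the check entirely: Struts actions listed in
 * {@link PortalUtil#getAuthTokenIgnoreActions()} (scoped to the portlet whose
 * Struts path owns the action) and portlets listed in
 * {@link PortalUtil#getAuthTokenIgnorePortlets()}. Both exemptions are selected
 * by request parameters ({@code p_p_id}, {@code struts_action}), so the ignore
 * lists should be kept as small as possible.</p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Verifies that the request carries a valid authentication token.
	 *
	 * <p>The request passes when either the {@code p_auth} parameter equals the
	 * portal-wide session token, or the {@code p_auth_secret} parameter equals
	 * the digest of a <em>configured</em> shared secret. The shared-secret path
	 * is only available when {@code PropsValues.AUTH_TOKEN_SHARED_SECRET} is
	 * non-blank: the digest of an empty secret is a fixed, publicly computable
	 * value and would otherwise let any caller skip the check. Comparisons are
	 * constant-time so response timing does not reveal partial matches.</p>
	 *
	 * @param  request the current request
	 * @throws PrincipalException if the request is not exempt and neither
	 *         token matches
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_constantTimeEquals(
				requestAuthenticationToken, sessionAuthenticationToken)) {

			return;
		}

		String sharedSecret = PropsValues.AUTH_TOKEN_SHARED_SECRET;

		// A blank shared secret disables the secret-based path entirely;
		// comparing against the digest of "" would accept a well-known
		// constant from anyone.

		if (Validator.isNotNull(sharedSecret)) {
			String propertiesAuthenticationTokenSharedSecret =
				Encryptor.digest(sharedSecret);

			String requestAuthenticationTokenSharedSecret =
				ParamUtil.getString(request, "p_auth_secret");

			if (_constantTimeEquals(
					requestAuthenticationTokenSharedSecret,
					propertiesAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide token for the caller's session, creating one if
	 * the session does not have one yet.
	 *
	 * @param  request the current request
	 * @return the session-bound authentication token
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token bound to a specific portlet instance on a layout,
	 * creating one if the session does not have one yet.
	 *
	 * @param  request the current request
	 * @param  plid the layout's primary key
	 * @param  portletId the portlet instance ID
	 * @return the session-bound token for that portlet instance
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Reads the token stored under {@code WebKeys.AUTHENTICATION_TOKEN + key}
	 * in the session, generating and storing a new one when absent or blank.
	 *
	 * <p>{@code request.getSession()} creates a session if none exists, so a
	 * token is always returned. Token strength is whatever
	 * {@link PwdGenerator#getPassword()} provides — NOTE(review): confirm it
	 * is backed by a cryptographically secure random source.</p>
	 *
	 * @param  request the current request
	 * @param  key suffix that scopes the token (portal-wide or per portlet)
	 * @return the existing or newly created token
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Determines whether the Struts action named by the request is exempt from
	 * the token check.
	 *
	 * <p>Both the portlet ID ({@code p_p_id}) and the namespaced
	 * {@code struts_action} parameter are read from the request, so the
	 * caller chooses which exemption is evaluated; the portlet-scope match in
	 * {@link #isIgnoreAction(long, String, String)} is intended to keep an
	 * ignored action from exempting requests aimed at unrelated portlets.</p>
	 *
	 * @param  request the current request
	 * @return whether the token check may be skipped for this request
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		long companyId = PortalUtil.getCompanyId(request);

		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(companyId, ppid, strutsAction);
	}

	/**
	 * Returns {@code true} when {@code strutsAction} is in the ignore list
	 * <em>and</em> its path belongs to the portlet identified by
	 * {@code ppid} (its own or its parent's Struts path).
	 *
	 * <p>Fails closed: a missing portlet, an action string without a usable
	 * path component, or a failing portlet lookup all leave the token check in
	 * force.</p>
	 *
	 * @param  companyId the company the portlet is looked up in
	 * @param  ppid the portlet ID from the request
	 * @param  strutsAction the Struts action, expected as {@code /path/action}
	 * @return whether the token check may be skipped for this action
	 */
	protected boolean isIgnoreAction(
		long companyId, String ppid, String strutsAction) {

		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		if ((strutsAction == null) ||
			!authTokenIgnoreActions.contains(strutsAction)) {

			return false;
		}

		// The path is everything between the leading slash and the last
		// slash. With no slash past position 0 there is nothing to match
		// against a portlet, so the exemption does not apply (this replaces
		// the StringIndexOutOfBoundsException the old substring relied on).

		int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

		if (lastSlash < 1) {
			return false;
		}

		String strutsPath = strutsAction.substring(1, lastSlash);

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (portlet == null) {
				return false;
			}

			return strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath());
		}
		catch (Exception ignored) {

			// Deliberately fail closed: if the portlet lookup fails we cannot
			// prove the action is exempt, so the token stays required.

			return false;
		}
	}

	/**
	 * Determines whether the portlet named by the request's {@code p_p_id}
	 * parameter is exempt from the token check.
	 *
	 * @param  request the current request
	 * @return whether the token check may be skipped for this request
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns whether the portlet's root ID, as computed by
	 * {@link PortletConstants#getRootPortletId(String)}, is listed in
	 * {@link PortalUtil#getAuthTokenIgnorePortlets()}.
	 *
	 * @param  portletId the portlet ID from the request
	 * @return {@code true} if requests to this portlet skip the check
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares two token strings without short-circuiting on the first
	 * differing byte, so that response timing does not leak how much of a
	 * guess was correct. Either argument may be {@code null}; two
	 * {@code null}s compare equal, {@code null} never equals a string.
	 *
	 * @param  actual the value supplied by the caller
	 * @param  expected the value the caller must match
	 * @return {@code true} if both are non-null and byte-for-byte equal, or
	 *         both are {@code null}
	 */
	private static boolean _constantTimeEquals(
		String actual, String expected) {

		if ((actual == null) || (expected == null)) {
			return (actual == null) && (expected == null);
		}

		return MessageDigest.isEqual(
			actual.getBytes(StandardCharsets.UTF_8),
			expected.getBytes(StandardCharsets.UTF_8));
	}

	/** Session-attribute key suffix for the portal-wide (non-portlet) token. */
	private static final String _PORTAL = "PORTAL";

}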