23 package com.liferay.filters.secure;
24
25 import com.liferay.portal.kernel.log.Log;
26 import com.liferay.portal.kernel.log.LogFactoryUtil;
27 import com.liferay.portal.kernel.servlet.BaseFilter;
28 import com.liferay.portal.kernel.util.GetterUtil;
29 import com.liferay.portal.kernel.util.StringMaker;
30 import com.liferay.portal.kernel.util.StringPool;
31 import com.liferay.portal.kernel.util.StringUtil;
32 import com.liferay.portal.kernel.util.Validator;
33 import com.liferay.portal.util.PropsUtil;
34 import com.liferay.util.CollectionFactory;
35 import com.liferay.util.Http;
36
37 import java.io.IOException;
38
39 import java.util.Set;
40
41 import javax.servlet.FilterChain;
42 import javax.servlet.FilterConfig;
43 import javax.servlet.ServletException;
44 import javax.servlet.ServletRequest;
45 import javax.servlet.ServletResponse;
46 import javax.servlet.http.HttpServletRequest;
47 import javax.servlet.http.HttpServletResponse;
48
49
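/**
 * Servlet filter that (1) restricts access to a list of allowed client IP
 * addresses and (2) optionally forces requests onto HTTPS.
 *
 * <p>Settings come either from filter init parameters ({@code hosts.allowed},
 * {@code https.required}) or, when the init parameter
 * {@code portal_property_prefix} is set, from the portal properties
 * {@code <prefix>hosts.allowed} and {@code <prefix>https.required}.</p>
 *
 * <p>Review notes:</p>
 * <ul>
 * <li>The allow list is matched against {@code getRemoteAddr()}, i.e. the TCP
 * peer. Behind a reverse proxy or load balancer every request carries the
 * proxy's address, so the list then admits everything or nothing; this filter
 * does not consult {@code X-Forwarded-For} (and should not without a trusted
 * proxy list).</li>
 * <li>The special entry {@code SERVER_IP} admits requests that originate from
 * the server itself. It is detected by comparing the peer address with the
 * address the request was received on ({@code getLocalAddr()}, Servlet 2.4+).
 * The earlier comparison against {@code getServerName()} was unsafe: that
 * value comes from the client-controlled {@code Host} header, so any remote
 * client could pass the check by sending its own IP as the Host.</li>
 * <li>The HTTPS redirect keeps the host from the request's {@code Host} header
 * and assumes port 443; there is no configuration for another port.</li>
 * </ul>
 */
public class SecureFilter extends BaseFilter {

    /**
     * Reads the allow list and the HTTPS flag from init parameters or, when
     * {@code portal_property_prefix} is present, from portal properties.
     *
     * @param config filter configuration supplied by the container
     * @throws ServletException propagated from {@link BaseFilter#init}
     */
    public void init(FilterConfig config) throws ServletException {
        super.init(config);

        String propertyPrefix =
            config.getInitParameter("portal_property_prefix");

        String[] hostsAllowedArray;

        if (Validator.isNull(propertyPrefix)) {
            // No prefix: settings come straight from the web.xml init params.
            hostsAllowedArray = StringUtil.split(
                config.getInitParameter("hosts.allowed"));
            _httpsRequired = GetterUtil.getBoolean(
                config.getInitParameter("https.required"));
        }
        else {
            // Prefix given: settings come from portal properties.
            hostsAllowedArray = PropsUtil.getArray(
                propertyPrefix + "hosts.allowed");
            _httpsRequired = GetterUtil.getBoolean(
                PropsUtil.get(propertyPrefix + "https.required"));
        }

        // Defensive: neither helper is known (from here) to promise a non-null
        // array. A missing setting means "no restriction", not an NPE at
        // startup. Entries are added verbatim; an empty entry still counts as
        // a restriction (non-empty list), so a bad value fails closed.
        if (hostsAllowedArray != null) {
            for (int i = 0; i < hostsAllowedArray.length; i++) {
                _hostsAllowed.add(hostsAllowedArray[i]);
            }
        }
    }

    /**
     * Applies the IP allow list and then, if required, the HTTPS redirect.
     *
     * <p>Order matters: a peer that is not allowed is rejected with 403 before
     * any redirect is issued, and the chain is only invoked when both checks
     * pass (or the request is already secure / HTTPS is not required).</p>
     *
     * @param req   the request, expected to be an {@link HttpServletRequest}
     * @param res   the response, expected to be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException      from {@code sendError}/{@code sendRedirect} or
     *                          the chain
     * @throws ServletException from the chain
     */
    public void doFilter(
            ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpReq = (HttpServletRequest)req;
        HttpServletResponse httpRes = (HttpServletResponse)res;

        String remoteAddr = httpReq.getRemoteAddr();

        // 1. IP allow list: unknown peers get 403 and never reach the chain.
        if (!isAccessAllowed(httpReq)) {
            if (_log.isErrorEnabled()) {
                _log.error("Access denied for " + remoteAddr);
            }

            httpRes.sendError(
                HttpServletResponse.SC_FORBIDDEN,
                "Access denied for " + remoteAddr);

            return;
        }

        if (_log.isDebugEnabled()) {
            _log.debug("Access allowed for " + remoteAddr);

            if (_httpsRequired) {
                _log.debug("https is required");
            }
            else {
                _log.debug("https is not required");
            }
        }

        String completeURL = Http.getCompleteURL(httpReq);

        // 2. HTTPS enforcement. isSecure() reflects the connection the
        //    container itself saw; behind a TLS-terminating proxy it is false
        //    unless the container is told to trust the proxy's scheme header,
        //    in which case this would loop. NOTE(review): deployment concern,
        //    not fixable here.
        if (_httpsRequired && !httpReq.isSecure()) {
            if (_log.isDebugEnabled()) {
                _log.debug("Securing " + completeURL);
            }

            String redirectURL = _buildHttpsURL(httpReq);

            if (_log.isDebugEnabled()) {
                _log.debug("Redirect to " + redirectURL);
            }

            httpRes.sendRedirect(redirectURL);
        }
        else {
            if (_log.isDebugEnabled()) {
                _log.debug("Not securing " + completeURL);
            }

            doFilter(SecureFilter.class, req, res, chain);
        }
    }

    /**
     * Decides whether the request's peer address is permitted.
     *
     * <p>An empty allow list permits everyone. Otherwise the peer address
     * ({@code getRemoteAddr()}) must be listed, or the list must contain the
     * token {@code SERVER_IP} and the request must originate from this host,
     * i.e. the peer address equals the local address the request arrived on
     * ({@code getLocalAddr()}, Servlet 2.4+).</p>
     *
     * <p>{@code getServerName()} must not be used for the SERVER_IP
     * comparison: it is derived from the {@code Host} header, which the
     * client controls, so a remote client could satisfy it by sending its own
     * address as the Host. Note that behind a proxy on the same machine both
     * addresses are the loopback address, so SERVER_IP then admits all
     * proxied traffic; that is the inherent limit of peer-IP allow listing.</p>
     *
     * @param req the current request
     * @return {@code true} if the peer may proceed
     */
    protected boolean isAccessAllowed(HttpServletRequest req) {
        if (_hostsAllowed.isEmpty()) {
            return true;
        }

        String remoteAddr = req.getRemoteAddr();

        if (_hostsAllowed.contains(remoteAddr)) {
            return true;
        }

        if (_hostsAllowed.contains(_SERVER_IP)) {
            String localAddr = req.getLocalAddr();

            return (localAddr != null) && localAddr.equals(remoteAddr);
        }

        return false;
    }

    /**
     * Builds the HTTPS equivalent of the current request URL.
     *
     * <p>Uses {@code getRequestURI()} (context path + servlet path + path
     * info, still URL-encoded) so the redirect lands on the same resource; the
     * previous code appended {@code getServletPath()} alone, which by the
     * servlet spec excludes the context path and any extra path info, so
     * requests under a non-root context or with path info were redirected to
     * the wrong location. The host is copied from the request's Host header
     * and the port is implicitly 443.</p>
     *
     * @param req the current (plain HTTP) request
     * @return absolute {@code https://} URL, query string preserved
     */
    private String _buildHttpsURL(HttpServletRequest req) {
        StringMaker redirectURL = new StringMaker();

        redirectURL.append(Http.HTTPS_WITH_SLASH);
        redirectURL.append(req.getServerName());
        redirectURL.append(req.getRequestURI());

        String queryString = req.getQueryString();

        if (Validator.isNotNull(queryString)) {
            redirectURL.append(StringPool.QUESTION);
            redirectURL.append(queryString);
        }

        return redirectURL.toString();
    }

    /** Allow-list token meaning "requests that originate from this host". */
    private static final String _SERVER_IP = "SERVER_IP";

    private static final Log _log = LogFactoryUtil.getLog(SecureFilter.class);

    /** Allowed peer IP addresses (may include SERVER_IP); empty = allow all. */
    private final Set _hostsAllowed = CollectionFactory.getHashSet();

    /** Redirect plain-HTTP requests to HTTPS when true. */
    private boolean _httpsRequired;

}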