001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.servlet;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.io.ProtectedObjectInputStream;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.util.MethodHandler;
023    import com.liferay.portal.kernel.util.MethodKey;
024    import com.liferay.portal.kernel.util.ObjectValuePair;
025    import com.liferay.portal.security.ac.AccessControlThreadLocal;
026    import com.liferay.portal.security.auth.HttpPrincipal;
027    
028    import java.io.IOException;
029    import java.io.ObjectInputStream;
030    import java.io.ObjectOutputStream;
031    
032    import java.lang.reflect.InvocationTargetException;
033    
034    import javax.servlet.http.HttpServlet;
035    import javax.servlet.http.HttpServletRequest;
036    import javax.servlet.http.HttpServletResponse;
037    
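/**
 * Servlet endpoint that reads a Java-serialized
 * {@code ObjectValuePair<HttpPrincipal, MethodHandler>} from the POST body,
 * invokes the carried {@link MethodHandler}, and writes the Java-serialized
 * result (or a serialized exception) to the response body.
 *
 * <p>
 * Security note: the request body is decoded with native Java deserialization
 * before any check in this class runs. {@link #isValidRequest(Class)} only
 * constrains which method is invoked afterwards; which classes may be
 * instantiated while the stream is being read depends entirely on
 * {@link ProtectedObjectInputStream}, whose filtering rules are not visible
 * in this file. This class also never inspects the {@link HttpPrincipal} half
 * of the pair, so authentication and caller restrictions are presumably
 * enforced in front of this servlet (filter or container configuration) --
 * confirm for the deployment.
 * </p>
 *
 * @author Michael Weisser
 * @author Brian Wing Shun Chan
 */
public class TunnelServlet extends HttpServlet {

    /**
     * Handles one tunneled invocation.
     *
     * <p>
     * Nothing is written to the response when the stream cannot be opened,
     * when the payload is malformed or rejected, or when the invoked method
     * returns {@code null}.
     * </p>
     *
     * @param  request the request whose body holds the serialized pair
     * @param  response the response that receives the serialized result
     * @throws IOException if the result cannot be written to the response
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException {

        ObjectInputStream ois;

        try {
            ois = new ProtectedObjectInputStream(request.getInputStream());
        }
        catch (IOException ioe) {
            if (_log.isWarnEnabled()) {
                _log.warn(ioe, ioe);
            }

            return;
        }

        Object returnObj = null;

        // Remember the caller's flag so the finally block can restore it.

        boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();

        try {
            AccessControlThreadLocal.setRemoteAccess(true);

            // REVIEW(security): native deserialization of the request body.
            // The object graph is fully materialized here, before
            // isValidRequest is consulted, so the class filtering applied by
            // ProtectedObjectInputStream is the only control on what gets
            // instantiated at this point.

            Object payload = ois.readObject();

            // Check the shape explicitly instead of relying on a
            // ClassCastException or NullPointerException being swallowed by
            // the generic catch block below.

            if (!(payload instanceof ObjectValuePair)) {
                if (_log.isWarnEnabled()) {
                    _log.warn(
                        "Rejecting tunnel request with unexpected payload " +
                            "type " +
                                ((payload == null) ? "null" :
                                    payload.getClass().getName()));
                }

                return;
            }

            Object value = ((ObjectValuePair<?, ?>)payload).getValue();

            if ((value != null) && !(value instanceof MethodHandler)) {
                if (_log.isWarnEnabled()) {
                    _log.warn(
                        "Rejecting tunnel request with unexpected value " +
                            "type " + value.getClass().getName());
                }

                return;
            }

            MethodHandler methodHandler = (MethodHandler)value;

            if (methodHandler != null) {
                MethodKey methodKey = methodHandler.getMethodKey();

                Class<?> declaringClass = null;

                if (methodKey != null) {
                    declaringClass = methodKey.getDeclaringClass();
                }

                if ((declaringClass == null) ||
                    !isValidRequest(declaringClass)) {

                    // A rejected target is worth a log line: it is either a
                    // misbehaving client or a probe of the endpoint.

                    if (_log.isWarnEnabled()) {
                        _log.warn(
                            "Rejecting tunnel request for declaring class " +
                                ((declaringClass == null) ? "null" :
                                    declaringClass.getName()));
                    }

                    return;
                }

                returnObj = methodHandler.invoke(true);
            }
        }
        catch (InvocationTargetException ite) {
            returnObj = ite.getCause();

            // A PortalException is sent back to the client as is. Any other
            // cause is logged here and replaced by a SystemException that
            // carries only its message.

            if (!(returnObj instanceof PortalException)) {
                _log.error(ite, ite);

                if (returnObj != null) {
                    Throwable throwable = (Throwable)returnObj;

                    returnObj = new SystemException(throwable.getMessage());
                }
                else {
                    returnObj = new SystemException();
                }
            }
        }
        catch (Exception e) {
            _log.error(e, e);
        }
        finally {
            AccessControlThreadLocal.setRemoteAccess(remoteAccess);

            // The input stream was previously never closed on any path.

            try {
                ois.close();
            }
            catch (IOException ioe) {
                if (_log.isWarnEnabled()) {
                    _log.warn(ioe, ioe);
                }
            }
        }

        if (returnObj != null) {
            try {
                ObjectOutputStream oos = new ObjectOutputStream(
                    response.getOutputStream());

                oos.writeObject(returnObj);

                oos.flush();
                oos.close();
            }
            catch (IOException ioe) {
                _log.error(ioe, ioe);

                throw ioe;
            }
        }
    }

    /**
     * Returns whether methods declared on the given class may be invoked
     * through the tunnel.
     *
     * <p>
     * The decision is made on the class name alone: it must contain
     * {@code ".service."}, end with {@code "ServiceUtil"}, and not end with
     * {@code "LocalServiceUtil"}. The check is not tied to a package prefix,
     * so any loadable class whose name fits the pattern is accepted.
     * </p>
     *
     * @param  clazz the declaring class of the requested method
     * @return {@code true} if the class name matches the pattern
     */
    protected boolean isValidRequest(Class<?> clazz) {
        String className = clazz.getName();

        return className.contains(".service.") &&
            className.endsWith("ServiceUtil") &&
            !className.endsWith("LocalServiceUtil");
    }

    private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);

}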