015 package com.liferay.portal.servlet.filters.secure;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.servlet.HttpHeaders;
020 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
021 import com.liferay.portal.kernel.util.GetterUtil;
022 import com.liferay.portal.kernel.util.Http;
023 import com.liferay.portal.kernel.util.HttpUtil;
024 import com.liferay.portal.kernel.util.StringBundler;
025 import com.liferay.portal.kernel.util.StringPool;
026 import com.liferay.portal.kernel.util.StringUtil;
027 import com.liferay.portal.kernel.util.Validator;
028 import com.liferay.portal.model.User;
029 import com.liferay.portal.security.auth.AuthSettingsUtil;
030 import com.liferay.portal.security.auth.CompanyThreadLocal;
031 import com.liferay.portal.security.auth.PrincipalThreadLocal;
032 import com.liferay.portal.security.permission.PermissionChecker;
033 import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
034 import com.liferay.portal.security.permission.PermissionThreadLocal;
035 import com.liferay.portal.service.UserLocalServiceUtil;
036 import com.liferay.portal.servlet.filters.BasePortalFilter;
037 import com.liferay.portal.util.Portal;
038 import com.liferay.portal.util.PortalInstances;
039 import com.liferay.portal.util.PortalUtil;
040 import com.liferay.portal.util.PropsUtil;
041 import com.liferay.portal.util.WebKeys;
042
043 import java.util.HashSet;
044 import java.util.Set;
045
046 import javax.servlet.FilterChain;
047 import javax.servlet.FilterConfig;
048 import javax.servlet.http.HttpServletRequest;
049 import javax.servlet.http.HttpServletResponse;
050 import javax.servlet.http.HttpSession;
051
052
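/**
 * Servlet filter that gates the resources it is mapped to in three stages,
 * each of which stops the filter chain on failure:
 * <ol>
 * <li>the remote host must pass {@code AuthSettingsUtil.isAccessAllowed}
 *     against the configured host allow-list, otherwise a 403 is sent;</li>
 * <li>when HTTPS is required and the request is not secure, the client is
 *     redirected to the HTTPS form of the same URL;</li>
 * <li>when the portal resolves only the default user for the request, HTTP
 *     Digest or Basic authentication is attempted (Digest takes precedence
 *     when both are enabled) and a 401 challenge is written when no valid
 *     credentials are present.</li>
 * </ol>
 *
 * <p>Configuration is read from the filter's init parameters, or from portal
 * properties when {@code portal_property_prefix} is set; see
 * {@link #init(FilterConfig)}.</p>
 */
public class SecureFilter extends BasePortalFilter {

	/**
	 * Reads the filter configuration.
	 *
	 * <p>{@code basic_auth}, {@code digest_auth} and
	 * {@code use_permission_checker} are always read from the init
	 * parameters. {@code hosts.allowed} and {@code https.required} are read
	 * from the init parameters unless {@code portal_property_prefix} is set,
	 * in which case they are read from the portal properties under that
	 * prefix.</p>
	 *
	 * @param filterConfig the servlet container's filter configuration
	 */
	@Override
	public void init(FilterConfig filterConfig) {
		super.init(filterConfig);

		_basicAuthEnabled = GetterUtil.getBoolean(
			filterConfig.getInitParameter("basic_auth"));
		_digestAuthEnabled = GetterUtil.getBoolean(
			filterConfig.getInitParameter("digest_auth"));

		String propertyPrefix = filterConfig.getInitParameter(
			"portal_property_prefix");

		String[] hostsAllowed = null;

		if (Validator.isNull(propertyPrefix)) {
			hostsAllowed = StringUtil.split(
				filterConfig.getInitParameter("hosts.allowed"));
			_httpsRequired = GetterUtil.getBoolean(
				filterConfig.getInitParameter("https.required"));
		}
		else {
			hostsAllowed = PropsUtil.getArray(propertyPrefix + "hosts.allowed");
			_httpsRequired = GetterUtil.getBoolean(
				PropsUtil.get(propertyPrefix + "https.required"));
		}

		// Guard against a null array so a missing property cannot fail init
		if (hostsAllowed != null) {
			for (String hostAllowed : hostsAllowed) {
				_hostsAllowed.add(hostAllowed);
			}
		}

		_usePermissionChecker = GetterUtil.getBoolean(
			filterConfig.getInitParameter("use_permission_checker"));
	}

	/**
	 * Authenticates the request with HTTP Basic authentication.
	 *
	 * <p>If the session already records an authenticated user id (stored by
	 * {@link #setCredentials}), the request is wrapped as that user without
	 * re-reading the credentials. Otherwise the user id is resolved through
	 * {@code PortalUtil.getBasicAuthUserId}; an exception there is logged and
	 * treated as "no valid credentials", so the client is challenged
	 * again.</p>
	 *
	 * @param  request the current request
	 * @param  response the current response; receives the
	 *         {@code WWW-Authenticate} header and a 401 status when no valid
	 *         credentials are present
	 * @return the request wrapped with the authenticated user, or
	 *         {@code null} when a 401 challenge was written and the chain must
	 *         not continue
	 * @throws Exception if the user or the thread locals cannot be set up
	 */
	protected HttpServletRequest basicAuth(
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		HttpSession session = request.getSession();

		long userId = GetterUtil.getLong(
			(String)session.getAttribute(_AUTHENTICATED_USER));

		if (userId > 0) {
			request = new ProtectedServletRequest(
				request, String.valueOf(userId), HttpServletRequest.BASIC_AUTH);

			initThreadLocals(request);
		}
		else {
			try {
				userId = PortalUtil.getBasicAuthUserId(request);
			}
			catch (Exception e) {
				_log.error(e, e);
			}

			if (userId > 0) {
				request = setCredentials(
					request, session, userId, HttpServletRequest.BASIC_AUTH);
			}
			else {
				response.setHeader(HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);
				response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

				return null;
			}
		}

		return request;
	}

	/**
	 * Authenticates the request with HTTP Digest authentication.
	 *
	 * <p>Mirrors {@link #basicAuth}: a user id already recorded in the session
	 * is reused; otherwise the user id is resolved through
	 * {@code PortalUtil.getDigestAuthUserId}, and a failure is logged and
	 * treated as "no valid credentials". The 401 challenge carries a nonce
	 * generated by {@code NonceUtil.generate} from the request's company id
	 * and remote address.</p>
	 *
	 * @param  request the current request
	 * @param  response the current response; receives the
	 *         {@code WWW-Authenticate} header and a 401 status when no valid
	 *         credentials are present
	 * @return the request wrapped with the authenticated user, or
	 *         {@code null} when a 401 challenge was written and the chain must
	 *         not continue
	 * @throws Exception if the user or the thread locals cannot be set up
	 */
	protected HttpServletRequest digestAuth(
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		HttpSession session = request.getSession();

		long userId = GetterUtil.getLong(
			(String)session.getAttribute(_AUTHENTICATED_USER));

		if (userId > 0) {
			request = new ProtectedServletRequest(
				request, String.valueOf(userId),
				HttpServletRequest.DIGEST_AUTH);

			initThreadLocals(request);
		}
		else {
			try {
				userId = PortalUtil.getDigestAuthUserId(request);
			}
			catch (Exception e) {
				_log.error(e, e);
			}

			if (userId > 0) {
				request = setCredentials(
					request, session, userId, HttpServletRequest.DIGEST_AUTH);
			}
			else {

				// Every challenge gets a freshly generated nonce for this
				// company and remote address

				long companyId = PortalInstances.getCompanyId(request);

				String remoteAddress = request.getRemoteAddr();

				String nonce = NonceUtil.generate(companyId, remoteAddress);

				StringBundler sb = new StringBundler(4);

				sb.append(_DIGEST_REALM);
				sb.append(", nonce=\"");
				sb.append(nonce);
				sb.append("\"");

				response.setHeader(HttpHeaders.WWW_AUTHENTICATE, sb.toString());
				response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

				return null;
			}
		}

		return request;
	}

	/**
	 * Binds the user stored in the session under {@code WebKeys.USER} to the
	 * current thread, then stores the password obtained from
	 * {@code PortalUtil.getUserPassword} in {@code PrincipalThreadLocal}.
	 *
	 * @param  request the current request; its session must already hold the
	 *         user (see {@link #setCredentials})
	 * @throws Exception if the thread locals cannot be set up
	 */
	protected void initThreadLocals(HttpServletRequest request)
		throws Exception {

		HttpSession session = request.getSession();

		User user = (User)session.getAttribute(WebKeys.USER);

		initThreadLocals(user);

		PrincipalThreadLocal.setPassword(PortalUtil.getUserPassword(request));
	}

	/**
	 * Binds the user's company id and user id to the current thread and, when
	 * {@code use_permission_checker} is enabled, creates a permission checker
	 * for the user unless one is already bound to the thread.
	 *
	 * @param  user the user to bind; must not be {@code null}
	 * @throws Exception if the permission checker cannot be created
	 */
	protected void initThreadLocals(User user) throws Exception {
		CompanyThreadLocal.setCompanyId(user.getCompanyId());

		PrincipalThreadLocal.setName(user.getUserId());

		if (!_usePermissionChecker) {
			return;
		}

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		// An existing checker (e.g. bound by an outer filter) is kept as is
		if (permissionChecker != null) {
			return;
		}

		permissionChecker = PermissionCheckerFactoryUtil.create(user);

		PermissionThreadLocal.setPermissionChecker(permissionChecker);
	}

	/**
	 * Applies the host allow-list, the HTTPS requirement and, for requests
	 * that resolve only to the default user, Digest or Basic authentication
	 * before continuing the chain.
	 *
	 * <p>The chain is not continued when the host is denied (403 sent), when
	 * the request was redirected to HTTPS, or when an authentication method
	 * wrote a 401 challenge and returned {@code null}.</p>
	 *
	 * @param  request the current request
	 * @param  response the current response
	 * @param  filterChain the remaining filter chain
	 * @throws Exception if authentication or the downstream chain fails
	 */
	@Override
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		String remoteAddr = request.getRemoteAddr();

		if (AuthSettingsUtil.isAccessAllowed(request, _hostsAllowed)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Access allowed for " + remoteAddr);
			}
		}
		else {
			if (_log.isWarnEnabled()) {
				_log.warn("Access denied for " + remoteAddr);
			}

			response.sendError(
				HttpServletResponse.SC_FORBIDDEN,
				"Access denied for " + remoteAddr);

			return;
		}

		if (_log.isDebugEnabled()) {
			if (_httpsRequired) {
				_log.debug("https is required");
			}
			else {
				_log.debug("https is not required");
			}
		}

		if (_httpsRequired && !request.isSecure()) {
			if (_log.isDebugEnabled()) {
				String completeURL = HttpUtil.getCompleteURL(request);

				_log.debug("Securing " + completeURL);
			}

			// Rebuild the full request path as context path + servlet path +
			// path info. Appending only the servlet path drops the path info
			// and any non-root context path from the redirect target.
			StringBundler redirectURL = new StringBundler(7);

			redirectURL.append(Http.HTTPS_WITH_SLASH);

			// NOTE(review): per the Servlet API, getServerName() is taken from
			// the Host header when one is present, so the redirect host is only
			// as trustworthy as the container/proxy's host handling; confirm a
			// canonical host is enforced upstream of this filter.
			redirectURL.append(request.getServerName());
			redirectURL.append(request.getContextPath());
			redirectURL.append(request.getServletPath());

			String pathInfo = request.getPathInfo();

			if (pathInfo != null) {
				redirectURL.append(pathInfo);
			}

			String queryString = request.getQueryString();

			if (Validator.isNotNull(queryString)) {
				redirectURL.append(StringPool.QUESTION);
				redirectURL.append(queryString);
			}

			if (_log.isDebugEnabled()) {
				_log.debug("Redirect to " + redirectURL);
			}

			response.sendRedirect(redirectURL.toString());
		}
		else {
			if (_log.isDebugEnabled()) {
				String completeURL = HttpUtil.getCompleteURL(request);

				_log.debug("Not securing " + completeURL);
			}

			User user = PortalUtil.getUser(request);

			if (user == null) {
				user = PortalUtil.initUser(request);
			}

			initThreadLocals(user);

			if (!user.isDefaultUser()) {

				// Already authenticated by the portal; no HTTP auth type

				request = setCredentials(
					request, request.getSession(), user.getUserId(), null);
			}
			else {
				if (_digestAuthEnabled) {
					request = digestAuth(request, response);
				}
				else if (_basicAuthEnabled) {
					request = basicAuth(request, response);
				}
			}

			// A null request means an authentication method already wrote
			// the 401 challenge
			if (request != null) {
				processFilter(getClass(), request, response, filterChain);
			}
		}
	}

	/**
	 * Loads the user, wraps the request so it reports that user and the given
	 * auth type, records the user and the user id in the session, and binds
	 * the thread locals.
	 *
	 * @param  request the current request
	 * @param  session the session in which the user and user id are stored
	 * @param  userId the id of the authenticated user
	 * @param  authType the {@code HttpServletRequest} auth type constant, or
	 *         {@code null} when the user was authenticated by the portal
	 * @return the wrapped request
	 * @throws Exception if the user cannot be loaded or the thread locals
	 *         cannot be set up
	 */
	protected HttpServletRequest setCredentials(
			HttpServletRequest request, HttpSession session, long userId,
			String authType)
		throws Exception {

		User user = UserLocalServiceUtil.getUser(userId);

		String userIdString = String.valueOf(userId);

		request = new ProtectedServletRequest(request, userIdString, authType);

		// NOTE(review): the session id is not rotated here when the session
		// transitions to authenticated; confirm session fixation protection is
		// handled elsewhere in the portal's session handling.
		session.setAttribute(WebKeys.USER, user);
		session.setAttribute(_AUTHENTICATED_USER, userIdString);

		initThreadLocals(request);

		return request;
	}

	/**
	 * Overrides the {@code use_permission_checker} setting read in
	 * {@link #init(FilterConfig)}.
	 *
	 * @param usePermissionChecker whether a permission checker is created for
	 *        the authenticated user
	 */
	protected void setUsePermissionChecker(boolean usePermissionChecker) {
		_usePermissionChecker = usePermissionChecker;
	}

	// Session attribute holding the id of the user authenticated by this filter
	private static final String _AUTHENTICATED_USER =
		SecureFilter.class + "_AUTHENTICATED_USER";

	private static final String _BASIC_REALM =
		"Basic realm=\"" + Portal.PORTAL_REALM + "\"";

	private static final String _DIGEST_REALM =
		"Digest realm=\"" + Portal.PORTAL_REALM + "\"";

	private static final Log _log = LogFactoryUtil.getLog(SecureFilter.class);

	private boolean _basicAuthEnabled;
	private boolean _digestAuthEnabled;
	private Set<String> _hostsAllowed = new HashSet<String>();
	private boolean _httpsRequired;
	private boolean _usePermissionChecker;

}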