015 package com.liferay.portal.servlet;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.exception.SystemException;
019 import com.liferay.portal.kernel.io.ProtectedObjectInputStream;
020 import com.liferay.portal.kernel.log.Log;
021 import com.liferay.portal.kernel.log.LogFactoryUtil;
022 import com.liferay.portal.kernel.util.MethodHandler;
023 import com.liferay.portal.kernel.util.MethodKey;
024 import com.liferay.portal.kernel.util.ObjectValuePair;
025 import com.liferay.portal.security.ac.AccessControlThreadLocal;
026 import com.liferay.portal.security.auth.HttpPrincipal;
027 import com.liferay.portal.security.permission.PermissionChecker;
028 import com.liferay.portal.security.permission.PermissionThreadLocal;
029
030 import java.io.IOException;
031 import java.io.ObjectInputStream;
032 import java.io.ObjectOutputStream;
033
034 import java.lang.reflect.InvocationTargetException;
035
036 import javax.servlet.http.HttpServlet;
037 import javax.servlet.http.HttpServletRequest;
038 import javax.servlet.http.HttpServletResponse;
039
040
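/**
 * Servlet endpoint for tunneled remote service invocations.
 *
 * <p>A client POSTs a Java-serialized {@code ObjectValuePair} whose value is
 * the {@link MethodHandler} to run. The caller must already be signed in, the
 * target class must pass {@link #isValidRequest(Class)}, and the invocation
 * result (or the exception it raised) is serialized back to the client.</p>
 */
public class TunnelServlet extends HttpServlet {

	/**
	 * Reads one serialized invocation from the request body, executes it and
	 * writes the result to the response.
	 *
	 * <p>Rejected requests (no signed-in permission checker, or a declaring
	 * class that fails {@link #isValidRequest(Class)}) answer with
	 * {@code SC_FORBIDDEN} and an empty body. A request whose body cannot be
	 * opened as an object stream is logged and answered with an empty body.</p>
	 *
	 * <p>NOTE(review): this endpoint deserializes client-supplied bytes with
	 * Java native serialization. {@link ProtectedObjectInputStream} is relied
	 * upon to restrict what the stream may resolve; keep that stream type here
	 * and never replace it with a plain {@link ObjectInputStream}.</p>
	 *
	 * @param request the tunnel request carrying the serialized invocation
	 * @param response the response to which the result is serialized
	 * @throws IOException if writing the result to the response fails
	 */
	@Override
	public void doPost(HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		if ((permissionChecker == null) || !permissionChecker.isSignedIn()) {
			if (_log.isWarnEnabled()) {
				_log.warn("Unauthenticated access is forbidden");
			}

			response.setStatus(HttpServletResponse.SC_FORBIDDEN);

			return;
		}

		ObjectInputStream ois;

		try {
			ois = new ProtectedObjectInputStream(request.getInputStream());
		}
		catch (IOException ioe) {
			if (_log.isWarnEnabled()) {
				_log.warn(ioe, ioe);
			}

			return;
		}

		// NOTE(review): ois is deliberately not closed here, as closing it
		// would close the container-owned request stream — confirm

		Object returnObj = null;

		// Remember the caller's flag so it is restored exactly in the finally
		boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();

		try {
			AccessControlThreadLocal.setRemoteAccess(true);

			// The stream contents are untrusted; a payload of any other type
			// fails this cast and is logged by the generic catch below
			@SuppressWarnings("unchecked")
			ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
				(ObjectValuePair<HttpPrincipal, MethodHandler>)ois.readObject();

			MethodHandler methodHandler = ovp.getValue();

			if (methodHandler != null) {
				MethodKey methodKey = methodHandler.getMethodKey();

				Class<?> declaringClass = methodKey.getDeclaringClass();

				if (!isValidRequest(declaringClass)) {

					// Reject explicitly instead of answering 200 with an empty
					// body, and leave a trace for the operator, mirroring the
					// unauthenticated branch above

					if (_log.isWarnEnabled()) {
						_log.warn(
							"Rejected tunnel request for " +
								declaringClass.getName());
					}

					response.setStatus(HttpServletResponse.SC_FORBIDDEN);

					return;
				}

				returnObj = methodHandler.invoke(true);
			}
		}
		catch (InvocationTargetException ite) {

			// A PortalException raised by the service is returned to the
			// client as-is; anything else is logged and wrapped so only the
			// message crosses the wire

			returnObj = ite.getCause();

			if (!(returnObj instanceof PortalException)) {
				_log.error(ite, ite);

				if (returnObj != null) {
					Throwable throwable = (Throwable)returnObj;

					returnObj = new SystemException(throwable.getMessage());
				}
				else {
					returnObj = new SystemException();
				}
			}
		}
		catch (Exception e) {
			_log.error(e, e);
		}
		finally {
			AccessControlThreadLocal.setRemoteAccess(remoteAccess);
		}

		if (returnObj != null) {
			ObjectOutputStream oos = null;

			try {
				oos = new ObjectOutputStream(response.getOutputStream());

				oos.writeObject(returnObj);

				oos.flush();
			}
			catch (IOException ioe) {
				_log.error(ioe, ioe);

				throw ioe;
			}
			finally {

				// Closed on every path so a failed writeObject does not leave
				// the response stream open

				if (oos != null) {
					oos.close();
				}
			}
		}
	}

	/**
	 * Returns whether the declaring class of a tunneled call may be invoked.
	 *
	 * <p>Only classes in a {@code .service.} package whose name ends with
	 * {@code ServiceUtil} are accepted; {@code LocalServiceUtil} classes are
	 * explicitly excluded.</p>
	 *
	 * @param clazz the class declaring the requested method
	 * @return {@code true} if the class is an allowed remote service facade
	 */
	protected boolean isValidRequest(Class<?> clazz) {
		String className = clazz.getName();

		return className.contains(".service.") &&
			className.endsWith("ServiceUtil") &&
			!className.endsWith("LocalServiceUtil");
	}

	private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);

}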