001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.servlet;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.io.ProtectedObjectInputStream;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.util.MethodHandler;
023    import com.liferay.portal.kernel.util.MethodKey;
024    import com.liferay.portal.kernel.util.ObjectValuePair;
025    import com.liferay.portal.security.ac.AccessControlThreadLocal;
026    import com.liferay.portal.security.auth.HttpPrincipal;
027    import com.liferay.portal.security.permission.PermissionChecker;
028    import com.liferay.portal.security.permission.PermissionThreadLocal;
029    
030    import java.io.IOException;
031    import java.io.ObjectInputStream;
032    import java.io.ObjectOutputStream;
033    
034    import java.lang.reflect.InvocationTargetException;
035    
036    import javax.servlet.http.HttpServlet;
037    import javax.servlet.http.HttpServletRequest;
038    import javax.servlet.http.HttpServletResponse;
039    
040    /**
041     * @author Michael Weisser
042     * @author Brian Wing Shun Chan
043     */
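/**
 * Accepts remote service invocations over HTTP ("tunneling").
 *
 * <p>
 * Each POST body is a Java-serialized {@link ObjectValuePair} of an
 * {@link HttpPrincipal} and a {@link MethodHandler}. The handler is invoked
 * only when the request is made by a signed-in user and the declaring class of
 * the target method passes {@link #isValidRequest(Class)}; the result, or the
 * translated exception, is written back to the caller Java-serialized.
 * </p>
 *
 * <p>
 * The payload is deserialized in full before the declaring-class check runs,
 * so that check gates invocation, not deserialization. Any restriction on what
 * may be deserialized therefore rests with {@link ProtectedObjectInputStream},
 * which is not visible here (NOTE(review): presumably a class-restricting
 * stream; confirm against its implementation).
 * </p>
 *
 * @author Michael Weisser
 * @author Brian Wing Shun Chan
 */
public class TunnelServlet extends HttpServlet {

	/**
	 * Reads a serialized invocation from the request body, executes it and
	 * writes the outcome to the response.
	 *
	 * <p>
	 * Responds with {@code 403} and no body when there is no signed-in
	 * permission checker or when the target class is not an accepted remote
	 * service facade. Returns without a body when the request stream cannot be
	 * read or when the invocation fails with anything other than an
	 * {@link InvocationTargetException}.
	 * </p>
	 *
	 * @param  request the request whose body holds the serialized invocation
	 * @param  response the response receiving the serialized result
	 * @throws IOException if the result cannot be written to the response
	 */
	@Override
	public void doPost(HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		if ((permissionChecker == null) || !permissionChecker.isSignedIn()) {
			if (_log.isWarnEnabled()) {
				_log.warn("Unauthenticated access is forbidden");
			}

			response.setStatus(HttpServletResponse.SC_FORBIDDEN);

			return;
		}

		ObjectInputStream ois;

		try {
			ois = new ProtectedObjectInputStream(request.getInputStream());
		}
		catch (IOException ioe) {
			if (_log.isWarnEnabled()) {
				_log.warn(ioe, ioe);
			}

			return;
		}

		Object returnObj = null;

		// Remember the caller's flag so it can be restored whatever happens
		// below; the thread may be reused for later requests.

		boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();

		try {
			AccessControlThreadLocal.setRemoteAccess(true);

			// The cast cannot be checked at runtime because of erasure; a
			// payload of another type fails here with a ClassCastException
			// and is handled by the generic catch below.

			@SuppressWarnings("unchecked")
			ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
				(ObjectValuePair<HttpPrincipal, MethodHandler>)ois.readObject();

			MethodHandler methodHandler = ovp.getValue();

			if (methodHandler != null) {
				MethodKey methodKey = methodHandler.getMethodKey();

				Class<?> declaringClass = methodKey.getDeclaringClass();

				if (!isValidRequest(declaringClass)) {

					// Rejecting silently with 200 hides probing from the logs
					// and leaves the client guessing; answer like the
					// unauthenticated case does.

					if (_log.isWarnEnabled()) {
						_log.warn(
							"Rejected remote invocation on " +
								declaringClass.getName());
					}

					response.setStatus(HttpServletResponse.SC_FORBIDDEN);

					return;
				}

				returnObj = methodHandler.invoke(true);
			}
		}
		catch (InvocationTargetException ite) {
			returnObj = _toReturnObject(ite);
		}
		catch (Exception e) {

			// Malformed or unexpected payloads (wrong type, missing handler,
			// unknown class) end up here: logged, nothing is written back.

			_log.error(e, e);
		}
		finally {
			AccessControlThreadLocal.setRemoteAccess(remoteAccess);

			_close(ois);
		}

		if (returnObj != null) {
			_writeReturnObject(response, returnObj);
		}
	}

	/**
	 * Returns whether the declaring class of the requested method is one this
	 * servlet is willing to invoke remotely. The decision is made purely on
	 * the fully qualified class name: it must contain {@code ".service."} and
	 * end with {@code "ServiceUtil"} but not {@code "LocalServiceUtil"}, i.e.
	 * only the remote (non-local) service facades are reachable.
	 *
	 * @param  clazz the class declaring the target method
	 * @return <code>true</code> if the class is an accepted remote service
	 *         facade; <code>false</code> otherwise
	 */
	protected boolean isValidRequest(Class<?> clazz) {
		String className = clazz.getName();

		return className.contains(".service.") &&
			className.endsWith("ServiceUtil") &&
			!className.endsWith("LocalServiceUtil");
	}

	/**
	 * Closes the request stream, logging rather than propagating a failure so
	 * that closing never masks the outcome of the invocation.
	 */
	private void _close(ObjectInputStream ois) {
		try {
			ois.close();
		}
		catch (IOException ioe) {
			if (_log.isWarnEnabled()) {
				_log.warn(ioe, ioe);
			}
		}
	}

	/**
	 * Maps the cause of a failed invocation to the object sent back to the
	 * caller: a {@link PortalException} is returned as-is, anything else is
	 * logged and replaced by a {@link SystemException} carrying only the
	 * cause's message (or an empty one when there is no cause).
	 *
	 * @param  ite the exception wrapping the invoked method's failure
	 * @return the throwable to serialize back to the caller
	 */
	private Object _toReturnObject(InvocationTargetException ite) {
		Throwable cause = ite.getCause();

		if (cause instanceof PortalException) {
			return cause;
		}

		_log.error(ite, ite);

		if (cause != null) {
			return new SystemException(cause.getMessage());
		}

		return new SystemException();
	}

	/**
	 * Serializes the invocation result to the response. The stream is closed
	 * even when writing fails; a write failure is logged and rethrown.
	 *
	 * @param  response the response to write to
	 * @param  returnObj the object to serialize, never <code>null</code>
	 * @throws IOException if the response stream cannot be written
	 */
	private void _writeReturnObject(
			HttpServletResponse response, Object returnObj)
		throws IOException {

		try {
			ObjectOutputStream oos = new ObjectOutputStream(
				response.getOutputStream());

			try {
				oos.writeObject(returnObj);

				oos.flush();
			}
			finally {
				oos.close();
			}
		}
		catch (IOException ioe) {
			_log.error(ioe, ioe);

			throw ioe;
		}
	}

	private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);

}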