001    /**
002     * Copyright (c) 2000-2011 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.util.ParamUtil;
018    import com.liferay.portal.kernel.util.Validator;
019    import com.liferay.portal.kernel.util.WebKeys;
020    import com.liferay.portal.model.PortletConstants;
021    import com.liferay.portal.service.permission.PortletPermissionUtil;
022    import com.liferay.portal.util.PortalUtil;
023    import com.liferay.portal.util.PropsValues;
024    import com.liferay.util.Encryptor;
025    import com.liferay.util.PwdGenerator;
026    
027    import java.util.Set;
028    
029    import javax.servlet.http.HttpServletRequest;
030    import javax.servlet.http.HttpSession;
031    
032    /**
033     * @author Amos Fong
034     */
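public class SessionAuthToken implements AuthToken {

	/**
	 * Rejects the request unless it carries a valid anti-CSRF token.
	 *
	 * <p>
	 * A request passes when either (1) its <code>p_auth</code> parameter equals
	 * the portal-wide token stored in the HTTP session, or (2) a shared secret
	 * is configured and the request's <code>p_auth_secret</code> parameter
	 * equals the digest of that secret. Requests whose struts action or root
	 * portlet id appears on the configured ignore lists are not checked at all.
	 * </p>
	 *
	 * <p>
	 * Only the portal-wide token (key {@link #_PORTAL}) is validated here; the
	 * per-portlet tokens handed out by {@link #getToken(HttpServletRequest,
	 * long, String)} are never consulted by this check.
	 * </p>
	 *
	 * @param  request the request under review; <code>p_auth</code>,
	 *         <code>p_auth_secret</code>, <code>p_p_id</code> and the namespaced
	 *         <code>struts_action</code> parameters are read from it
	 * @throws PrincipalException if neither the session token nor the shared
	 *         secret matches
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		// A request without a session gets a freshly generated token here,
		// which the client cannot know, so such requests are rejected below
		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		// Compare in constant time so that a character-by-character timing
		// oracle cannot be used to recover the session token
		if (_constantTimeEquals(
				sessionAuthenticationToken, requestAuthenticationToken)) {

			return;
		}

		// The shared-secret bypass is only honored when a secret has actually
		// been configured. Digesting an empty secret would otherwise yield a
		// publicly computable value that any client could pass as
		// p_auth_secret to skip the session token check entirely.
		String propertiesAuthenticationTokenSharedSecret =
			PropsValues.AUTH_TOKEN_SHARED_SECRET;

		if (!Validator.isNull(propertiesAuthenticationTokenSharedSecret)) {
			String propertiesAuthenticationTokenSharedSecretDigest =
				Encryptor.digest(propertiesAuthenticationTokenSharedSecret);

			String requestAuthenticationTokenSharedSecret = ParamUtil.getString(
				request, "p_auth_secret");

			if (_constantTimeEquals(
					propertiesAuthenticationTokenSharedSecretDigest,
					requestAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide token for this session, generating and storing
	 * one if none exists yet. This is the value {@link #check} validates
	 * against <code>p_auth</code>.
	 *
	 * @param  request the request whose session holds the token
	 * @return the portal-wide session token, never <code>null</code>
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns a token scoped to a portlet placement, generating and storing
	 * one if none exists yet. Note that {@link #check} does not validate this
	 * token; it only validates the portal-wide one.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout (page) id of the portlet placement
	 * @param  portletId the portlet id within that layout
	 * @return the session token keyed by the portlet permission primary key,
	 *         never <code>null</code>
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under <code>key</code> in the session, creating
	 * and caching a new random one when absent.
	 *
	 * <p>
	 * <code>request.getSession()</code> creates a session if the request has
	 * none, so calling this always results in a session with a stored token.
	 * </p>
	 *
	 * @param  request the request whose session is consulted
	 * @param  key the suffix appended to {@link WebKeys#AUTHENTICATION_TOKEN}
	 *         to form the session attribute name
	 * @return the stored or newly generated token, never <code>null</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {
			// NOTE(review): the token's unpredictability rests entirely on
			// PwdGenerator drawing from a cryptographically strong source;
			// confirm that it does not use java.util.Random
			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns whether the struts action named by the request is exempt from the
	 * token check.
	 *
	 * <p>
	 * Both <code>p_p_id</code> and the namespaced <code>struts_action</code>
	 * are client-supplied, so this exemption is only as strong as the
	 * downstream dispatch that routes on the same parameters; the check does
	 * not itself verify that the named action is what will run.
	 * </p>
	 *
	 * @param  request the request whose <code>p_p_id</code> and namespaced
	 *         <code>struts_action</code> parameters are read
	 * @return <code>true</code> if the action is on the ignore list
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Returns whether the given struts action is on the configured ignore list.
	 *
	 * @param  strutsAction the struts action path to test
	 * @return <code>true</code> if {@link PortalUtil#getAuthTokenIgnoreActions}
	 *         contains it
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		return authTokenIgnoreActions.contains(strutsAction);
	}

	/**
	 * Returns whether the portlet named by the request's <code>p_p_id</code>
	 * is exempt from the token check. As with {@link
	 * #isIgnoreAction(HttpServletRequest)}, the parameter is client-supplied.
	 *
	 * @param  request the request whose <code>p_p_id</code> parameter is read
	 * @return <code>true</code> if the portlet's root id is on the ignore list
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns whether the portlet's root id is on the configured ignore list.
	 *
	 * @param  portletId the (possibly instance-qualified) portlet id; it is
	 *         reduced to its root id before the lookup
	 * @return <code>true</code> if {@link
	 *         PortalUtil#getAuthTokenIgnorePortlets} contains the root id
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares two strings without short-circuiting on the first differing
	 * character, so that the time taken does not reveal how long a matching
	 * prefix the attacker-supplied value has. Only the lengths are allowed to
	 * influence timing, which is acceptable here because the token and digest
	 * lengths are not secret.
	 *
	 * @param  expected the secret value held by the server
	 * @param  actual the value supplied by the client
	 * @return <code>true</code> if both are non-<code>null</code> and equal
	 */
	private static boolean _constantTimeEquals(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		int expectedLength = expected.length();
		int actualLength = actual.length();

		int difference = expectedLength ^ actualLength;

		int length = Math.min(expectedLength, actualLength);

		for (int i = 0; i < length; i++) {
			difference |= expected.charAt(i) ^ actual.charAt(i);
		}

		return difference == 0;
	}

	private static final String _PORTAL = "PORTAL";

}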