015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
031
032
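/**
 * Session-bound authentication token used to protect portlet requests
 * against cross-site request forgery.
 *
 * <p>
 * A random token is minted once per session (per key) and stored as a
 * session attribute. A request is accepted when its <code>p_auth</code>
 * parameter matches the session token, when its <code>p_auth_secret</code>
 * parameter matches the digest of the configured shared secret, or when the
 * targeted struts action or portlet is on the configured ignore lists.
 * </p>
 *
 * <p>
 * Both comparisons are done in constant time so that response timing does not
 * reveal how much of a guessed token was correct.
 * </p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Checks that the request carries a valid authentication token.
	 *
	 * <p>
	 * Requests whose struts action or portlet is on the ignore lists are
	 * accepted without any token. Otherwise the request must present either
	 * the session token in <code>p_auth</code> or the digest of the shared
	 * secret in <code>p_auth_secret</code>. The shared-secret path is only
	 * consulted when a shared secret is actually configured.
	 * </p>
	 *
	 * @param  request the request to validate
	 * @throws PrincipalException if neither the session token nor the shared
	 *         secret matches
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request) || isIgnorePortlet(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		// Minting the session token here (if absent) means a session that
		// never rendered a page cannot match any p_auth the client guesses.
		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_constantTimeEquals(
				sessionAuthenticationToken, requestAuthenticationToken)) {

			return;
		}

		// A blank shared secret is not a credential: the digest of an empty
		// string is a fixed, publicly computable value, so the shared-secret
		// path is honored only when a secret has actually been configured.
		if (Validator.isNotNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			String propertiesAuthenticationTokenSharedSecret =
				Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET);

			String requestAuthenticationTokenSharedSecret =
				ParamUtil.getString(request, "p_auth_secret");

			if (_constantTimeEquals(
					propertiesAuthenticationTokenSharedSecret,
					requestAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide authentication token for the request's session,
	 * creating it if necessary.
	 *
	 * @param  request the current request
	 * @return the session token bound to the portal key
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the authentication token for a specific portlet instance on a
	 * layout, creating it if necessary.
	 *
	 * @param  request the current request
	 * @param  plid the layout's primary key
	 * @param  portletId the portlet's ID
	 * @return the session token bound to the portlet's permission key
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Returns the session attribute holding the token for <code>key</code>,
	 * generating and storing a fresh token when none is present.
	 *
	 * <p>
	 * This creates the HTTP session if the request does not have one yet.
	 * </p>
	 *
	 * @param  request the current request
	 * @param  key the suffix appended to the token attribute name
	 * @return the existing or newly generated token
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		HttpSession session = request.getSession();

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (Validator.isNull(sessionAuthenticationToken)) {

			// NOTE(review): the token is only as unguessable as
			// PwdGenerator.getPassword(); confirm it draws from a
			// cryptographically strong random source.
			sessionAuthenticationToken = PwdGenerator.getPassword();

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns <code>true</code> if the struts action targeted by the request
	 * (read from the namespaced <code>struts_action</code> parameter of the
	 * portlet in <code>p_p_id</code>) is on the ignore list.
	 *
	 * @param  request the current request
	 * @return <code>true</code> if the request's action needs no token
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Returns <code>true</code> if the struts action is on the configured
	 * ignore list.
	 *
	 * @param  strutsAction the struts action path
	 * @return <code>true</code> if the action needs no token
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		Set<String> authTokenIgnoreActions =
			PortalUtil.getAuthTokenIgnoreActions();

		return authTokenIgnoreActions.contains(strutsAction);
	}

	/**
	 * Returns <code>true</code> if the portlet named by the request's
	 * <code>p_p_id</code> parameter is on the ignore list.
	 *
	 * @param  request the current request
	 * @return <code>true</code> if the request's portlet needs no token
	 */
	protected boolean isIgnorePortlet(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		return isIgnorePortlet(ppid);
	}

	/**
	 * Returns <code>true</code> if the portlet's root ID (instance suffix
	 * stripped) is on the configured ignore list.
	 *
	 * @param  portletId the portlet ID, possibly an instance ID
	 * @return <code>true</code> if the portlet needs no token
	 */
	protected boolean isIgnorePortlet(String portletId) {
		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> authTokenIgnorePortlets =
			PortalUtil.getAuthTokenIgnorePortlets();

		return authTokenIgnorePortlets.contains(rootPortletId);
	}

	/**
	 * Compares two token strings without short-circuiting on the first
	 * differing byte, so that how long the comparison takes does not depend
	 * on how many leading characters an attacker guessed correctly.
	 *
	 * @param  expected the trusted value
	 * @param  actual the value supplied by the client
	 * @return <code>true</code> if both are non-<code>null</code> and equal
	 */
	private static boolean _constantTimeEquals(
		String expected, String actual) {

		if ((expected == null) || (actual == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _PORTAL = "PORTAL";

}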