001
014
015 package com.liferay.portal.servlet.filters.secure;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.servlet.HttpHeaders;
020 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
021 import com.liferay.portal.kernel.util.GetterUtil;
022 import com.liferay.portal.kernel.util.Http;
023 import com.liferay.portal.kernel.util.HttpUtil;
024 import com.liferay.portal.kernel.util.StringBundler;
025 import com.liferay.portal.kernel.util.StringPool;
026 import com.liferay.portal.kernel.util.StringUtil;
027 import com.liferay.portal.kernel.util.Validator;
028 import com.liferay.portal.model.User;
029 import com.liferay.portal.security.auth.PrincipalThreadLocal;
030 import com.liferay.portal.security.permission.PermissionChecker;
031 import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
032 import com.liferay.portal.security.permission.PermissionThreadLocal;
033 import com.liferay.portal.service.UserLocalServiceUtil;
034 import com.liferay.portal.servlet.filters.BasePortalFilter;
035 import com.liferay.portal.util.Portal;
036 import com.liferay.portal.util.PortalInstances;
037 import com.liferay.portal.util.PortalUtil;
038 import com.liferay.portal.util.PropsUtil;
039 import com.liferay.portal.util.PropsValues;
040 import com.liferay.portal.util.WebKeys;
041
042 import java.util.HashSet;
043 import java.util.Set;
044
045 import javax.servlet.FilterChain;
046 import javax.servlet.FilterConfig;
047 import javax.servlet.http.HttpServletRequest;
048 import javax.servlet.http.HttpServletResponse;
049 import javax.servlet.http.HttpSession;
050
051
056 public class SecureFilter extends BasePortalFilter {
057
058 @Override
059 public void init(FilterConfig filterConfig) {
060 super.init(filterConfig);
061
062 _basicAuthEnabled = GetterUtil.getBoolean(
063 filterConfig.getInitParameter("basic_auth"));
064 _digestAuthEnabled = GetterUtil.getBoolean(
065 filterConfig.getInitParameter("digest_auth"));
066
067 String propertyPrefix =
068 filterConfig.getInitParameter("portal_property_prefix");
069
070 String[] hostsAllowedArray = null;
071
072 if (Validator.isNull(propertyPrefix)) {
073 hostsAllowedArray = StringUtil.split(
074 filterConfig.getInitParameter("hosts.allowed"));
075 _httpsRequired = GetterUtil.getBoolean(
076 filterConfig.getInitParameter("https.required"));
077 }
078 else {
079 hostsAllowedArray = PropsUtil.getArray(
080 propertyPrefix + "hosts.allowed");
081 _httpsRequired = GetterUtil.getBoolean(
082 PropsUtil.get(propertyPrefix + "https.required"));
083 }
084
085 for (int i = 0; i < hostsAllowedArray.length; i++) {
086 _hostsAllowed.add(hostsAllowedArray[i]);
087 }
088 }
089
090 protected boolean isAccessAllowed(HttpServletRequest request) {
091 String remoteAddr = request.getRemoteAddr();
092 String serverIp = PortalUtil.getComputerAddress();
093
094 if ((_hostsAllowed.size() > 0) &&
095 (!_hostsAllowed.contains(remoteAddr))) {
096
097 if ((serverIp.equals(remoteAddr)) &&
098 (_hostsAllowed.contains(_SERVER_IP))) {
099
100 return true;
101 }
102
103 return false;
104 }
105 else {
106 return true;
107 }
108 }
109
110 @Override
111 protected void processFilter(
112 HttpServletRequest request, HttpServletResponse response,
113 FilterChain filterChain)
114 throws Exception {
115
116 String remoteAddr = request.getRemoteAddr();
117
118 if (isAccessAllowed(request)) {
119 if (_log.isDebugEnabled()) {
120 _log.debug("Access allowed for " + remoteAddr);
121 }
122 }
123 else {
124 if (_log.isWarnEnabled()) {
125 _log.warn("Access denied for " + remoteAddr);
126 }
127
128 response.sendError(
129 HttpServletResponse.SC_FORBIDDEN,
130 "Access denied for " + remoteAddr);
131
132 return;
133 }
134
135 if (_log.isDebugEnabled()) {
136 if (_httpsRequired) {
137 _log.debug("https is required");
138 }
139 else {
140 _log.debug("https is not required");
141 }
142 }
143
144 if (_httpsRequired && !request.isSecure()) {
145 if (_log.isDebugEnabled()) {
146 String completeURL = HttpUtil.getCompleteURL(request);
147
148 _log.debug("Securing " + completeURL);
149 }
150
151 StringBundler redirectURL = new StringBundler(5);
152
153 redirectURL.append(Http.HTTPS_WITH_SLASH);
154 redirectURL.append(request.getServerName());
155 redirectURL.append(request.getServletPath());
156
157 String queryString = request.getQueryString();
158
159 if (Validator.isNotNull(queryString)) {
160 redirectURL.append(StringPool.QUESTION);
161 redirectURL.append(request.getQueryString());
162 }
163
164 if (_log.isDebugEnabled()) {
165 _log.debug("Redirect to " + redirectURL);
166 }
167
168 response.sendRedirect(redirectURL.toString());
169 }
170 else {
171 if (_log.isDebugEnabled()) {
172 String completeURL = HttpUtil.getCompleteURL(request);
173
174 _log.debug("Not securing " + completeURL);
175 }
176
177
178
179
180
181 if (!PropsValues.PORTAL_JAAS_ENABLE) {
182 User user = PortalUtil.getUser(request);
183
184 if ((user != null) && !user.isDefaultUser()) {
185 setCredentials(
186 request, request.getSession(), user.getUserId());
187 }
188 else {
189 if (_digestAuthEnabled) {
190 request = digestAuth(request, response);
191 }
192 else if (_basicAuthEnabled) {
193 request = basicAuth(request, response);
194 }
195 }
196 }
197
198 if (request != null) {
199 processFilter(getClass(), request, response, filterChain);
200 }
201 }
202 }
203
204 protected HttpServletRequest basicAuth(
205 HttpServletRequest request, HttpServletResponse response)
206 throws Exception {
207
208 HttpSession session = request.getSession();
209
210 session.setAttribute(WebKeys.BASIC_AUTH_ENABLED, Boolean.TRUE);
211
212 long userId = GetterUtil.getLong(
213 (String)session.getAttribute(_AUTHENTICATED_USER));
214
215 if (userId > 0) {
216 request = new ProtectedServletRequest(
217 request, String.valueOf(userId));
218 }
219 else {
220 try {
221 userId = PortalUtil.getBasicAuthUserId(request);
222 }
223 catch (Exception e) {
224 _log.error(e, e);
225 }
226
227 if (userId > 0) {
228 request = setCredentials(request, session, userId);
229 }
230 else {
231 response.setHeader(HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);
232 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
233
234 return null;
235 }
236 }
237
238 return request;
239 }
240
241 protected HttpServletRequest digestAuth(
242 HttpServletRequest request, HttpServletResponse response)
243 throws Exception {
244
245 HttpSession session = request.getSession();
246
247 long userId = GetterUtil.getLong(
248 (String)session.getAttribute(_AUTHENTICATED_USER));
249
250 if (userId > 0) {
251 request = new ProtectedServletRequest(
252 request, String.valueOf(userId));
253 }
254 else {
255 try {
256 userId = PortalUtil.getDigestAuthUserId(request);
257 }
258 catch (Exception e) {
259 _log.error(e, e);
260 }
261
262 if (userId > 0) {
263 request = setCredentials(request, session, userId);
264 }
265 else {
266
267
268
269 long companyId = PortalInstances.getCompanyId(request);
270
271 String remoteAddress = request.getRemoteAddr();
272
273 String nonce = NonceUtil.generate(companyId, remoteAddress);
274
275 StringBundler sb = new StringBundler(4);
276
277 sb.append(_DIGEST_REALM);
278 sb.append(", nonce=\"");
279 sb.append(nonce);
280 sb.append("\"");
281
282 response.setHeader(HttpHeaders.WWW_AUTHENTICATE, sb.toString());
283 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
284
285 return null;
286 }
287 }
288
289 return request;
290 }
291
292 protected HttpServletRequest setCredentials(
293 HttpServletRequest request, HttpSession session, long userId)
294 throws Exception {
295
296 User user = UserLocalServiceUtil.getUser(userId);
297
298 String userIdString = String.valueOf(userId);
299
300 request = new ProtectedServletRequest(request, userIdString);
301
302 session.setAttribute(WebKeys.USER, user);
303 session.setAttribute(_AUTHENTICATED_USER, userIdString);
304
305 if (_usePermissionChecker) {
306 PrincipalThreadLocal.setName(userId);
307 PrincipalThreadLocal.setPassword(
308 PortalUtil.getUserPassword(request));
309
310 PermissionChecker permissionChecker =
311 PermissionCheckerFactoryUtil.create(user, false);
312
313 PermissionThreadLocal.setPermissionChecker(permissionChecker);
314 }
315
316 return request;
317 }
318
319 protected void setUsePermissionChecker(boolean usePermissionChecker) {
320 _usePermissionChecker = usePermissionChecker;
321 }
322
323 public static final String _AUTHENTICATED_USER =
324 SecureFilter.class + "_AUTHENTICATED_USER";
325
326 private static final String _BASIC_REALM =
327 "Basic realm=\"" + Portal.PORTAL_REALM + "\"";
328
329 private static final String _DIGEST_REALM =
330 "Digest realm=\"" + Portal.PORTAL_REALM + "\"";
331
332 private static final String _SERVER_IP = "SERVER_IP";
333
334 private static Log _log = LogFactoryUtil.getLog(SecureFilter.class);
335
336 private boolean _basicAuthEnabled;
337 private boolean _digestAuthEnabled;
338 private Set<String> _hostsAllowed = new HashSet<String>();
339 private boolean _httpsRequired;
340 private boolean _usePermissionChecker;
341
342 }