001    /**
002     * Copyright (c) 2000-2011 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet.filters.secure;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.servlet.HttpHeaders;
020    import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
021    import com.liferay.portal.kernel.util.GetterUtil;
022    import com.liferay.portal.kernel.util.Http;
023    import com.liferay.portal.kernel.util.HttpUtil;
024    import com.liferay.portal.kernel.util.StringBundler;
025    import com.liferay.portal.kernel.util.StringPool;
026    import com.liferay.portal.kernel.util.StringUtil;
027    import com.liferay.portal.kernel.util.Validator;
028    import com.liferay.portal.model.User;
029    import com.liferay.portal.security.auth.PrincipalThreadLocal;
030    import com.liferay.portal.security.permission.PermissionChecker;
031    import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
032    import com.liferay.portal.security.permission.PermissionThreadLocal;
033    import com.liferay.portal.service.UserLocalServiceUtil;
034    import com.liferay.portal.servlet.filters.BasePortalFilter;
035    import com.liferay.portal.util.Portal;
036    import com.liferay.portal.util.PortalInstances;
037    import com.liferay.portal.util.PortalUtil;
038    import com.liferay.portal.util.PropsUtil;
039    import com.liferay.portal.util.PropsValues;
040    import com.liferay.portal.util.WebKeys;
041    
042    import java.util.HashSet;
043    import java.util.Set;
044    
045    import javax.servlet.FilterChain;
046    import javax.servlet.FilterConfig;
047    import javax.servlet.http.HttpServletRequest;
048    import javax.servlet.http.HttpServletResponse;
049    import javax.servlet.http.HttpSession;
050    
051    /**
052     * @author Brian Wing Shun Chan
053     * @author Raymond Augé
054     * @author Alexander Chow
055     */
056    public class SecureFilter extends BasePortalFilter {
057    
058            @Override
059            public void init(FilterConfig filterConfig) {
060                    super.init(filterConfig);
061    
062                    _basicAuthEnabled = GetterUtil.getBoolean(
063                            filterConfig.getInitParameter("basic_auth"));
064                    _digestAuthEnabled = GetterUtil.getBoolean(
065                            filterConfig.getInitParameter("digest_auth"));
066    
067                    String propertyPrefix =
068                            filterConfig.getInitParameter("portal_property_prefix");
069    
070                    String[] hostsAllowedArray = null;
071    
072                    if (Validator.isNull(propertyPrefix)) {
073                            hostsAllowedArray = StringUtil.split(
074                                    filterConfig.getInitParameter("hosts.allowed"));
075                            _httpsRequired = GetterUtil.getBoolean(
076                                    filterConfig.getInitParameter("https.required"));
077                    }
078                    else {
079                            hostsAllowedArray = PropsUtil.getArray(
080                                    propertyPrefix + "hosts.allowed");
081                            _httpsRequired = GetterUtil.getBoolean(
082                                    PropsUtil.get(propertyPrefix + "https.required"));
083                    }
084    
085                    for (int i = 0; i < hostsAllowedArray.length; i++) {
086                            _hostsAllowed.add(hostsAllowedArray[i]);
087                    }
088            }
089    
090            protected boolean isAccessAllowed(HttpServletRequest request) {
091                    String remoteAddr = request.getRemoteAddr();
092                    String serverIp = PortalUtil.getComputerAddress();
093    
094                    if ((_hostsAllowed.size() > 0) &&
095                            (!_hostsAllowed.contains(remoteAddr))) {
096    
097                            if ((serverIp.equals(remoteAddr)) &&
098                                    (_hostsAllowed.contains(_SERVER_IP))) {
099    
100                                    return true;
101                            }
102    
103                            return false;
104                    }
105                    else {
106                            return true;
107                    }
108            }
109    
110            @Override
111            protected void processFilter(
112                            HttpServletRequest request, HttpServletResponse response,
113                            FilterChain filterChain)
114                    throws Exception {
115    
116                    String remoteAddr = request.getRemoteAddr();
117    
118                    if (isAccessAllowed(request)) {
119                            if (_log.isDebugEnabled()) {
120                                    _log.debug("Access allowed for " + remoteAddr);
121                            }
122                    }
123                    else {
124                            if (_log.isWarnEnabled()) {
125                                    _log.warn("Access denied for " + remoteAddr);
126                            }
127    
128                            response.sendError(
129                                    HttpServletResponse.SC_FORBIDDEN,
130                                    "Access denied for " + remoteAddr);
131    
132                            return;
133                    }
134    
135                    if (_log.isDebugEnabled()) {
136                            if (_httpsRequired) {
137                                    _log.debug("https is required");
138                            }
139                            else {
140                                    _log.debug("https is not required");
141                            }
142                    }
143    
144                    if (_httpsRequired && !request.isSecure()) {
145                            if (_log.isDebugEnabled()) {
146                                    String completeURL = HttpUtil.getCompleteURL(request);
147    
148                                    _log.debug("Securing " + completeURL);
149                            }
150    
151                            StringBundler redirectURL = new StringBundler(5);
152    
153                            redirectURL.append(Http.HTTPS_WITH_SLASH);
154                            redirectURL.append(request.getServerName());
155                            redirectURL.append(request.getServletPath());
156    
157                            String queryString = request.getQueryString();
158    
159                            if (Validator.isNotNull(queryString)) {
160                                    redirectURL.append(StringPool.QUESTION);
161                                    redirectURL.append(request.getQueryString());
162                            }
163    
164                            if (_log.isDebugEnabled()) {
165                                    _log.debug("Redirect to " + redirectURL);
166                            }
167    
168                            response.sendRedirect(redirectURL.toString());
169                    }
170                    else {
171                            if (_log.isDebugEnabled()) {
172                                    String completeURL = HttpUtil.getCompleteURL(request);
173    
174                                    _log.debug("Not securing " + completeURL);
175                            }
176    
177                            // This authentication should only be run if specified by web.xml
178                            // and JAAS is disabled. Make sure to run this once per session and
179                            // wrap the request if necessary.
180    
181                            if (!PropsValues.PORTAL_JAAS_ENABLE) {
182                                    User user = PortalUtil.getUser(request);
183    
184                                    if ((user != null) && !user.isDefaultUser()) {
185                                            setCredentials(
186                                                    request, request.getSession(), user.getUserId());
187                                    }
188                                    else {
189                                            if (_digestAuthEnabled) {
190                                                    request = digestAuth(request, response);
191                                            }
192                                            else if (_basicAuthEnabled) {
193                                                    request = basicAuth(request, response);
194                                            }
195                                    }
196                            }
197    
198                            if (request != null) {
199                                    processFilter(getClass(), request, response, filterChain);
200                            }
201                    }
202            }
203    
204            protected HttpServletRequest basicAuth(
205                            HttpServletRequest request, HttpServletResponse response)
206                    throws Exception {
207    
208                    HttpSession session = request.getSession();
209    
210                    session.setAttribute(WebKeys.BASIC_AUTH_ENABLED, Boolean.TRUE);
211    
212                    long userId = GetterUtil.getLong(
213                            (String)session.getAttribute(_AUTHENTICATED_USER));
214    
215                    if (userId > 0) {
216                            request = new ProtectedServletRequest(
217                                    request, String.valueOf(userId));
218                    }
219                    else {
220                            try {
221                                    userId = PortalUtil.getBasicAuthUserId(request);
222                            }
223                            catch (Exception e) {
224                                    _log.error(e, e);
225                            }
226    
227                            if (userId > 0) {
228                                    request = setCredentials(request, session, userId);
229                            }
230                            else {
231                                    response.setHeader(HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);
232                                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
233    
234                                    return null;
235                            }
236                    }
237    
238                    return request;
239            }
240    
241            protected HttpServletRequest digestAuth(
242                            HttpServletRequest request, HttpServletResponse response)
243                    throws Exception {
244    
245                    HttpSession session = request.getSession();
246    
247                    long userId = GetterUtil.getLong(
248                            (String)session.getAttribute(_AUTHENTICATED_USER));
249    
250                    if (userId > 0) {
251                            request = new ProtectedServletRequest(
252                                    request, String.valueOf(userId));
253                    }
254                    else {
255                            try {
256                                    userId = PortalUtil.getDigestAuthUserId(request);
257                            }
258                            catch (Exception e) {
259                                    _log.error(e, e);
260                            }
261    
262                            if (userId > 0) {
263                                    request = setCredentials(request, session, userId);
264                            }
265                            else {
266    
267                                    // Must generate a new nonce for each 401 (RFC2617, 3.2.1)
268    
269                                    long companyId = PortalInstances.getCompanyId(request);
270    
271                                    String remoteAddress = request.getRemoteAddr();
272    
273                                    String nonce = NonceUtil.generate(companyId, remoteAddress);
274    
275                                    StringBundler sb = new StringBundler(4);
276    
277                                    sb.append(_DIGEST_REALM);
278                                    sb.append(", nonce=\"");
279                                    sb.append(nonce);
280                                    sb.append("\"");
281    
282                                    response.setHeader(HttpHeaders.WWW_AUTHENTICATE, sb.toString());
283                                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
284    
285                                    return null;
286                            }
287                    }
288    
289                    return request;
290            }
291    
292            protected HttpServletRequest setCredentials(
293                            HttpServletRequest request, HttpSession session, long userId)
294                    throws Exception {
295    
296                    User user = UserLocalServiceUtil.getUser(userId);
297    
298                    String userIdString = String.valueOf(userId);
299    
300                    request = new ProtectedServletRequest(request, userIdString);
301    
302                    session.setAttribute(WebKeys.USER, user);
303                    session.setAttribute(_AUTHENTICATED_USER, userIdString);
304    
305                    if (_usePermissionChecker) {
306                            PrincipalThreadLocal.setName(userId);
307                            PrincipalThreadLocal.setPassword(
308                                    PortalUtil.getUserPassword(request));
309    
310                            PermissionChecker permissionChecker =
311                                    PermissionCheckerFactoryUtil.create(user, false);
312    
313                            PermissionThreadLocal.setPermissionChecker(permissionChecker);
314                    }
315    
316                    return request;
317            }
318    
319            protected void setUsePermissionChecker(boolean usePermissionChecker) {
320                    _usePermissionChecker = usePermissionChecker;
321            }
322    
323            public static final String _AUTHENTICATED_USER =
324                    SecureFilter.class + "_AUTHENTICATED_USER";
325    
326            private static final String _BASIC_REALM =
327                    "Basic realm=\"" + Portal.PORTAL_REALM + "\"";
328    
329            private static final String _DIGEST_REALM =
330                    "Digest realm=\"" + Portal.PORTAL_REALM + "\"";
331    
332            private static final String _SERVER_IP = "SERVER_IP";
333    
334            private static Log _log = LogFactoryUtil.getLog(SecureFilter.class);
335    
336            private boolean _basicAuthEnabled;
337            private boolean _digestAuthEnabled;
338            private Set<String> _hostsAllowed = new HashSet<String>();
339            private boolean _httpsRequired;
340            private boolean _usePermissionChecker;
341    
342    }