015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.security.pacl.DoPrivileged;
018 import com.liferay.portal.kernel.util.CharPool;
019 import com.liferay.portal.kernel.util.SetUtil;
020 import com.liferay.portal.kernel.util.Validator;
021 import com.liferay.portal.model.Portlet;
022 import com.liferay.portal.model.PortletConstants;
023 import com.liferay.portal.service.PortletLocalServiceUtil;
024 import com.liferay.portal.util.PropsValues;
025
026 import java.util.Collections;
027 import java.util.Set;
028
033 @DoPrivileged
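public class AuthTokenWhitelistImpl implements AuthTokenWhitelist {

    /**
     * Seeds all four whitelists from the current {@link PropsValues} settings
     * by calling the corresponding {@code reset*} methods.
     */
    public AuthTokenWhitelistImpl() {
        resetPortletCSRFWhitelist();
        resetPortletCSRFWhitelistActions();
        resetPortletInvocationWhitelist();
        resetPortletInvocationWhitelistActions();
    }

    /**
     * Returns the unmodifiable set of portlet IDs that bypass the CSRF token
     * check. Seeded from {@code PropsValues.AUTH_TOKEN_IGNORE_PORTLETS}.
     *
     * @return the current CSRF portlet whitelist, never {@code null}
     */
    @Override
    public Set<String> getPortletCSRFWhitelist() {
        return _portletCSRFWhitelist;
    }

    /**
     * Returns the unmodifiable set of struts actions that bypass the CSRF
     * token check. Seeded from {@code PropsValues.AUTH_TOKEN_IGNORE_ACTIONS}.
     *
     * @return the current CSRF action whitelist, never {@code null}
     */
    @Override
    public Set<String> getPortletCSRFWhitelistActions() {
        return _portletCSRFWhitelistActions;
    }

    /**
     * Returns the unmodifiable set of portlet IDs that bypass the default
     * resource check on portlet invocation. Seeded from
     * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST}.
     *
     * @return the current invocation portlet whitelist, never {@code null}
     */
    @Override
    public Set<String> getPortletInvocationWhitelist() {
        return _portletInvocationWhitelist;
    }

    /**
     * Returns the unmodifiable set of struts actions that bypass the default
     * resource check on portlet invocation. Seeded from
     * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS}.
     *
     * @return the current invocation action whitelist, never {@code null}
     */
    @Override
    public Set<String> getPortletInvocationWhitelistActions() {
        return _portletInvocationWhitelistActions;
    }

    /**
     * Decides whether a request may skip the CSRF token check.
     *
     * <p>The portlet ID is first reduced to its root ID, so every instance of
     * a whitelisted portlet matches. A whitelisted struts action only counts
     * when {@link #isValidStrutsAction} confirms that the action's path
     * belongs to that portlet; a whitelisted action name on its own is not
     * enough.
     *
     * @param companyId the company the portlet is looked up in
     * @param portletId the (possibly instanced) portlet ID of the request
     * @param strutsAction the struts action of the request, may be blank
     * @return {@code true} if the request is exempt from the CSRF check
     */
    @Override
    public boolean isPortletCSRFWhitelisted(
        long companyId, String portletId, String strutsAction) {

        String rootPortletId = PortletConstants.getRootPortletId(portletId);

        if (getPortletCSRFWhitelist().contains(rootPortletId)) {
            return true;
        }

        if (Validator.isNotNull(strutsAction) &&
            getPortletCSRFWhitelistActions().contains(strutsAction)) {

            return isValidStrutsAction(companyId, rootPortletId, strutsAction);
        }

        return false;
    }

    /**
     * Decides whether a request may skip the default resource check on
     * portlet invocation.
     *
     * <p>Unlike {@link #isPortletCSRFWhitelisted}, the portlet ID is matched
     * exactly as given and is not reduced to its root ID. A whitelisted
     * struts action only counts when {@link #isValidStrutsAction} confirms
     * that the action's path belongs to the portlet.
     *
     * @param companyId the company the portlet is looked up in
     * @param portletId the portlet ID of the request
     * @param strutsAction the struts action of the request, may be blank
     * @return {@code true} if the request is exempt from the resource check
     */
    @Override
    public boolean isPortletInvocationWhitelisted(
        long companyId, String portletId, String strutsAction) {

        if (getPortletInvocationWhitelist().contains(portletId)) {
            return true;
        }

        if (Validator.isNotNull(strutsAction) &&
            getPortletInvocationWhitelistActions().contains(strutsAction)) {

            return isValidStrutsAction(companyId, portletId, strutsAction);
        }

        return false;
    }

    /**
     * Reloads the CSRF portlet whitelist from
     * {@code PropsValues.AUTH_TOKEN_IGNORE_PORTLETS}.
     *
     * @return the new, unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletCSRFWhitelist() {
        _portletCSRFWhitelist = _unmodifiableSetOf(
            PropsValues.AUTH_TOKEN_IGNORE_PORTLETS);

        return _portletCSRFWhitelist;
    }

    /**
     * Reloads the CSRF action whitelist from
     * {@code PropsValues.AUTH_TOKEN_IGNORE_ACTIONS}.
     *
     * @return the new, unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletCSRFWhitelistActions() {
        _portletCSRFWhitelistActions = _unmodifiableSetOf(
            PropsValues.AUTH_TOKEN_IGNORE_ACTIONS);

        return _portletCSRFWhitelistActions;
    }

    /**
     * Reloads the invocation portlet whitelist from
     * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST}.
     *
     * @return the new, unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletInvocationWhitelist() {
        _portletInvocationWhitelist = _unmodifiableSetOf(
            PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);

        return _portletInvocationWhitelist;
    }

    /**
     * Reloads the invocation action whitelist from
     * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS}.
     *
     * @return the new, unmodifiable whitelist
     */
    @Override
    public Set<String> resetPortletInvocationWhitelistActions() {
        _portletInvocationWhitelistActions = _unmodifiableSetOf(
            PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);

        return _portletInvocationWhitelistActions;
    }

    /**
     * Checks that a whitelisted struts action really belongs to the given
     * portlet, so that a whitelisted action name cannot be used to bypass the
     * check for an unrelated portlet.
     *
     * <p>The struts path is the text between the leading slash and the last
     * slash of the action (e.g. {@code "/a/b/edit"} yields {@code "a/b"}).
     * It must equal the portlet's own struts path or its parent struts path.
     *
     * <p>Any failure (malformed action, unknown portlet, exception from the
     * lookup) yields {@code false}, i.e. the request stays subject to the
     * regular check.
     *
     * @param companyId the company the portlet is looked up in
     * @param portletId the portlet ID to match the action against
     * @param strutsAction the whitelisted struts action
     * @return {@code true} only if the action's path matches the portlet
     */
    protected boolean isValidStrutsAction(
        long companyId, String portletId, String strutsAction) {

        if (strutsAction == null) {
            return false;
        }

        // Actions without a leading slash or with no path segment ("edit",
        // "/edit") cannot name a struts path; reject them explicitly rather
        // than letting substring() throw and be swallowed below.
        int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

        if (lastSlash < 1) {
            return false;
        }

        String strutsPath = strutsAction.substring(1, lastSlash);

        try {
            Portlet portlet = PortletLocalServiceUtil.getPortletById(
                companyId, portletId);

            if (portlet == null) {
                return false;
            }

            return strutsPath.equals(portlet.getStrutsPath()) ||
                strutsPath.equals(portlet.getParentStrutsPath());
        }
        catch (Exception ignored) {
            // A failed portlet lookup must never count as whitelisted, so the
            // exception is deliberately turned into "not valid".
            return false;
        }
    }

    /**
     * Builds an unmodifiable set from a property array; shared by the
     * {@code reset*} methods.
     */
    private static Set<String> _unmodifiableSetOf(String[] values) {
        return Collections.unmodifiableSet(SetUtil.fromArray(values));
    }

    // Each reset* method replaces the whole reference; the sets themselves
    // are never mutated after construction.
    private Set<String> _portletCSRFWhitelist;
    private Set<String> _portletCSRFWhitelistActions;
    private Set<String> _portletInvocationWhitelist;
    private Set<String> _portletInvocationWhitelistActions;

}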