001
014
015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.util.ParamUtil;
018 import com.liferay.portal.kernel.util.Validator;
019 import com.liferay.portal.kernel.util.WebKeys;
020 import com.liferay.portal.service.permission.PortletPermissionUtil;
021 import com.liferay.portal.util.PortalUtil;
022 import com.liferay.portal.util.PropsValues;
023 import com.liferay.util.Encryptor;
024 import com.liferay.util.PwdGenerator;
025
026 import javax.servlet.http.HttpServletRequest;
027 import javax.servlet.http.HttpSession;
028
029
032 public class SessionAuthToken implements AuthToken {
033
034 @Override
035 public void check(HttpServletRequest request) throws PrincipalException {
036 long companyId = PortalUtil.getCompanyId(request);
037
038 String ppid = ParamUtil.getString(request, "p_p_id");
039
040 String portletNamespace = PortalUtil.getPortletNamespace(ppid);
041
042 String strutsAction = ParamUtil.getString(
043 request, portletNamespace + "struts_action");
044
045 if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
046 companyId, ppid, strutsAction)) {
047
048 return;
049 }
050
051 String requestAuthenticationToken = ParamUtil.getString(
052 request, "p_auth");
053
054 String sessionAuthenticationToken = getSessionAuthenticationToken(
055 request, _CSRF, false);
056
057 String propertiesAuthenticatonTokenSharedSecret = Encryptor.digest(
058 PropsValues.AUTH_TOKEN_SHARED_SECRET);
059
060 String requestAuthenticatonTokenSharedSecret = ParamUtil.getString(
061 request, "p_auth_secret");
062
063 if (!requestAuthenticationToken.equals(sessionAuthenticationToken) &&
064 !requestAuthenticatonTokenSharedSecret.equals(
065 propertiesAuthenticatonTokenSharedSecret)) {
066
067 throw new PrincipalException("Invalid authentication token");
068 }
069 }
070
071 @Override
072 public String getToken(HttpServletRequest request) {
073 return getSessionAuthenticationToken(request, _CSRF, true);
074 }
075
076 @Override
077 public String getToken(
078 HttpServletRequest request, long plid, String portletId) {
079
080 return getSessionAuthenticationToken(
081 request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
082 true);
083 }
084
085 @Override
086 public boolean isValidPortletInvocationToken(
087 HttpServletRequest request, long plid, String portletId,
088 String strutsAction, String tokenValue) {
089
090 long companyId = PortalUtil.getCompanyId(request);
091
092 if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
093 companyId, portletId, strutsAction)) {
094
095 return true;
096 }
097
098 if (Validator.isNotNull(tokenValue)) {
099 String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);
100
101 String sessionToken = getSessionAuthenticationToken(
102 request, key, false);
103
104 if (Validator.isNotNull(sessionToken) &&
105 sessionToken.equals(tokenValue)) {
106
107 return true;
108 }
109 }
110
111 return false;
112 }
113
114 protected String getSessionAuthenticationToken(
115 HttpServletRequest request, String key, boolean createToken) {
116
117 HttpSession session = request.getSession();
118
119 String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);
120
121 String sessionAuthenticationToken = (String)session.getAttribute(
122 tokenKey);
123
124 if (createToken && Validator.isNull(sessionAuthenticationToken)) {
125 sessionAuthenticationToken = PwdGenerator.getPassword();
126
127 session.setAttribute(tokenKey, sessionAuthenticationToken);
128 }
129
130 return sessionAuthenticationToken;
131 }
132
133 private static final String _CSRF = "#CSRF";
134
135 }