015 package com.liferay.portal.security.ac;
016
017 import com.liferay.portal.kernel.util.MapUtil;
018 import com.liferay.portal.kernel.util.SetUtil;
019 import com.liferay.portal.kernel.util.StringUtil;
020 import com.liferay.portal.security.auth.AccessControlContext;
021 import com.liferay.portal.security.auth.AuthSettingsUtil;
022 import com.liferay.portal.security.permission.PermissionChecker;
023 import com.liferay.portal.security.permission.PermissionThreadLocal;
024
025 import java.lang.reflect.Method;
026
027 import java.util.Set;
028
029 import javax.servlet.http.HttpServletRequest;
030
031
/**
 * {@link AccessControlAdvisor} that applies two gates to an advised call: a
 * host allow-list test (see {@link #checkAllowedHosts()}) followed by a
 * signed-in test on the {@link PermissionChecker} bound to the current thread.
 *
 * <p>
 * Both gates signal refusal by throwing {@link SecurityException}; nothing is
 * returned on success.
 * </p>
 */
public class AccessControlAdvisorImpl implements AccessControlAdvisor {

    /**
     * Rejects the call unless the host check passes and the thread-local
     * permission checker reports a signed-in user.
     *
     * <p>
     * Neither argument is read by this implementation, so every advised method
     * receives the same decision regardless of the attributes carried by its
     * annotation.
     * </p>
     *
     * @param  method the advised method (unused here)
     * @param  accessControlled the annotation found on the method (unused here)
     * @throws SecurityException if the host check fails, or if no permission
     *         checker is bound to the thread, or if it is not signed in
     */
    public void accept(Method method, AccessControlled accessControlled)
        throws SecurityException {

        // The host gate runs first, so a caller from a disallowed address is
        // refused before its authentication state is looked at.
        checkAllowedHosts();

        PermissionChecker checker =
            PermissionThreadLocal.getPermissionChecker();

        // A missing checker is treated exactly like an anonymous one: deny.
        boolean signedIn = (checker != null) && checker.isSignedIn();

        if (!signedIn) {
            throw new SecurityException("Authenticated access required");
        }
    }

    /**
     * Tests the current request against the {@code hosts.allowed} setting of
     * the active {@link AccessControlContext}.
     *
     * <p>
     * When no context is available the method returns without checking
     * anything, i.e. the host gate fails open in that case.
     * NOTE(review): presumably this covers invocations that do not originate
     * from an HTTP request; confirm that no remotely reachable path can arrive
     * here without a context.
     * </p>
     *
     * @throws SecurityException if {@link AuthSettingsUtil#isAccessAllowed}
     *         refuses the request
     */
    protected void checkAllowedHosts() {
        AccessControlContext context =
            AccessControlUtil.getAccessControlContext();

        if (context != null) {
            HttpServletRequest request = context.getRequest();

            // "hosts.allowed" is read as a string, split into an array and
            // turned into a set. How an absent or empty value is treated is
            // decided inside AuthSettingsUtil.isAccessAllowed, which is not
            // visible here.
            // NOTE(review): verify whether an empty set means "allow all".
            Set<String> allowedHosts = SetUtil.fromArray(
                StringUtil.split(
                    MapUtil.getString(
                        context.getSettings(), "hosts.allowed")));

            if (!AuthSettingsUtil.isAccessAllowed(request, allowedHosts)) {

                // getRemoteAddr() is the address of the peer that opened the
                // connection; behind a reverse proxy or load balancer that is
                // the proxy, not the end client. The address is embedded in
                // the exception message, so it travels wherever that message
                // is logged or rendered.
                throw new SecurityException(
                    "Access denied for " + request.getRemoteAddr());
            }
        }
    }

}