015 package com.liferay.portal.security.ac;
016
017 import com.liferay.portal.kernel.util.MapUtil;
018 import com.liferay.portal.kernel.util.SetUtil;
019 import com.liferay.portal.kernel.util.StringUtil;
020 import com.liferay.portal.security.auth.AccessControlContext;
021 import com.liferay.portal.security.auth.AuthSettingsUtil;
022 import com.liferay.portal.security.permission.PermissionChecker;
023 import com.liferay.portal.security.permission.PermissionThreadLocal;
024
025 import java.lang.reflect.Method;
026
027 import java.util.Set;
028
029 import javax.servlet.http.HttpServletRequest;
030
031
/**
 * Decides whether a remote invocation of an access-controlled method may
 * proceed. Two independent checks are applied: an optional remote-host
 * allow-list check and an authentication check.
 *
 * <p>
 * Both checks signal refusal by throwing {@link SecurityException}; a normal
 * return means the call is accepted.
 * </p>
 */
public class AccessControlAdvisorImpl implements AccessControlAdvisor {

	/**
	 * Accepts or rejects a call to the given method based on the settings
	 * carried by its access-control annotation.
	 *
	 * <p>
	 * The host check runs first, and only when the annotation enables it.
	 * The authentication check is skipped when the annotation enables guest
	 * access; otherwise a missing permission checker is treated the same as
	 * a user who is not signed in, so the call is refused (fail closed).
	 * </p>
	 *
	 * @param  method the method being invoked (not consulted by this
	 *         implementation)
	 * @param  accessControlled the access-control settings for the method
	 * @throws SecurityException if the remote host is not allowed, or if
	 *         authentication is required and the caller is not signed in
	 */
	public void accept(Method method, AccessControlled accessControlled)
		throws SecurityException {

		if (accessControlled.hostAllowedValidationEnabled()) {
			checkAllowedHosts();
		}

		// The checker is read from a thread local, so the decision below is
		// only as trustworthy as whatever populated it for this thread.

		PermissionChecker checker =
			PermissionThreadLocal.getPermissionChecker();

		if (accessControlled.guestAccessEnabled()) {
			return;
		}

		boolean signedIn = (checker != null) && checker.isSignedIn();

		if (!signedIn) {
			throw new SecurityException("Authenticated access required");
		}
	}

	/**
	 * Verifies the current request against the "hosts.allowed" setting of
	 * the active access control context.
	 *
	 * <p>
	 * When no access control context is available the method returns
	 * without performing any check, i.e. the host restriction fails open in
	 * that case. NOTE(review): confirm that every remotely reachable entry
	 * point initializes the context before this advisor runs.
	 * </p>
	 *
	 * @throws SecurityException if the request is not allowed by the
	 *         configured host list
	 */
	protected void checkAllowedHosts() {
		AccessControlContext context =
			AccessControlUtil.getAccessControlContext();

		if (context == null) {

			// No context, nothing to validate against: the call is let
			// through unchecked.

			return;
		}

		HttpServletRequest request = context.getRequest();

		// The setting is split into individual entries and collected into
		// a set. NOTE(review): how an empty or missing "hosts.allowed" value
		// is treated is decided inside AuthSettingsUtil.isAccessAllowed and
		// is not visible here; verify it does not mean "allow everyone"
		// where a restriction is expected.

		Set<String> permittedHosts = SetUtil.fromArray(
			StringUtil.split(
				MapUtil.getString(context.getSettings(), "hosts.allowed")));

		if (AuthSettingsUtil.isAccessAllowed(request, permittedHosts)) {
			return;
		}

		// getRemoteAddr() reports the address of the direct peer; behind a
		// reverse proxy or load balancer that is the proxy, not the
		// original client. The address is also echoed in the exception
		// message, so it can reach logs or error responses.

		throw new SecurityException(
			"Access denied for " + request.getRemoteAddr());
	}

}