001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.struts;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.json.JSONFactoryUtil;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.servlet.HttpHeaders;
022    import com.liferay.portal.kernel.servlet.ServletContextPool;
023    import com.liferay.portal.kernel.util.ContentTypes;
024    import com.liferay.portal.kernel.util.GetterUtil;
025    import com.liferay.portal.kernel.util.ParamUtil;
026    import com.liferay.portal.kernel.util.SetUtil;
027    import com.liferay.portal.kernel.util.StringPool;
028    import com.liferay.portal.kernel.util.Validator;
029    import com.liferay.portal.security.ac.AccessControlUtil;
030    import com.liferay.portal.security.auth.AuthSettingsUtil;
031    import com.liferay.portal.security.auth.AuthTokenUtil;
032    import com.liferay.portal.security.auth.PortalSessionAuthVerifier;
033    import com.liferay.portal.servlet.SharedSessionServletRequest;
034    import com.liferay.portal.util.PortalUtil;
035    import com.liferay.portal.util.PropsValues;
036    import com.liferay.portal.util.WebKeys;
037    
038    import java.io.OutputStream;
039    
040    import java.util.Set;
041    
042    import javax.servlet.RequestDispatcher;
043    import javax.servlet.ServletContext;
044    import javax.servlet.http.HttpServletRequest;
045    import javax.servlet.http.HttpServletResponse;
046    
047    import org.apache.struts.action.Action;
048    import org.apache.struts.action.ActionForm;
049    import org.apache.struts.action.ActionForward;
050    import org.apache.struts.action.ActionMapping;
051    
052    /**
053     * @author Ming-Gih Lam
054     * @author Brian Wing Shun Chan
055     * @author Tomas Polesovsky
056     */
057    public abstract class JSONAction extends Action {
058    
059            @Override
060            public ActionForward execute(
061                            ActionMapping mapping, ActionForm form, HttpServletRequest request,
062                            HttpServletResponse response)
063                    throws Exception {
064    
065                    if (rerouteExecute(request, response)) {
066                            return null;
067                    }
068    
069                    String callback = ParamUtil.getString(request, "callback");
070                    String instance = ParamUtil.getString(request, "inst");
071    
072                    String json = null;
073    
074                    try {
075                            checkAuthToken(request);
076    
077                            json = getJSON(mapping, form, request, response);
078    
079                            if (Validator.isNotNull(callback)) {
080                                    json = callback + "(" + json + ");";
081                            }
082                            else if (Validator.isNotNull(instance)) {
083                                    json = "var " + instance + "=" + json + ";";
084                            }
085                    }
086                    catch (SecurityException se) {
087                            if (_log.isWarnEnabled()) {
088                                    _log.warn(se.getMessage());
089                            }
090    
091                            json = JSONFactoryUtil.serializeException(se);
092                    }
093                    catch (Exception e) {
094                            _log.error(e, e);
095    
096                            PortalUtil.sendError(
097                                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
098                                    response);
099    
100                            return null;
101                    }
102    
103                    boolean refresh = ParamUtil.getBoolean(request, "refresh");
104    
105                    if (refresh) {
106                            return mapping.findForward(ActionConstants.COMMON_REFERER);
107                    }
108                    else if (Validator.isNotNull(json)) {
109                            response.setCharacterEncoding(StringPool.UTF8);
110                            response.setContentType(ContentTypes.APPLICATION_JSON);
111                            response.setHeader(
112                                    HttpHeaders.CACHE_CONTROL,
113                                    HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
114    
115                            OutputStream outputStream = response.getOutputStream();
116    
117                            byte[] bytes = json.getBytes(StringPool.UTF8);
118    
119                            outputStream.write(bytes);
120    
121                            outputStream.close();
122                    }
123    
124                    return null;
125            }
126    
127            public abstract String getJSON(
128                            ActionMapping mapping, ActionForm form, HttpServletRequest request,
129                            HttpServletResponse response)
130                    throws Exception;
131    
132            public void setServletContext(ServletContext servletContext) {
133                    _servletContext = servletContext;
134            }
135    
136            protected void checkAuthToken(HttpServletRequest request)
137                    throws PortalException {
138    
139                    String authType = GetterUtil.getString(request.getAuthType());
140    
141                    // Support for the legacy JSON API at /c/portal/json_service
142    
143                    if (AccessControlUtil.getAccessControlContext() == null) {
144                            if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
145                                    authType.equals(HttpServletRequest.DIGEST_AUTH)) {
146    
147                                    return;
148                            }
149                    }
150                    else {
151    
152                            // The new web service should only check auth tokens when the user
153                            // is authenticated using portal session cookies
154    
155                            if (!authType.equals(PortalSessionAuthVerifier.AUTH_TYPE)) {
156                                    return;
157                            }
158                    }
159    
160                    if (PropsValues.AUTH_TOKEN_CHECK_ENABLED &&
161                            PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
162    
163                            if (!AuthSettingsUtil.isAccessAllowed(request, _hostsAllowed)) {
164                                    AuthTokenUtil.check(request);
165                            }
166                    }
167            }
168    
169            protected String getReroutePath() {
170                    return null;
171            }
172    
173            protected boolean rerouteExecute(
174                            HttpServletRequest request, HttpServletResponse response)
175                    throws Exception {
176    
177                    String reroutePath = getReroutePath();
178    
179                    if (Validator.isNull(reroutePath)) {
180                            return false;
181                    }
182    
183                    String requestServletContextName = ParamUtil.getString(
184                            request, "servletContextName");
185    
186                    if (Validator.isNull(requestServletContextName)) {
187                            return false;
188                    }
189    
190                    ServletContext servletContext = _servletContext;
191    
192                    if (servletContext == null) {
193                            servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
194                    }
195    
196                    String servletContextName = GetterUtil.getString(
197                            servletContext.getServletContextName());
198    
199                    if (servletContextName.equals(requestServletContextName)) {
200                            return false;
201                    }
202    
203                    ServletContext requestServletContext = ServletContextPool.get(
204                            requestServletContextName);
205    
206                    if (requestServletContext == null) {
207                            return false;
208                    }
209    
210                    RequestDispatcher requestDispatcher =
211                            requestServletContext.getRequestDispatcher(reroutePath);
212    
213                    if (requestDispatcher == null) {
214                            return false;
215                    }
216    
217                    requestDispatcher.forward(
218                            new SharedSessionServletRequest(request, true), response);
219    
220                    return true;
221            }
222    
223            private static Log _log = LogFactoryUtil.getLog(JSONAction.class);
224    
225            private Set<String> _hostsAllowed = SetUtil.fromArray(
226                    PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
227            private ServletContext _servletContext;
228    
229    }