001
014
015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.exception.SystemException;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.util.Base64;
022 import com.liferay.portal.kernel.util.CharPool;
023 import com.liferay.portal.kernel.util.GetterUtil;
024 import com.liferay.portal.kernel.util.StringUtil;
025 import com.liferay.portal.model.Company;
026 import com.liferay.portal.model.User;
027 import com.liferay.portal.service.UserLocalServiceUtil;
028 import com.liferay.portal.service.http.TunnelUtil;
029 import com.liferay.portal.util.PortalUtil;
030 import com.liferay.util.Encryptor;
031 import com.liferay.util.EncryptorException;
032
033 import java.security.InvalidKeyException;
034
035 import java.util.Properties;
036 import java.util.StringTokenizer;
037
038 import javax.servlet.http.HttpServletRequest;
039
040
043 public class TunnelingServletAuthVerifier implements AuthVerifier {
044
045 @Override
046 public String getAuthType() {
047 return HttpServletRequest.BASIC_AUTH;
048 }
049
050 @Override
051 public AuthVerifierResult verify(
052 AccessControlContext accessControlContext, Properties properties)
053 throws AuthException {
054
055 AuthVerifierResult authVerifierResult = new AuthVerifierResult();
056
057 String[] credentials = verify(accessControlContext.getRequest());
058
059 if (credentials != null) {
060 authVerifierResult.setPassword(credentials[1]);
061 authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
062 authVerifierResult.setUserId(Long.valueOf(credentials[0]));
063 }
064
065 return authVerifierResult;
066 }
067
068 protected String[] verify(HttpServletRequest request) throws AuthException {
069 String authorization = request.getHeader("Authorization");
070
071 if (authorization == null) {
072 return null;
073 }
074
075 StringTokenizer st = new StringTokenizer(authorization);
076
077 if (!st.hasMoreTokens()) {
078 return null;
079 }
080
081 String basic = st.nextToken();
082
083 if (!StringUtil.equalsIgnoreCase(
084 basic, HttpServletRequest.BASIC_AUTH)) {
085
086 return null;
087 }
088
089 String encodedCredentials = st.nextToken();
090
091 if (_log.isDebugEnabled()) {
092 _log.debug("Encoded credentials " + encodedCredentials);
093 }
094
095 String decodedCredentials = new String(
096 Base64.decode(encodedCredentials));
097
098 if (_log.isDebugEnabled()) {
099 _log.debug("Decoded credentials " + decodedCredentials);
100 }
101
102 int index = decodedCredentials.indexOf(CharPool.COLON);
103
104 if (index == -1) {
105 return null;
106 }
107
108 String login = GetterUtil.getString(
109 decodedCredentials.substring(0, index));
110 String password = decodedCredentials.substring(index + 1);
111
112 String expectedPassword = null;
113
114 try {
115 expectedPassword = Encryptor.encrypt(
116 TunnelUtil.getSharedSecretKey(), login);
117 }
118 catch (EncryptorException ee) {
119 throw new AuthException("Unable to decrypt login.", ee);
120 }
121 catch (InvalidKeyException ike) {
122 throw new AuthException(ike);
123 }
124
125 if (!password.equals(expectedPassword)) {
126 throw new AuthException(
127 "Tunneling servlet shared secrets do not match");
128 }
129
130 User user = null;
131
132 try {
133 user = UserLocalServiceUtil.fetchUser(GetterUtil.getLong(login));
134
135 if (user == null) {
136 Company company = PortalUtil.getCompany(request);
137
138 user = UserLocalServiceUtil.fetchUserByEmailAddress(
139 company.getCompanyId(), login);
140
141 if (user == null) {
142 user = UserLocalServiceUtil.fetchUserByScreenName(
143 company.getCompanyId(), login);
144 }
145 }
146 }
147 catch (PortalException pe) {
148 if (_log.isWarnEnabled()) {
149 _log.warn("Unable to find company", pe);
150 }
151 }
152 catch (SystemException se) {
153 if (_log.isWarnEnabled()) {
154 _log.warn("Unable to find user", se);
155 }
156 }
157
158 if (user == null) {
159 throw new AuthException();
160 }
161
162 String[] credentials = new String[2];
163
164 credentials[0] = String.valueOf(user.getUserId());
165 credentials[1] = password;
166
167 return credentials;
168 }
169
170 private static Log _log = LogFactoryUtil.getLog(
171 TunnelingServletAuthVerifier.class);
172
173 }