001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.util.Base64;
022    import com.liferay.portal.kernel.util.CharPool;
023    import com.liferay.portal.kernel.util.GetterUtil;
024    import com.liferay.portal.kernel.util.StringUtil;
025    import com.liferay.portal.model.Company;
026    import com.liferay.portal.model.User;
027    import com.liferay.portal.service.UserLocalServiceUtil;
028    import com.liferay.portal.service.http.TunnelUtil;
029    import com.liferay.portal.util.PortalUtil;
030    import com.liferay.util.Encryptor;
031    import com.liferay.util.EncryptorException;
032    
033    import java.security.InvalidKeyException;
034    
035    import java.util.Properties;
036    import java.util.StringTokenizer;
037    
038    import javax.servlet.http.HttpServletRequest;
039    
040    /**
041     * @author Zsolt Berentey
042     */
043    public class TunnelingServletAuthVerifier implements AuthVerifier {
044    
045            @Override
046            public String getAuthType() {
047                    return HttpServletRequest.BASIC_AUTH;
048            }
049    
050            @Override
051            public AuthVerifierResult verify(
052                            AccessControlContext accessControlContext, Properties properties)
053                    throws AuthException {
054    
055                    AuthVerifierResult authVerifierResult = new AuthVerifierResult();
056    
057                    String[] credentials = verify(accessControlContext.getRequest());
058    
059                    if (credentials != null) {
060                            authVerifierResult.setPassword(credentials[1]);
061                            authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
062                            authVerifierResult.setUserId(Long.valueOf(credentials[0]));
063                    }
064    
065                    return authVerifierResult;
066            }
067    
068            protected String[] verify(HttpServletRequest request) throws AuthException {
069                    String authorization = request.getHeader("Authorization");
070    
071                    if (authorization == null) {
072                            return null;
073                    }
074    
075                    StringTokenizer st = new StringTokenizer(authorization);
076    
077                    if (!st.hasMoreTokens()) {
078                            return null;
079                    }
080    
081                    String basic = st.nextToken();
082    
083                    if (!StringUtil.equalsIgnoreCase(
084                                    basic, HttpServletRequest.BASIC_AUTH)) {
085    
086                            return null;
087                    }
088    
089                    String encodedCredentials = st.nextToken();
090    
091                    if (_log.isDebugEnabled()) {
092                            _log.debug("Encoded credentials " + encodedCredentials);
093                    }
094    
095                    String decodedCredentials = new String(
096                            Base64.decode(encodedCredentials));
097    
098                    if (_log.isDebugEnabled()) {
099                            _log.debug("Decoded credentials " + decodedCredentials);
100                    }
101    
102                    int index = decodedCredentials.indexOf(CharPool.COLON);
103    
104                    if (index == -1) {
105                            return null;
106                    }
107    
108                    String login = GetterUtil.getString(
109                            decodedCredentials.substring(0, index));
110                    String password = decodedCredentials.substring(index + 1);
111    
112                    String expectedPassword = null;
113    
114                    try {
115                            expectedPassword = Encryptor.encrypt(
116                                    TunnelUtil.getSharedSecretKey(), login);
117                    }
118                    catch (EncryptorException ee) {
119                            throw new AuthException("Unable to decrypt login.", ee);
120                    }
121                    catch (InvalidKeyException ike) {
122                            throw new AuthException(ike);
123                    }
124    
125                    if (!password.equals(expectedPassword)) {
126                            throw new AuthException(
127                                    "Tunneling servlet shared secrets do not match");
128                    }
129    
130                    User user = null;
131    
132                    try {
133                            user = UserLocalServiceUtil.fetchUser(GetterUtil.getLong(login));
134    
135                            if (user == null) {
136                                    Company company = PortalUtil.getCompany(request);
137    
138                                    user = UserLocalServiceUtil.fetchUserByEmailAddress(
139                                            company.getCompanyId(), login);
140    
141                                    if (user == null) {
142                                            user = UserLocalServiceUtil.fetchUserByScreenName(
143                                                    company.getCompanyId(), login);
144                                    }
145                            }
146                    }
147                    catch (PortalException pe) {
148                            if (_log.isWarnEnabled()) {
149                                    _log.warn("Unable to find company", pe);
150                            }
151                    }
152                    catch (SystemException se) {
153                            if (_log.isWarnEnabled()) {
154                                    _log.warn("Unable to find user", se);
155                            }
156                    }
157    
158                    if (user == null) {
159                            throw new AuthException();
160                    }
161    
162                    String[] credentials = new String[2];
163    
164                    credentials[0] = String.valueOf(user.getUserId());
165                    credentials[1] = password;
166    
167                    return credentials;
168            }
169    
170            private static Log _log = LogFactoryUtil.getLog(
171                    TunnelingServletAuthVerifier.class);
172    
173    }