001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.util.ParamUtil;
018    import com.liferay.portal.kernel.util.Validator;
019    import com.liferay.portal.kernel.util.WebKeys;
020    import com.liferay.portal.service.permission.PortletPermissionUtil;
021    import com.liferay.portal.util.PortalUtil;
022    import com.liferay.portal.util.PropsValues;
023    import com.liferay.util.Encryptor;
024    import com.liferay.util.PwdGenerator;
025    
026    import javax.servlet.http.HttpServletRequest;
027    import javax.servlet.http.HttpSession;
028    
029    /**
030     * @author Amos Fong
031     */
032    public class SessionAuthToken implements AuthToken {
033    
034            @Override
035            public void check(HttpServletRequest request) throws PrincipalException {
036                    long companyId = PortalUtil.getCompanyId(request);
037    
038                    String ppid = ParamUtil.getString(request, "p_p_id");
039    
040                    String portletNamespace = PortalUtil.getPortletNamespace(ppid);
041    
042                    String strutsAction = ParamUtil.getString(
043                            request, portletNamespace + "struts_action");
044    
045                    if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
046                                    companyId, ppid, strutsAction)) {
047    
048                            return;
049                    }
050    
051                    String requestAuthenticationToken = ParamUtil.getString(
052                            request, "p_auth");
053    
054                    String sessionAuthenticationToken = getSessionAuthenticationToken(
055                            request, _CSRF, false);
056    
057                    String propertiesAuthenticatonTokenSharedSecret = Encryptor.digest(
058                            PropsValues.AUTH_TOKEN_SHARED_SECRET);
059    
060                    String requestAuthenticatonTokenSharedSecret = ParamUtil.getString(
061                            request, "p_auth_secret");
062    
063                    if (!requestAuthenticationToken.equals(sessionAuthenticationToken) &&
064                            !requestAuthenticatonTokenSharedSecret.equals(
065                                    propertiesAuthenticatonTokenSharedSecret)) {
066    
067                            throw new PrincipalException("Invalid authentication token");
068                    }
069            }
070    
071            @Override
072            public String getToken(HttpServletRequest request) {
073                    return getSessionAuthenticationToken(request, _CSRF, true);
074            }
075    
076            @Override
077            public String getToken(
078                    HttpServletRequest request, long plid, String portletId) {
079    
080                    return getSessionAuthenticationToken(
081                            request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
082                            true);
083            }
084    
085            @Override
086            public boolean isValidPortletInvocationToken(
087                    HttpServletRequest request, long plid, String portletId,
088                    String strutsAction, String tokenValue) {
089    
090                    long companyId = PortalUtil.getCompanyId(request);
091    
092                    if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
093                                    companyId, portletId, strutsAction)) {
094    
095                            return true;
096                    }
097    
098                    if (Validator.isNotNull(tokenValue)) {
099                            String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);
100    
101                            String sessionToken = getSessionAuthenticationToken(
102                                    request, key, false);
103    
104                            if (Validator.isNotNull(sessionToken) &&
105                                    sessionToken.equals(tokenValue)) {
106    
107                                    return true;
108                            }
109                    }
110    
111                    return false;
112            }
113    
114            protected String getSessionAuthenticationToken(
115                    HttpServletRequest request, String key, boolean createToken) {
116    
117                    HttpSession session = request.getSession();
118    
119                    String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);
120    
121                    String sessionAuthenticationToken = (String)session.getAttribute(
122                            tokenKey);
123    
124                    if (createToken && Validator.isNull(sessionAuthenticationToken)) {
125                            sessionAuthenticationToken = PwdGenerator.getPassword();
126    
127                            session.setAttribute(tokenKey, sessionAuthenticationToken);
128                    }
129    
130                    return sessionAuthenticationToken;
131            }
132    
133            private static final String _CSRF = "#CSRF";
134    
135    }