001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.util.ParamUtil;
018    import com.liferay.portal.kernel.util.Validator;
019    import com.liferay.portal.kernel.util.WebKeys;
020    import com.liferay.portal.service.permission.PortletPermissionUtil;
021    import com.liferay.portal.util.PortalUtil;
022    import com.liferay.portal.util.PropsValues;
023    import com.liferay.portlet.SecurityPortletContainerWrapper;
024    import com.liferay.util.PwdGenerator;
025    
026    import javax.servlet.http.HttpServletRequest;
027    import javax.servlet.http.HttpSession;
028    
029    /**
030     * @author Amos Fong
031     */
032    public class SessionAuthToken implements AuthToken {
033    
034            @Override
035            public void check(HttpServletRequest request) throws PrincipalException {
036                    checkCSRFToken(
037                            request, SecurityPortletContainerWrapper.class.getName());
038            }
039    
040            @Override
041            public void checkCSRFToken(HttpServletRequest request, String origin)
042                    throws PrincipalException {
043    
044                    if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
045                            return;
046                    }
047    
048                    String sharedSecret = ParamUtil.getString(request, "p_auth_secret");
049    
050                    if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
051                            return;
052                    }
053    
054                    long companyId = PortalUtil.getCompanyId(request);
055    
056                    if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
057                                    companyId, origin)) {
058    
059                            return;
060                    }
061    
062                    if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
063                            String ppid = ParamUtil.getString(request, "p_p_id");
064    
065                            String portletNamespace = PortalUtil.getPortletNamespace(ppid);
066    
067                            String strutsAction = ParamUtil.getString(
068                                    request, portletNamespace + "struts_action");
069    
070                            if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
071                                            companyId, ppid, strutsAction)) {
072    
073                                    return;
074                            }
075                    }
076    
077                    String csrfToken = ParamUtil.getString(request, "p_auth");
078    
079                    String sessionToken = getSessionAuthenticationToken(
080                            request, _CSRF, false);
081    
082                    if (!csrfToken.equals(sessionToken)) {
083                            throw new PrincipalException("Invalid authentication token");
084                    }
085            }
086    
087            @Override
088            public String getToken(HttpServletRequest request) {
089                    return getSessionAuthenticationToken(request, _CSRF, true);
090            }
091    
092            @Override
093            public String getToken(
094                    HttpServletRequest request, long plid, String portletId) {
095    
096                    return getSessionAuthenticationToken(
097                            request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
098                            true);
099            }
100    
101            @Override
102            public boolean isValidPortletInvocationToken(
103                    HttpServletRequest request, long plid, String portletId,
104                    String strutsAction, String tokenValue) {
105    
106                    long companyId = PortalUtil.getCompanyId(request);
107    
108                    if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
109                                    companyId, portletId, strutsAction)) {
110    
111                            return true;
112                    }
113    
114                    if (Validator.isNotNull(tokenValue)) {
115                            String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);
116    
117                            String sessionToken = getSessionAuthenticationToken(
118                                    request, key, false);
119    
120                            if (Validator.isNotNull(sessionToken) &&
121                                    sessionToken.equals(tokenValue)) {
122    
123                                    return true;
124                            }
125                    }
126    
127                    return false;
128            }
129    
130            protected String getSessionAuthenticationToken(
131                    HttpServletRequest request, String key, boolean createToken) {
132    
133                    HttpSession session = request.getSession();
134    
135                    String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);
136    
137                    String sessionAuthenticationToken = (String)session.getAttribute(
138                            tokenKey);
139    
140                    if (createToken && Validator.isNull(sessionAuthenticationToken)) {
141                            sessionAuthenticationToken = PwdGenerator.getPassword();
142    
143                            session.setAttribute(tokenKey, sessionAuthenticationToken);
144                    }
145    
146                    return sessionAuthenticationToken;
147            }
148    
149            private static final String _CSRF = "#CSRF";
150    
151    }