001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.util.GetterUtil;
018    import com.liferay.portal.kernel.util.ParamUtil;
019    import com.liferay.portal.kernel.util.Validator;
020    import com.liferay.portal.kernel.util.WebKeys;
021    import com.liferay.portal.service.permission.PortletPermissionUtil;
022    import com.liferay.portal.util.PortalUtil;
023    import com.liferay.portal.util.PropsValues;
024    import com.liferay.portlet.SecurityPortletContainerWrapper;
025    import com.liferay.util.PwdGenerator;
026    
027    import javax.servlet.http.HttpServletRequest;
028    import javax.servlet.http.HttpSession;
029    
030    /**
031     * @author Amos Fong
032     */
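/**
 * Session-bound implementation of {@link AuthToken}.
 *
 * <p>Tokens are random strings generated once per session and per key (the
 * global CSRF key {@link #_CSRF} or a portlet primary key) and stored as session
 * attributes under {@link WebKeys#AUTHENTICATION_TOKEN} + key. A request is
 * accepted when the token it carries matches the stored one, or when one of
 * the configured whitelists (shared secret, origin, portlet/struts action)
 * applies.</p>
 *
 * <p>Security notes: the token comparison is done in constant time so that the
 * expected value is not leaked character by character through response timing,
 * an empty submitted token never validates, and verification paths never
 * create a new HTTP session (only token issuance does).</p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Validates the CSRF token of a portlet container request.
	 *
	 * <p>Delegates to {@link #checkCSRFToken(HttpServletRequest, String)} with
	 * {@link SecurityPortletContainerWrapper} as the origin, which additionally
	 * enables the per-portlet struts action whitelist.</p>
	 *
	 * @param  request the request carrying the token
	 * @throws PrincipalException if the token is missing or does not match the
	 *         one stored in the session
	 */
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Validates the CSRF token of a request, unless the token check is disabled
	 * or the request matches one of the configured bypasses.
	 *
	 * <p>The token is read from the <code>p_auth</code> parameter and, if that
	 * is empty, from the <code>X-CSRF-Token</code> header.</p>
	 *
	 * @param  request the request carrying the token
	 * @param  origin the caller's origin, used for the origin and portlet
	 *         whitelists (e.g. a class name)
	 * @throws PrincipalException if the submitted token is empty or does not
	 *         match the token stored in the session
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		// Bypass 1: a shared secret for trusted (server side) callers

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		// Bypass 2: the origin is whitelisted for this company

		if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
				companyId, origin)) {

			return;
		}

		// Bypass 3: portlet container requests may whitelist single struts
		// actions of a portlet. Comparing from the constant side also tolerates
		// a null origin.

		if (SecurityPortletContainerWrapper.class.getName().equals(origin)) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			String portletNamespace = PortalUtil.getPortletNamespace(ppid);

			String strutsAction = ParamUtil.getString(
				request, portletNamespace + "struts_action");

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					companyId, ppid, strutsAction)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Fail closed: an empty submitted token must never validate, even if
		// the session holds no token or an empty one

		if (Validator.isNull(csrfToken)) {
			throw new PrincipalException("Invalid authentication token");
		}

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		if (!_isEqualConstantTime(sessionToken, csrfToken)) {
			throw new PrincipalException("Invalid authentication token");
		}
	}

	/**
	 * Returns the session's CSRF token, generating and storing it on first use.
	 *
	 * @param  request the request whose session holds the token
	 * @return the CSRF token, never <code>null</code>
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's portlet invocation token for a portlet on a layout,
	 * generating and storing it on first use.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout's primary key
	 * @param  portletId the portlet's ID
	 * @return the invocation token, never <code>null</code>
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns <code>true</code> if the portlet invocation is whitelisted for the
	 * company or <code>tokenValue</code> matches the session's invocation token
	 * for the portlet on the layout.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout's primary key
	 * @param  portletId the portlet's ID
	 * @param  strutsAction the struts action being invoked, checked against the
	 *         portlet invocation whitelist
	 * @param  tokenValue the token supplied by the client, may be
	 *         <code>null</code>
	 * @return <code>true</code> if the invocation is allowed
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				companyId, portletId, strutsAction)) {

			return true;
		}

		if (Validator.isNull(tokenValue)) {
			return false;
		}

		String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

		String sessionToken = getSessionAuthenticationToken(
			request, key, false);

		// The helper rejects a null or empty stored token itself
		return Validator.isNotNull(sessionToken) &&
			_isEqualConstantTime(sessionToken, tokenValue);
	}

	/**
	 * Reads the session token stored under <code>key</code>, optionally
	 * generating and storing a new one if none exists.
	 *
	 * <p>Only the issuing path (<code>createToken == true</code>) may create an
	 * HTTP session. A verification request that has no session cannot succeed
	 * anyway, so no session is allocated for it.</p>
	 *
	 * @param  request the request whose session holds the token
	 * @param  key the token key, appended to
	 *         {@link WebKeys#AUTHENTICATION_TOKEN}
	 * @param  createToken whether to generate and store a token if none exists
	 * @return the stored token, or <code>null</code> if there is none and
	 *         <code>createToken</code> is <code>false</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		HttpSession session = null;

		if (createToken) {
			session = request.getSession();
		}
		else {
			session = request.getSession(false);
		}

		if (session == null) {
			return null;
		}

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = (String)session.getAttribute(
			tokenKey);

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {

			// NOTE(review): token unpredictability depends on PwdGenerator
			// drawing from a cryptographically secure RNG; confirm that
			// before relying on this as the only CSRF defense

			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares two tokens in time that does not depend on where they first
	 * differ, so that response timing does not leak the expected token one
	 * character at a time. Only the lengths can influence the running time.
	 *
	 * @param  expected the token stored server side, may be <code>null</code>
	 * @param  actual the token supplied by the client, may be <code>null</code>
	 * @return <code>true</code> if both are non-<code>null</code>, non-empty
	 *         and equal
	 */
	private static boolean _isEqualConstantTime(
		String expected, String actual) {

		if ((expected == null) || (actual == null)) {
			return false;
		}

		if ((expected.length() == 0) ||
			(expected.length() != actual.length())) {

			return false;
		}

		int diff = 0;

		for (int i = 0; i < expected.length(); i++) {
			diff |= expected.charAt(i) ^ actual.charAt(i);
		}

		return diff == 0;
	}

	private static final String _CSRF = "#CSRF";

}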