015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
029
030
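/**
 * Session-backed {@link AuthToken}: the CSRF token and the per-portlet
 * invocation tokens are random strings kept as {@link HttpSession} attributes
 * and compared against the value carried by the request.
 *
 * <p>Token comparisons are done in constant time so that a mismatch does not
 * reveal, through response timing, how many leading bytes of the guess were
 * correct.
 */
public class SessionAuthToken implements AuthToken {

    /**
     * Runs the CSRF check using the portlet container as the origin.
     *
     * @param request the current request
     * @throws PrincipalException if the request does not carry the session's
     *         CSRF token and no whitelist applies
     */
    @Override
    public void check(HttpServletRequest request) throws PrincipalException {
        checkCSRFToken(
            request, SecurityPortletContainerWrapper.class.getName());
    }

    /**
     * Verifies the request's CSRF token unless the check is disabled by
     * configuration or one of the whitelists (shared secret, origin, or
     * portlet struts action) accepts the request first.
     *
     * <p>The token is read from the {@code p_auth} parameter and, when that
     * is blank, from the {@code X-CSRF-Token} header. It is compared with the
     * token already stored in the session; no session token is created by
     * this method, so a session without a token always fails the check.
     *
     * @param request the current request
     * @param origin the caller's origin (a class name) used for whitelisting
     * @throws PrincipalException if the request token does not match the
     *         session token
     */
    @Override
    public void checkCSRFToken(HttpServletRequest request, String origin)
        throws PrincipalException {

        if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
            return;
        }

        String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

        if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
            return;
        }

        long companyId = PortalUtil.getCompanyId(request);

        if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
                companyId, origin)) {

            return;
        }

        // Only portlet container invocations carry a portlet id and a struts
        // action to look up in the per-portlet whitelist. The constant is on
        // the left so a null origin is simply "not the container".
        if (SecurityPortletContainerWrapper.class.getName().equals(origin)) {
            String ppid = ParamUtil.getString(request, "p_p_id");

            String portletNamespace = PortalUtil.getPortletNamespace(ppid);

            String strutsAction = ParamUtil.getString(
                request, portletNamespace + "struts_action");

            if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
                    companyId, ppid, strutsAction)) {

                return;
            }
        }

        String csrfToken = ParamUtil.getString(request, "p_auth");

        if (Validator.isNull(csrfToken)) {
            csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
        }

        String sessionToken = getSessionAuthenticationToken(
            request, _CSRF, false);

        // Constant-time compare; a missing session token never matches.
        if (!_isEqual(csrfToken, sessionToken)) {
            throw new PrincipalException("Invalid authentication token");
        }
    }

    /**
     * Returns the session's CSRF token, generating and storing one if the
     * session does not have one yet.
     *
     * @param request the current request
     * @return the CSRF token bound to the request's session
     */
    @Override
    public String getToken(HttpServletRequest request) {
        return getSessionAuthenticationToken(request, _CSRF, true);
    }

    /**
     * Returns the session's invocation token for the given portlet on the
     * given layout, generating and storing one if it does not exist yet.
     *
     * @param request the current request
     * @param plid the layout id
     * @param portletId the portlet id
     * @return the portlet invocation token bound to the request's session
     */
    @Override
    public String getToken(
        HttpServletRequest request, long plid, String portletId) {

        return getSessionAuthenticationToken(
            request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
            true);
    }

    /**
     * Checks whether a portlet invocation is allowed: either the portlet and
     * struts action are whitelisted for the company, or {@code tokenValue}
     * matches the invocation token stored in the session for that portlet.
     *
     * @param request the current request
     * @param plid the layout id
     * @param portletId the portlet id
     * @param strutsAction the struts action being invoked
     * @param tokenValue the token presented by the request, may be blank
     * @return {@code true} if the invocation is whitelisted or the token
     *         matches; {@code false} otherwise, including when the session
     *         holds no token for the portlet
     */
    @Override
    public boolean isValidPortletInvocationToken(
        HttpServletRequest request, long plid, String portletId,
        String strutsAction, String tokenValue) {

        long companyId = PortalUtil.getCompanyId(request);

        if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
                companyId, portletId, strutsAction)) {

            return true;
        }

        if (Validator.isNotNull(tokenValue)) {
            String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

            // Look up only; a token is never minted during validation.
            String sessionToken = getSessionAuthenticationToken(
                request, key, false);

            if (Validator.isNotNull(sessionToken) &&
                _isEqual(sessionToken, tokenValue)) {

                return true;
            }
        }

        return false;
    }

    /**
     * Reads the token stored under {@code WebKeys.AUTHENTICATION_TOKEN + key}
     * in the request's session, optionally creating it.
     *
     * <p>Note that {@link HttpServletRequest#getSession()} creates a session
     * when the request has none, even when {@code createToken} is
     * {@code false}.
     *
     * @param request the current request
     * @param key the token key suffix (the CSRF marker or a portlet primary
     *        key)
     * @param createToken whether to generate and store a token when the
     *        session has none under that key
     * @return the stored token, the newly generated one when
     *         {@code createToken} is set, or {@code null} when none exists and
     *         none was created
     */
    protected String getSessionAuthenticationToken(
        HttpServletRequest request, String key, boolean createToken) {

        HttpSession session = request.getSession();

        String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

        String sessionAuthenticationToken = (String)session.getAttribute(
            tokenKey);

        if (createToken && Validator.isNull(sessionAuthenticationToken)) {
            sessionAuthenticationToken = PwdGenerator.getPassword(
                PropsValues.AUTH_TOKEN_LENGTH);

            session.setAttribute(tokenKey, sessionAuthenticationToken);
        }

        return sessionAuthenticationToken;
    }

    /**
     * Compares two token strings without short-circuiting on the first
     * differing byte, so the comparison time does not depend on how much of
     * {@code actual} matches {@code expected}.
     *
     * @param expected the token held by the session
     * @param actual the token presented by the request
     * @return {@code true} only if both are non-null and byte-for-byte equal
     */
    private static boolean _isEqual(String expected, String actual) {
        if ((expected == null) || (actual == null)) {
            return false;
        }

        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Key suffix under which the session-wide CSRF token is stored. */
    private static final String _CSRF = "#CSRF";

}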