001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet.filters.autologin;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
020    import com.liferay.portal.kernel.security.auto.login.AutoLogin;
021    import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
022    import com.liferay.portal.kernel.util.GetterUtil;
023    import com.liferay.portal.kernel.util.StringBundler;
024    import com.liferay.portal.kernel.util.StringPool;
025    import com.liferay.portal.kernel.util.StringUtil;
026    import com.liferay.portal.kernel.util.Validator;
027    import com.liferay.portal.model.User;
028    import com.liferay.portal.security.pwd.PasswordEncryptorUtil;
029    import com.liferay.portal.service.UserLocalServiceUtil;
030    import com.liferay.portal.servlet.filters.BasePortalFilter;
031    import com.liferay.portal.util.Portal;
032    import com.liferay.portal.util.PortalInstances;
033    import com.liferay.portal.util.PortalUtil;
034    import com.liferay.portal.util.PropsValues;
035    import com.liferay.portal.util.WebKeys;
036    import com.liferay.registry.Registry;
037    import com.liferay.registry.RegistryUtil;
038    import com.liferay.registry.ServiceReference;
039    import com.liferay.registry.ServiceTracker;
040    import com.liferay.registry.ServiceTrackerCustomizer;
041    
042    import java.util.List;
043    import java.util.concurrent.CopyOnWriteArrayList;
044    
045    import javax.servlet.FilterChain;
046    import javax.servlet.http.HttpServletRequest;
047    import javax.servlet.http.HttpServletResponse;
048    import javax.servlet.http.HttpSession;
049    
050    /**
051     * @author Brian Wing Shun Chan
052     * @author Peter Fellwock
053     * @author Raymond Aug??
054     */
055    public class AutoLoginFilter extends BasePortalFilter {
056    
057            public AutoLoginFilter() {
058                    Registry registry = RegistryUtil.getRegistry();
059    
060                    _serviceTracker = registry.trackServices(
061                            AutoLogin.class, new AutoLoginServiceTrackerCustomizer());
062    
063                    _serviceTracker.open();
064            }
065    
066            protected String getLoginRemoteUser(
067                            HttpServletRequest request, HttpServletResponse response,
068                            HttpSession session, String[] credentials)
069                    throws Exception {
070    
071                    if ((credentials == null) || (credentials.length != 3)) {
072                            return null;
073                    }
074    
075                    String jUsername = credentials[0];
076                    String jPassword = credentials[1];
077                    boolean encPassword = GetterUtil.getBoolean(credentials[2]);
078    
079                    if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
080                            return null;
081                    }
082    
083                    long userId = GetterUtil.getLong(jUsername);
084    
085                    if (userId <= 0) {
086                            return null;
087                    }
088    
089                    User user = UserLocalServiceUtil.fetchUserById(userId);
090    
091                    if ((user == null) || user.isLockout()) {
092                            return null;
093                    }
094    
095                    if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
096                            AuthenticatedSessionManagerUtil.signOutSimultaneousLogins(userId);
097                    }
098    
099                    if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
100                            session = AuthenticatedSessionManagerUtil.renewSession(
101                                    request, session);
102                    }
103    
104                    session.setAttribute("j_username", jUsername);
105    
106                    // Not having access to the unencrypted password will not allow you to
107                    // connect to external resources that require it (mail server)
108    
109                    if (encPassword) {
110                            session.setAttribute("j_password", jPassword);
111                    }
112                    else {
113                            session.setAttribute(
114                                    "j_password",
115                                    PasswordEncryptorUtil.encrypt(jPassword, user.getPassword()));
116    
117                            if (PropsValues.SESSION_STORE_PASSWORD) {
118                                    session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
119                            }
120                    }
121    
122                    session.setAttribute("j_remoteuser", jUsername);
123    
124                    if (PropsValues.PORTAL_JAAS_ENABLE) {
125                            String redirect = PortalUtil.getPathMain().concat(
126                                    "/portal/protected");
127    
128                            if (PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
129                                    String autoLoginRedirect = (String)request.getAttribute(
130                                            AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
131    
132                                    redirect = redirect.concat("?redirect=");
133    
134                                    if (Validator.isNotNull(autoLoginRedirect)) {
135                                            redirect = redirect.concat(autoLoginRedirect);
136                                    }
137                                    else {
138                                            redirect = redirect.concat(
139                                                    PortalUtil.getCurrentCompleteURL(request));
140                                    }
141                            }
142    
143                            response.sendRedirect(redirect);
144                    }
145    
146                    return jUsername;
147            }
148    
149            @Override
150            protected void processFilter(
151                            HttpServletRequest request, HttpServletResponse response,
152                            FilterChain filterChain)
153                    throws Exception {
154    
155                    HttpSession session = request.getSession();
156    
157                    String host = PortalUtil.getHost(request);
158    
159                    if (PortalInstances.isAutoLoginIgnoreHost(host)) {
160                            if (_log.isDebugEnabled()) {
161                                    _log.debug("Ignore host " + host);
162                            }
163    
164                            processFilter(
165                                    AutoLoginFilter.class, request, response, filterChain);
166    
167                            return;
168                    }
169    
170                    String contextPath = PortalUtil.getPathContext();
171    
172                    String path = StringUtil.toLowerCase(request.getRequestURI());
173    
174                    if (!contextPath.equals(StringPool.SLASH) &&
175                            path.contains(contextPath)) {
176    
177                            path = path.substring(contextPath.length());
178                    }
179    
180                    if (PortalInstances.isAutoLoginIgnorePath(path)) {
181                            if (_log.isDebugEnabled()) {
182                                    _log.debug("Ignore path " + path);
183                            }
184    
185                            processFilter(
186                                    AutoLoginFilter.class, request, response, filterChain);
187    
188                            return;
189                    }
190    
191                    String remoteUser = request.getRemoteUser();
192                    String jUserName = (String)session.getAttribute("j_username");
193    
194                    // PLACEHOLDER 01
195                    // PLACEHOLDER 02
196                    // PLACEHOLDER 03
197                    // PLACEHOLDER 04
198                    // PLACEHOLDER 05
199    
200                    if (!PropsValues.AUTH_LOGIN_DISABLED &&
201                            (remoteUser == null) && (jUserName == null)) {
202    
203                            for (AutoLogin autoLogin : _autoLogins) {
204                                    try {
205                                            String[] credentials = autoLogin.login(request, response);
206    
207                                            String redirect = (String)request.getAttribute(
208                                                    AutoLogin.AUTO_LOGIN_REDIRECT);
209    
210                                            if (Validator.isNotNull(redirect)) {
211                                                    response.sendRedirect(redirect);
212    
213                                                    return;
214                                            }
215    
216                                            String loginRemoteUser = getLoginRemoteUser(
217                                                    request, response, session, credentials);
218    
219                                            if (loginRemoteUser != null) {
220                                                    request = new ProtectedServletRequest(
221                                                            request, loginRemoteUser);
222    
223                                                    if (PropsValues.PORTAL_JAAS_ENABLE) {
224                                                            return;
225                                                    }
226    
227                                                    if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
228                                                            redirect = Portal.PATH_MAIN;
229                                                    }
230                                                    else {
231                                                            redirect = (String)request.getAttribute(
232                                                                    AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
233                                                    }
234    
235                                                    if (Validator.isNotNull(redirect)) {
236                                                            response.sendRedirect(redirect);
237    
238                                                            return;
239                                                    }
240                                            }
241                                    }
242                                    catch (Exception e) {
243                                            StringBundler sb = new StringBundler(4);
244    
245                                            sb.append("Current URL ");
246    
247                                            String currentURL = PortalUtil.getCurrentURL(request);
248    
249                                            sb.append(currentURL);
250    
251                                            sb.append(" generates exception: ");
252                                            sb.append(e.getMessage());
253    
254                                            if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
255                                                    if (_log.isWarnEnabled()) {
256                                                            _log.warn(sb.toString());
257                                                    }
258                                            }
259                                            else {
260                                                    _log.error(sb.toString());
261                                            }
262                                    }
263                            }
264                    }
265    
266                    processFilter(AutoLoginFilter.class, request, response, filterChain);
267            }
268    
269            private static final String _PATH_CHAT_LATEST = "/-/chat/latest";
270    
271            private static final Log _log = LogFactoryUtil.getLog(
272                    AutoLoginFilter.class);
273    
274            private static final List<AutoLogin> _autoLogins =
275                    new CopyOnWriteArrayList<>();
276    
277            private final ServiceTracker<?, AutoLogin> _serviceTracker;
278    
279            private class AutoLoginServiceTrackerCustomizer
280                    implements ServiceTrackerCustomizer<AutoLogin, AutoLogin> {
281    
282                    @Override
283                    public AutoLogin addingService(
284                            ServiceReference<AutoLogin> serviceReference) {
285    
286                            Registry registry = RegistryUtil.getRegistry();
287    
288                            AutoLogin autoLogin = registry.getService(serviceReference);
289    
290                            if (autoLogin == null) {
291                                    return null;
292                            }
293    
294                            _autoLogins.add(autoLogin);
295    
296                            return autoLogin;
297                    }
298    
299                    @Override
300                    public void modifiedService(
301                            ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
302                    }
303    
304                    @Override
305                    public void removedService(
306                            ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
307    
308                            Registry registry = RegistryUtil.getRegistry();
309    
310                            registry.ungetService(serviceReference);
311    
312                            _autoLogins.remove(autoLogin);
313                    }
314    
315            }
316    
317    }