001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
030    
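/**
 * Checks and issues session-bound authentication tokens. Every token lives in
 * the HTTP session under {@link WebKeys#AUTHENTICATION_TOKEN} concatenated
 * with a key: the CSRF token uses the fixed key {@value #_CSRF}, a portlet
 * invocation token uses the portlet's primary key (see
 * {@link PortletPermissionUtil#getPrimaryKey(long, String)}).
 *
 * <p>
 * Token comparisons go through {@link #_isEqual(String, String)}, which runs
 * in constant time so that the duration of a failed check does not reveal how
 * much of the submitted value matched.
 * </p>
 *
 * @author Amos Fong
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * @deprecated As of 7.0.0, replaced by {@link #checkCSRFToken(
	 *             HttpServletRequest, String)} with the security portlet
	 *             container as origin
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Verifies that the request carries the session's CSRF token, unless the
	 * check is disabled or one of the whitelists exempts the request.
	 *
	 * <p>
	 * The submitted token is read from the {@code p_auth} parameter and, when
	 * that is blank, from the {@code X-CSRF-Token} header. The session token is
	 * looked up without creating it, so a session that holds no CSRF token yet
	 * fails the check.
	 * </p>
	 *
	 * @param  request the request to check
	 * @param  origin the name of the component performing the check; portlet
	 *         level whitelisting is only consulted when this is
	 *         {@link SecurityPortletContainerWrapper}
	 * @throws PrincipalException if checking is enabled, no whitelist applies,
	 *         and the submitted token does not match the session token
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
				companyId, origin)) {

			return;
		}

		// Portlet level whitelisting only makes sense for checks issued by the
		// portlet container, where p_p_id identifies the target portlet. The
		// constant is the receiver so a null origin compares false instead of
		// throwing.

		if (SecurityPortletContainerWrapper.class.getName().equals(origin)) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			String portletNamespace = PortalUtil.getPortletNamespace(ppid);

			String strutsAction = ParamUtil.getString(
				request, portletNamespace + "struts_action");

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					companyId, ppid, strutsAction)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Never create the token on the check path: a missing session token
		// must fail the check rather than be satisfied by a fresh value

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		if (!_isEqual(csrfToken, sessionToken)) {
			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session's CSRF token, generating and storing one if the
	 * session does not hold one yet.
	 *
	 * @param  request the request whose session holds the token
	 * @return the CSRF token
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's invocation token for the given portlet instance,
	 * generating and storing one if the session does not hold one yet.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the primary key of the layout
	 * @param  portletId the portlet ID
	 * @return the portlet invocation token
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether the submitted value is an acceptable invocation token for
	 * the given portlet instance: either the invocation is whitelisted, or the
	 * value matches the token stored in the session for that portlet.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the primary key of the layout
	 * @param  portletId the portlet ID
	 * @param  strutsAction the Struts action being invoked, used for
	 *         whitelisting
	 * @param  tokenValue the submitted token, may be blank
	 * @return {@code true} if the invocation is whitelisted or the token
	 *         matches; {@code false} otherwise, including when the session
	 *         holds no token (the token is never created here)
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				companyId, portletId, strutsAction)) {

			return true;
		}

		if (Validator.isNotNull(tokenValue)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			if (Validator.isNotNull(sessionToken) &&
				_isEqual(tokenValue, sessionToken)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Looks up the token stored under {@link WebKeys#AUTHENTICATION_TOKEN}
	 * plus {@code key}, walking down through request wrappers until a non-blank
	 * value is found.
	 *
	 * <p>
	 * If no wrapper level holds a token, the search falls through to the
	 * innermost (unwrapped) request. NOTE(review): the session used for
	 * storing a newly created token is the one obtained from the last wrapper
	 * inspected, not from the unwrapped request; this presumably relies on
	 * wrappers delegating {@code getSession()} to the same underlying session
	 * — confirm if a wrapper in the chain overrides it.
	 * </p>
	 *
	 * @param  request the request whose session (chain) is searched
	 * @param  key the token key suffix
	 * @param  createToken whether to generate and store a token of length
	 *         {@link PropsValues#AUTH_TOKEN_LENGTH} when none is stored
	 * @return the stored or newly created token, or {@code null} if none is
	 *         stored and {@code createToken} is {@code false}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		// Only reached without a session when the request was not wrapped at
		// all; wrapped requests keep the session of the last wrapper visited

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a submitted token with the expected one in constant time, so
	 * that the time taken by a failed comparison does not depend on how many
	 * leading characters matched.
	 *
	 * @param  submitted the value received from the client, may be {@code
	 *         null}
	 * @param  expected the value held in the session, may be {@code null}
	 * @return {@code true} if both values are non-null and equal; {@code
	 *         false} otherwise
	 */
	private static boolean _isEqual(String submitted, String expected) {
		if ((submitted == null) || (expected == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			submitted.getBytes(StandardCharsets.UTF_8),
			expected.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

}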