015 package com.liferay.portal.servlet.filters.authverifier;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
020 import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
021 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
022 import com.liferay.portal.kernel.util.GetterUtil;
023 import com.liferay.portal.kernel.util.Http;
024 import com.liferay.portal.kernel.util.HttpUtil;
025 import com.liferay.portal.kernel.util.MapUtil;
026 import com.liferay.portal.kernel.util.StringBundler;
027 import com.liferay.portal.kernel.util.StringPool;
028 import com.liferay.portal.kernel.util.StringUtil;
029 import com.liferay.portal.kernel.util.Validator;
030 import com.liferay.portal.security.auth.AccessControlContext;
031 import com.liferay.portal.security.auth.AuthVerifierPipeline;
032 import com.liferay.portal.servlet.filters.BasePortalFilter;
033 import com.liferay.portal.util.PropsUtil;
035 import java.io.IOException;
037 import java.util.Enumeration;
038 import java.util.HashMap;
039 import java.util.HashSet;
040 import java.util.Map;
041 import java.util.Properties;
042 import java.util.Set;
044 import javax.servlet.FilterChain;
045 import javax.servlet.FilterConfig;
046 import javax.servlet.http.HttpServletRequest;
047 import javax.servlet.http.HttpServletResponse;
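/**
 * Servlet filter that runs the auth verifier pipeline on every request it is
 * mapped to.
 *
 * <p>Per request the filter (1) rejects the request with 403 unless
 * {@code AccessControlUtil.isAccessAllowed} accepts it against the configured
 * host allow-list, (2) redirects to HTTPS when {@code https.required} is set
 * and the request is not secure, and (3) initializes the access control
 * context and verifies the request. Only a
 * {@link AuthVerifierResult.State#SUCCESS} result continues the filter chain,
 * and then with a {@link ProtectedServletRequest} carrying the verified user
 * id and auth type. Every other state stops the chain here.
 *
 * <p>Configuration comes from the filter's init parameters, overlaid with the
 * portal properties selected by the {@code portal_property_prefix} init
 * parameter (a portal property overwrites an init parameter of the same
 * name). The keys {@code hosts.allowed}, {@code https.required} and
 * {@code use_permission_checker} are consumed by this filter and removed; the
 * remaining entries are handed to
 * {@code AccessControlUtil.initAccessControlContext} unchanged.
 */
public class AuthVerifierFilter extends BasePortalFilter {

	/**
	 * Collects the filter configuration into {@link #_initParametersMap},
	 * {@link #_hostsAllowed} and {@link #_httpsRequired}.
	 *
	 * @param filterConfig the container supplied filter configuration
	 */
	@Override
	public void init(FilterConfig filterConfig) {
		super.init(filterConfig);

		_copyInitParameters(filterConfig);

		String portalPropertyPrefix = GetterUtil.getString(
			_initParametersMap.get("portal_property_prefix"));

		if (Validator.isNotNull(portalPropertyPrefix)) {
			_overlayPortalProperties(portalPropertyPrefix);
		}

		_consumeFilterSettings();
	}

	/**
	 * Verifies the request and, on success, continues the filter chain as the
	 * verified user.
	 *
	 * @param request the current request
	 * @param response the current response
	 * @param filterChain the chain to continue on a successful verification
	 * @throws Exception if the host check, the redirect or the downstream
	 *         chain fails
	 */
	@Override
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		// Both helpers have already written the response when they stop the
		// request (403 and redirect respectively), so a plain return is enough.
		if (!_isAccessAllowed(request, response)) {
			return;
		}

		if (_isApplySSL(request, response)) {
			return;
		}

		AccessControlUtil.initAccessControlContext(
			request, response, _initParametersMap);

		AuthVerifierResult.State state = AccessControlUtil.verifyRequest();

		AccessControlContext accessControlContext =
			AccessControlUtil.getAccessControlContext();

		AuthVerifierResult authVerifierResult =
			accessControlContext.getAuthVerifierResult();

		if (_log.isDebugEnabled()) {
			_log.debug("Auth verifier result " + authVerifierResult);
		}

		if (state == AuthVerifierResult.State.INVALID_CREDENTIALS) {

			// The chain is not continued, and nothing is written to the
			// response here either. NOTE(review): presumably the verifier that
			// rejected the credentials has already written its challenge or
			// error to the response -- confirm, otherwise the client gets an
			// empty reply.

			if (_log.isDebugEnabled()) {
				_log.debug("Result state doesn't allow us to continue.");
			}
		}
		else if (state == AuthVerifierResult.State.NOT_APPLICABLE) {
			_log.error("Invalid state " + state);
		}
		else if (state == AuthVerifierResult.State.SUCCESS) {
			_continueAsVerifiedUser(
				request, response, filterChain, accessControlContext,
				authVerifierResult);
		}
		else {
			_log.error("Unimplemented state " + state);
		}
	}

	/**
	 * Consumes the settings this filter handles itself ({@code hosts.allowed},
	 * {@code https.required}, {@code use_permission_checker}) and removes them
	 * from {@link #_initParametersMap} so they are not passed downstream.
	 */
	private void _consumeFilterSettings() {
		if (_initParametersMap.containsKey("hosts.allowed")) {
			String hostsAllowedString = (String)_initParametersMap.remove(
				"hosts.allowed");

			for (String hostAllowed : StringUtil.split(hostsAllowedString)) {
				_hostsAllowed.add(hostAllowed);
			}
		}

		if (_initParametersMap.containsKey("https.required")) {
			_httpsRequired = GetterUtil.getBoolean(
				_initParametersMap.remove("https.required"));
		}

		if (_initParametersMap.containsKey("use_permission_checker")) {
			_initParametersMap.remove("use_permission_checker");

			if (_log.isWarnEnabled()) {
				_log.warn("use_permission_checker is deprecated");
			}
		}
	}

	/**
	 * Continues the filter chain as the verified user: registers the user in
	 * the access control context and replaces the request with a
	 * {@link ProtectedServletRequest} built from the user id and the auth type
	 * reported by the pipeline settings.
	 */
	private void _continueAsVerifiedUser(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain, AccessControlContext accessControlContext,
			AuthVerifierResult authVerifierResult)
		throws Exception {

		long userId = authVerifierResult.getUserId();

		AccessControlUtil.initContextUser(userId);

		String authType = MapUtil.getString(
			accessControlContext.getSettings(),
			AuthVerifierPipeline.AUTH_TYPE);

		ProtectedServletRequest protectedServletRequest =
			new ProtectedServletRequest(
				request, String.valueOf(userId), authType);

		// Downstream code must see the wrapped request, so the context is
		// updated before the chain is continued with it.
		accessControlContext.setRequest(protectedServletRequest);

		processFilter(
			getClass(), protectedServletRequest, response, filterChain);
	}

	/**
	 * Copies every init parameter of the filter into
	 * {@link #_initParametersMap}.
	 */
	private void _copyInitParameters(FilterConfig filterConfig) {
		Enumeration<String> names = filterConfig.getInitParameterNames();

		while (names.hasMoreElements()) {
			String name = names.nextElement();

			_initParametersMap.put(name, filterConfig.getInitParameter(name));
		}
	}

	/**
	 * Checks the request against the host allow-list. A denied request is
	 * answered with 403 and a warning is logged.
	 *
	 * @return <code>true</code> if the request may proceed;
	 *         <code>false</code> if the 403 has been sent
	 * @throws IOException if the error response cannot be written
	 */
	private boolean _isAccessAllowed(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		// remoteAddr is only used for log and error messages here; the
		// decision itself is made by AccessControlUtil against _hostsAllowed.
		// NOTE(review): getRemoteAddr() is the peer address as the container
		// reports it; behind a proxy that rewrites it from forwarded headers
		// the logged value may be client-influenced -- confirm the deployment.
		String remoteAddr = request.getRemoteAddr();

		if (AccessControlUtil.isAccessAllowed(request, _hostsAllowed)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Access allowed for " + remoteAddr);
			}

			return true;
		}

		if (_log.isWarnEnabled()) {
			_log.warn("Access denied for " + remoteAddr);
		}

		response.sendError(
			HttpServletResponse.SC_FORBIDDEN, "Access denied for " + remoteAddr);

		return false;
	}

	/**
	 * Redirects a non-secure request to its HTTPS equivalent when
	 * {@code https.required} is enabled.
	 *
	 * @return <code>true</code> if a redirect has been sent and processing
	 *         must stop; <code>false</code> if no redirect is needed
	 * @throws IOException if the redirect cannot be written
	 */
	private boolean _isApplySSL(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		if (!_httpsRequired || request.isSecure()) {
			return false;
		}

		if (_log.isDebugEnabled()) {
			_log.debug("Securing " + HttpUtil.getCompleteURL(request));
		}

		// NOTE(review): getServerName() is derived from the Host header the
		// client sent, so the redirect target mirrors that header; confirm the
		// container or front proxy validates Host. Only getServletPath() is
		// appended -- if this filter is mapped so that getPathInfo() is
		// non-null, that part of the path is dropped by the redirect; confirm.
		StringBundler redirectURL = new StringBundler(5);

		redirectURL.append(Http.HTTPS_WITH_SLASH);
		redirectURL.append(request.getServerName());
		redirectURL.append(request.getServletPath());

		String queryString = request.getQueryString();

		// Reuse the value read above rather than asking the request again.
		if (Validator.isNotNull(queryString)) {
			redirectURL.append(StringPool.QUESTION);
			redirectURL.append(queryString);
		}

		if (_log.isDebugEnabled()) {
			_log.debug("Redirect to " + redirectURL);
		}

		response.sendRedirect(redirectURL.toString());

		return true;
	}

	/**
	 * Overlays the portal properties selected by the given prefix onto
	 * {@link #_initParametersMap}; a property overwrites an init parameter of
	 * the same name.
	 */
	private void _overlayPortalProperties(String portalPropertyPrefix) {
		Properties properties = PropsUtil.getProperties(
			portalPropertyPrefix, true);

		for (Map.Entry<Object, Object> entry : properties.entrySet()) {
			_initParametersMap.put((String)entry.getKey(), entry.getValue());
		}
	}

	private static final Log _log = LogFactoryUtil.getLog(
		AuthVerifierFilter.class.getName());

	// Hosts from "hosts.allowed", handed to AccessControlUtil.isAccessAllowed.
	private final Set<String> _hostsAllowed = new HashSet<>();

	// Set from "https.required"; when true, non-secure requests are redirected.
	private boolean _httpsRequired;

	// Init parameters plus portal properties, minus the keys consumed in
	// _consumeFilterSettings; passed to initAccessControlContext as settings.
	private final Map<String, Object> _initParametersMap = new HashMap<>();

}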