001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.io.ProtectedObjectInputStream;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.security.access.control.AccessControlThreadLocal;
023    import com.liferay.portal.kernel.util.MethodHandler;
024    import com.liferay.portal.kernel.util.MethodKey;
025    import com.liferay.portal.kernel.util.ObjectValuePair;
026    import com.liferay.portal.security.auth.HttpPrincipal;
027    import com.liferay.portal.util.PortalUtil;
028    
029    import java.io.IOException;
030    import java.io.ObjectInputStream;
031    import java.io.ObjectOutputStream;
032    
033    import java.lang.reflect.InvocationTargetException;
034    
035    import javax.servlet.ServletException;
036    import javax.servlet.http.HttpServlet;
037    import javax.servlet.http.HttpServletRequest;
038    import javax.servlet.http.HttpServletResponse;
039    
040    /**
041     * @author Michael Weisser
042     * @author Brian Wing Shun Chan
043     */
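public class TunnelServlet extends HttpServlet {

	/**
	 * Executes a tunneled service call and writes the result back to the
	 * caller as a Java-serialized object.
	 *
	 * <p>
	 * The request body is read through a {@link ProtectedObjectInputStream}
	 * and is expected to hold an
	 * {@code ObjectValuePair<HttpPrincipal, MethodHandler>}. The handler is
	 * invoked only when the declaring class of its method key passes
	 * {@link #isValidRequest(Class)}. The thread's remote access flag is set to
	 * {@code true} for the duration of the call and restored afterwards.
	 * </p>
	 *
	 * <p>
	 * Security notes for maintainers:
	 * </p>
	 *
	 * <ul>
	 * <li>
	 * {@code readObject()} runs before {@link #isValidRequest(Class)}, so that
	 * check cannot constrain what is instantiated during deserialization. At
	 * that stage the only guard is whatever class filtering
	 * {@code ProtectedObjectInputStream} applies, which is not visible in this
	 * class.
	 * </li>
	 * <li>
	 * The {@code HttpPrincipal} half of the pair is never read here.
	 * NOTE(review): authentication and authorization of the caller are
	 * presumably enforced by a filter or by the invoked service. Confirm
	 * against the servlet mapping.
	 * </li>
	 * <li>
	 * When the invoked method throws something other than a
	 * {@code PortalException}, the original cause is logged server side and
	 * the caller receives a new {@code SystemException} built from its message
	 * only.
	 * </li>
	 * </ul>
	 *
	 * @param  request the HTTP request whose body carries the serialized call
	 * @param  response the HTTP response that receives the serialized result;
	 *         nothing is written when there is no result
	 * @throws IOException if the result cannot be written to the response
	 */
	@Override
	public void doPost(HttpServletRequest request, HttpServletResponse response)
		throws IOException {

		ObjectInputStream ois = null;

		try {
			ois = new ProtectedObjectInputStream(request.getInputStream());
		}
		catch (IOException ioe) {

			// An unreadable stream header is treated as a bad request: it is
			// logged at warn level and no response body is produced

			if (_log.isWarnEnabled()) {
				_log.warn(ioe, ioe);
			}

			return;
		}

		Object returnObj = null;

		// Remember the previous flag so the finally block can restore it

		boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();

		try {
			AccessControlThreadLocal.setRemoteAccess(true);

			ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
				(ObjectValuePair<HttpPrincipal, MethodHandler>)ois.readObject();

			MethodHandler methodHandler = ovp.getValue();

			if (methodHandler != null) {
				MethodKey methodKey = methodHandler.getMethodKey();

				Class<?> declaringClass = null;

				if (methodKey != null) {
					declaringClass = methodKey.getDeclaringClass();
				}

				if ((declaringClass == null) ||
					!isValidRequest(declaringClass)) {

					// Leave a trace of denied calls. Previously these were
					// dropped silently (or surfaced only as a
					// NullPointerException), which hid probing of the
					// endpoint from operators.

					if (_log.isWarnEnabled()) {
						String targetName = "an unresolved class";

						if (declaringClass != null) {
							targetName = declaringClass.getName();
						}

						_log.warn(
							"Rejected tunnel invocation on " + targetName +
								" from " + request.getRemoteAddr());
					}

					return;
				}

				returnObj = methodHandler.invoke();
			}
		}
		catch (InvocationTargetException ite) {
			returnObj = ite.getCause();

			if (!(returnObj instanceof PortalException)) {
				_log.error(ite, ite);

				// Send back only the message, not the original throwable

				if (returnObj != null) {
					Throwable throwable = (Throwable)returnObj;

					returnObj = new SystemException(throwable.getMessage());
				}
				else {
					returnObj = new SystemException();
				}
			}
		}
		catch (Exception e) {

			// Covers deserialization failures and unexpected payload types.
			// The caller gets an empty response.

			_log.error(e, e);
		}
		finally {
			AccessControlThreadLocal.setRemoteAccess(remoteAccess);
		}

		if (returnObj != null) {
			try (ObjectOutputStream oos = new ObjectOutputStream(
					response.getOutputStream())) {

				oos.writeObject(returnObj);
			}
			catch (IOException ioe) {
				_log.error(ioe, ioe);

				throw ioe;
			}
		}
	}

	/**
	 * Rejects GET requests with a 404 response. Only POST is served by this
	 * servlet.
	 *
	 * @param  request the HTTP request
	 * @param  response the HTTP response that receives the error
	 * @throws IOException if the error response cannot be sent
	 * @throws ServletException if the error response cannot be sent
	 */
	@Override
	protected void doGet(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException, ServletException {

		PortalUtil.sendError(
			HttpServletResponse.SC_NOT_FOUND,
			new IllegalArgumentException("The GET method is not supported"),
			request, response);
	}

	/**
	 * Returns <code>true</code> if methods of the class may be invoked through
	 * the tunnel.
	 *
	 * <p>
	 * The decision is based purely on the fully qualified class name: it must
	 * contain <code>.service.</code>, end with <code>ServiceUtil</code>, and
	 * not end with <code>LocalServiceUtil</code>. This is a naming convention
	 * check rather than an explicit allowlist, so every class on the class
	 * path that matches the pattern is accepted. Subclasses may override this
	 * method to apply a stricter policy.
	 * </p>
	 *
	 * @param  clazz the declaring class of the requested method; must not be
	 *         <code>null</code>
	 * @return <code>true</code> if the class name matches the remote service
	 *         naming pattern; <code>false</code> otherwise
	 */
	protected boolean isValidRequest(Class<?> clazz) {
		String className = clazz.getName();

		return className.contains(".service.") &&
			className.endsWith("ServiceUtil") &&
			!className.endsWith("LocalServiceUtil");
	}

	private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);

}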