015 package com.liferay.portal.servlet.filters.autologin;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
020 import com.liferay.portal.kernel.security.auto.login.AutoLogin;
021 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
022 import com.liferay.portal.kernel.util.GetterUtil;
023 import com.liferay.portal.kernel.util.StringBundler;
024 import com.liferay.portal.kernel.util.StringPool;
025 import com.liferay.portal.kernel.util.StringUtil;
026 import com.liferay.portal.kernel.util.Validator;
027 import com.liferay.portal.kernel.util.WebKeys;
028 import com.liferay.portal.model.User;
029 import com.liferay.portal.security.pwd.PasswordEncryptorUtil;
030 import com.liferay.portal.service.UserLocalServiceUtil;
031 import com.liferay.portal.servlet.filters.BasePortalFilter;
032 import com.liferay.portal.util.Portal;
033 import com.liferay.portal.util.PortalInstances;
034 import com.liferay.portal.util.PortalUtil;
035 import com.liferay.portal.util.PropsValues;
036 import com.liferay.registry.Registry;
037 import com.liferay.registry.RegistryUtil;
038 import com.liferay.registry.ServiceReference;
039 import com.liferay.registry.ServiceTracker;
040 import com.liferay.registry.ServiceTrackerCustomizer;
041
042 import java.util.List;
043 import java.util.concurrent.CopyOnWriteArrayList;
044
045 import javax.servlet.FilterChain;
046 import javax.servlet.http.HttpServletRequest;
047 import javax.servlet.http.HttpServletResponse;
048 import javax.servlet.http.HttpSession;
049
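/**
 * Servlet filter that lets registered {@link AutoLogin} services sign a user
 * in transparently on a request that carries no authenticated user yet.
 *
 * <p>The filter trusts the credentials an {@link AutoLogin} returns:
 * {@link #getLoginRemoteUser} only looks the user up, rejects locked-out
 * accounts and seeds the session with the login attributes. No password
 * verification is performed in this class, so every registered
 * {@link AutoLogin} is effectively an authentication authority and has to be
 * reviewed as such.
 *
 * <p>Registered {@link AutoLogin} services are discovered through the registry
 * and kept in a static copy-on-write list that is shared by all instances of
 * this filter.
 */
public class AutoLoginFilter extends BasePortalFilter {

	/**
	 * Starts tracking {@link AutoLogin} services so that they are added to and
	 * removed from {@link #_autoLogins} as they are registered and unregistered.
	 */
	public AutoLoginFilter() {
		Registry registry = RegistryUtil.getRegistry();

		_serviceTracker = registry.trackServices(
			AutoLogin.class, new AutoLoginServiceTrackerCustomizer());

		_serviceTracker.open();
	}

	/**
	 * Establishes the session state for the user described by the credentials
	 * an {@link AutoLogin} returned.
	 *
	 * <p>The user is identified solely by the numeric ID in
	 * {@code credentials[0]}; the password in {@code credentials[1]} is stored
	 * for downstream login handling but is not verified here.
	 *
	 * @param  request the current request
	 * @param  response the current response; receives a redirect to the
	 *         protected path when JAAS is enabled
	 * @param  session the current session; only the local reference is
	 *         replaced when phishing protection renews the session
	 * @param  credentials {@code {userId, password, encrypted}} where
	 *         {@code encrypted} is a boolean string telling whether
	 *         {@code password} is already encrypted, or {@code null} when the
	 *         auto login did not authenticate anyone
	 * @return the user ID (as a string) that was logged in, or {@code null}
	 *         when the credentials are missing or malformed, the user does not
	 *         exist, or the account is locked out
	 * @throws Exception if renewing the session, encrypting the password or
	 *         sending the redirect fails
	 */
	protected String getLoginRemoteUser(
			HttpServletRequest request, HttpServletResponse response,
			HttpSession session, String[] credentials)
		throws Exception {

		// Exactly three elements are expected; anything else is not a login
		if ((credentials == null) || (credentials.length != 3)) {
			return null;
		}

		String jUsername = credentials[0];
		String jPassword = credentials[1];
		boolean encPassword = GetterUtil.getBoolean(credentials[2]);

		if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
			return null;
		}

		// The "username" must be a positive numeric user ID; non-numeric
		// values parse to 0 and are rejected
		long userId = GetterUtil.getLong(jUsername);

		if (userId <= 0) {
			return null;
		}

		User user = UserLocalServiceUtil.fetchUserById(userId);

		// A locked-out account must not be auto logged in either
		if ((user == null) || user.isLockout()) {
			return null;
		}

		if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
			AuthenticatedSessionManagerUtil.signOutSimultaneousLogins(userId);
		}

		// Presumably replaces the pre-authentication session so that a
		// session ID known before login is not carried over — confirm against
		// AuthenticatedSessionManagerUtil.renewSession
		if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
			session = AuthenticatedSessionManagerUtil.renewSession(
				request, session);
		}

		session.setAttribute("j_username", jUsername);

		// j_password always holds the encrypted form. The stored password is
		// handed to the encryptor, presumably so that the same algorithm and
		// salt are used — verify against PasswordEncryptorUtil.
		if (encPassword) {
			session.setAttribute("j_password", jPassword);
		}
		else {
			session.setAttribute(
				"j_password",
				PasswordEncryptorUtil.encrypt(jPassword, user.getPassword()));

			// NOTE(review): this keeps the plain-text password in the HTTP
			// session for the lifetime of the session; it is only done when
			// the portal is explicitly configured to store passwords.
			if (PropsValues.SESSION_STORE_PASSWORD) {
				session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
			}
		}

		session.setAttribute("j_remoteuser", jUsername);

		if (PropsValues.PORTAL_JAAS_ENABLE) {
			String redirect = PortalUtil.getPathMain().concat(
				"/portal/protected");

			if (PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
				String autoLoginRedirect = (String)request.getAttribute(
					AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);

				redirect = redirect.concat("?redirect=");

				// NOTE(review): the redirect target is appended as a raw query
				// value; neither URL encoding nor target validation is visible
				// here, so any checking must happen in the protected servlet.
				if (Validator.isNotNull(autoLoginRedirect)) {
					redirect = redirect.concat(autoLoginRedirect);
				}
				else {
					redirect = redirect.concat(
						PortalUtil.getCurrentCompleteURL(request));
				}
			}

			response.sendRedirect(redirect);
		}

		return jUsername;
	}

	/**
	 * Runs every registered {@link AutoLogin} against the request when no user
	 * is authenticated yet, then continues the filter chain.
	 *
	 * <p>Auto login is skipped for hosts and paths configured to be ignored
	 * and when login is disabled. The first {@link AutoLogin} that either asks
	 * for a redirect or produces a logged-in user ends the loop; an exception
	 * thrown by one {@link AutoLogin} is logged and the next one is tried.
	 *
	 * @param  request the current request; wrapped in a
	 *         {@link ProtectedServletRequest} once a user is logged in so that
	 *         the remote user is visible downstream
	 * @param  response the current response
	 * @param  filterChain the remaining filter chain
	 * @throws Exception if a redirect cannot be sent or the chain fails
	 */
	@Override
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		HttpSession session = request.getSession();

		String host = PortalUtil.getHost(request);

		if (PortalInstances.isAutoLoginIgnoreHost(host)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Ignore host " + host);
			}

			processFilter(
				AutoLoginFilter.class.getName(), request, response,
				filterChain);

			return;
		}

		String contextPath = PortalUtil.getPathContext();

		String path = StringUtil.toLowerCase(request.getRequestURI());

		// The context path is stripped by length, which is only correct when
		// it is a prefix of the URI; startsWith makes that precondition explicit
		// instead of relying on contains()
		if (!contextPath.equals(StringPool.SLASH) &&
			path.startsWith(contextPath)) {

			path = path.substring(contextPath.length());
		}

		if (PortalInstances.isAutoLoginIgnorePath(path)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Ignore path " + path);
			}

			processFilter(
				AutoLoginFilter.class.getName(), request, response,
				filterChain);

			return;
		}

		String remoteUser = request.getRemoteUser();
		String jUserName = (String)session.getAttribute("j_username");

		// Only attempt an auto login when login is enabled and neither the
		// container nor a previous login has already identified the user
		if (!PropsValues.AUTH_LOGIN_DISABLED &&
			(remoteUser == null) && (jUserName == null)) {

			for (AutoLogin autoLogin : _autoLogins) {
				try {
					String[] credentials = autoLogin.login(request, response);

					// An AutoLogin may request a redirect (e.g. to an external
					// identity provider) instead of returning credentials
					String redirect = (String)request.getAttribute(
						AutoLogin.AUTO_LOGIN_REDIRECT);

					if (Validator.isNotNull(redirect)) {
						response.sendRedirect(redirect);

						return;
					}

					String loginRemoteUser = getLoginRemoteUser(
						request, response, session, credentials);

					if (loginRemoteUser != null) {
						request = new ProtectedServletRequest(
							request, loginRemoteUser);

						// getLoginRemoteUser already sent the JAAS redirect
						if (PropsValues.PORTAL_JAAS_ENABLE) {
							return;
						}

						if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
							redirect = Portal.PATH_MAIN;
						}
						else {
							redirect = (String)request.getAttribute(
								AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
						}

						if (Validator.isNotNull(redirect)) {
							response.sendRedirect(redirect);

							return;
						}
					}
				}
				catch (Exception e) {
					StringBundler sb = new StringBundler(4);

					sb.append("Current URL ");

					String currentURL = PortalUtil.getCurrentURL(request);

					sb.append(currentURL);

					sb.append(" generates exception: ");
					sb.append(e.getMessage());

					// Chat polling requests are presumably frequent enough that
					// failures there are downgraded to warnings. The exception
					// is passed along so the stack trace is not lost.
					if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
						if (_log.isWarnEnabled()) {
							_log.warn(sb.toString(), e);
						}
					}
					else {
						_log.error(sb.toString(), e);
					}
				}
			}
		}

		processFilter(
			AutoLoginFilter.class.getName(), request, response, filterChain);
	}

	private static final String _PATH_CHAT_LATEST = "/-/chat/latest";

	private static final Log _log = LogFactoryUtil.getLog(
		AutoLoginFilter.class);

	// Shared by every filter instance; copy-on-write so iteration in
	// processFilter is unaffected by concurrent registry updates
	private static final List<AutoLogin> _autoLogins =
		new CopyOnWriteArrayList<>();

	private final ServiceTracker<?, AutoLogin> _serviceTracker;

	/**
	 * Mirrors registered {@link AutoLogin} services into {@link #_autoLogins}.
	 * Static because it touches only static state and holds no reference to
	 * the enclosing filter.
	 */
	private static class AutoLoginServiceTrackerCustomizer
		implements ServiceTrackerCustomizer<AutoLogin, AutoLogin> {

		@Override
		public AutoLogin addingService(
			ServiceReference<AutoLogin> serviceReference) {

			Registry registry = RegistryUtil.getRegistry();

			AutoLogin autoLogin = registry.getService(serviceReference);

			// Returning null tells the tracker not to track this reference
			if (autoLogin == null) {
				return null;
			}

			_autoLogins.add(autoLogin);

			return autoLogin;
		}

		@Override
		public void modifiedService(
			ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
		}

		@Override
		public void removedService(
			ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {

			Registry registry = RegistryUtil.getRegistry();

			registry.ungetService(serviceReference);

			_autoLogins.remove(autoLogin);
		}

	}

}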