015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
030
031
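/**
 * {@link AuthToken} implementation that keeps its tokens in the HTTP session.
 *
 * <p>Each token is stored as a session attribute whose name is
 * {@link WebKeys#AUTHENTICATION_TOKEN} followed by a purpose-specific key:
 * {@value #_CSRF} for the CSRF token and the portlet primary key for portlet
 * invocation tokens. Submitted values are compared against the stored value
 * with {@link MessageDigest#isEqual(byte[], byte[])}, so the time taken by a
 * failed comparison does not depend on how many leading characters of the
 * submitted value were correct.</p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Checks the CSRF token on behalf of the portlet container origin.
	 *
	 * @deprecated Replaced by {@link #checkCSRFToken(HttpServletRequest,
	 *             String)}
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Verifies that the request carries the CSRF token stored in its session.
	 *
	 * <p>The check is skipped when {@link PropsValues#AUTH_TOKEN_CHECK_ENABLED}
	 * is {@code false}, when the {@code p_auth_secret} parameter is a valid
	 * shared secret, when {@code origin} is whitelisted for the request's
	 * company, or, for the portlet container origin, when the target portlet's
	 * struts action is whitelisted. Otherwise the token is read from the
	 * {@code p_auth} parameter, falling back to the {@code X-CSRF-Token}
	 * header, and must equal the session's CSRF token. A missing or empty
	 * token on either side never matches.</p>
	 *
	 * @param  request the request to check
	 * @param  origin the caller requesting the check, matched against the
	 *         CSRF origin whitelist
	 * @throws PrincipalException if the submitted token is missing or does not
	 *         match the session token
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
				companyId, origin)) {

			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			String portletNamespace = PortalUtil.getPortletNamespace(ppid);

			String strutsAction = ParamUtil.getString(
				request, portletNamespace + "struts_action");

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					companyId, ppid, strutsAction)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Never create a token here: a request that arrives before a token was
		// issued must fail rather than mint the token it is then checked
		// against

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		if (!_isTokenEqual(sessionToken, csrfToken)) {
			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session's CSRF token, generating and storing one if the
	 * session has none yet.
	 *
	 * @param  request the request whose session holds the token
	 * @return the CSRF token
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's invocation token for the given portlet instance,
	 * generating and storing one if the session has none yet.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout (page) ID the portlet is placed on
	 * @param  portletId the portlet ID
	 * @return the portlet invocation token
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether {@code tokenValue} authorizes invoking the given portlet
	 * action.
	 *
	 * <p>Whitelisted portlet/struts action pairs are accepted without a token.
	 * Otherwise {@code tokenValue} must be non-empty and equal the invocation
	 * token stored in the session for this portlet instance; no token is
	 * created by this check.</p>
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout (page) ID the portlet is placed on
	 * @param  portletId the portlet ID
	 * @param  strutsAction the struts action being invoked, matched against
	 *         the portlet invocation whitelist
	 * @param  tokenValue the token submitted with the request
	 * @return {@code true} if the invocation is whitelisted or the token
	 *         matches; {@code false} otherwise
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				companyId, portletId, strutsAction)) {

			return true;
		}

		if (Validator.isNull(tokenValue)) {
			return false;
		}

		String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

		String sessionToken = getSessionAuthenticationToken(
			request, key, false);

		return _isTokenEqual(sessionToken, tokenValue);
	}

	/**
	 * Returns the token stored in the session under {@code key}, optionally
	 * generating and storing one when none exists.
	 *
	 * <p>The request may be wrapped several times. Each wrapper's session is
	 * consulted in turn and the first non-empty token wins; the session of the
	 * unwrapped request itself is only read when the request was not wrapped
	 * at all. {@code getSession()} creates a session when the request has
	 * none, so even a lookup with {@code createToken == false} may start a
	 * session.</p>
	 *
	 * @param  request the request whose session holds the token
	 * @param  key the purpose-specific suffix appended to
	 *         {@link WebKeys#AUTHENTICATION_TOKEN}
	 * @param  createToken whether to generate and store a new token when the
	 *         session has none
	 * @return the token, or {@code null} if the session holds none and
	 *         {@code createToken} is {@code false}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		// NOTE(review): when wrappers were traversed without finding a token,
		// "session" is the last wrapper's session and the innermost request's
		// session is not consulted; a new token is then stored in that session

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a stored token with a submitted one in constant time.
	 *
	 * <p>A {@code null} or empty value on either side never matches, so a
	 * request carrying no token cannot be validated against an absent session
	 * token.</p>
	 *
	 * @param  expected the token stored in the session
	 * @param  actual the token submitted with the request
	 * @return {@code true} if both are non-empty and identical
	 */
	private static boolean _isTokenEqual(String expected, String actual) {
		if (Validator.isNull(expected) || Validator.isNull(actual)) {
			return false;
		}

		// MessageDigest.isEqual does not stop at the first differing byte, so
		// the comparison time does not reveal a partial match

		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

}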