015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.concurrent.ConcurrentHashSet;
018 import com.liferay.portal.kernel.log.Log;
019 import com.liferay.portal.kernel.log.LogFactoryUtil;
020 import com.liferay.portal.kernel.portlet.LiferayPortletURL;
021 import com.liferay.portal.kernel.security.pacl.DoPrivileged;
022 import com.liferay.portal.kernel.util.CharPool;
023 import com.liferay.portal.kernel.util.ParamUtil;
024 import com.liferay.portal.kernel.util.PropsKeys;
025 import com.liferay.portal.kernel.util.Validator;
026 import com.liferay.portal.model.Layout;
027 import com.liferay.portal.model.Portlet;
028 import com.liferay.portal.model.PortletConstants;
029 import com.liferay.portal.service.LayoutLocalServiceUtil;
030 import com.liferay.portal.service.PortletLocalServiceUtil;
031 import com.liferay.portal.util.PortalUtil;
032
033 import java.util.Set;
034
035 import javax.servlet.http.HttpServletRequest;
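/**
 * Whitelists Struts portlet actions for two checks: the CSRF auth token check
 * (actions tracked under {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS}) and the
 * portlet invocation check (actions tracked under
 * {@link PropsKeys#PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS}).
 *
 * <p>The action name is read from the {@code struts_action} parameter of the
 * request or portlet URL. An action is only accepted when it is both present
 * in the corresponding whitelist <em>and</em> its Struts path belongs to the
 * portlet being invoked (see {@link #isValidStrutsAction}), so a whitelisted
 * action name cannot be used to bypass the check for an unrelated portlet.
 *
 * <p>Both whitelists are {@link ConcurrentHashSet}s, so the lookups here are
 * safe while the tracked services update them.
 */
@DoPrivileged
public class StrutsPortletAuthTokenWhitelist extends BaseAuthTokenWhitelist {

	public StrutsPortletAuthTokenWhitelist() {
		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS, _portletCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS);

		trackWhitelistServices(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS,
			_portletInvocationWhitelist);

		registerPortalProperty(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);
	}

	/**
	 * Returns the Struts actions exempt from the CSRF auth token check.
	 *
	 * @deprecated Exposes the internal, mutable whitelist directly
	 */
	@Deprecated
	@Override
	public Set<String> getPortletCSRFWhitelistActions() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the Struts actions exempt from the portlet invocation check.
	 *
	 * @deprecated Exposes the internal, mutable whitelist directly
	 */
	@Deprecated
	@Override
	public Set<String> getPortletInvocationWhitelistActions() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Returns <code>true</code> if the namespaced {@code struts_action} of the
	 * request is CSRF whitelisted for the portlet.
	 *
	 * @param  request the request carrying the namespaced action parameter
	 * @param  portlet the portlet being invoked
	 * @return <code>true</code> if the action is whitelisted and its Struts
	 *         path belongs to the portlet's root portlet
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		String portletId = portlet.getPortletId();

		String strutsAction = _getNamespacedStrutsAction(request, portletId);

		if (Validator.isNull(strutsAction)) {
			return false;
		}

		// The action is validated against the root portlet, so instances of
		// the same portlet share one whitelist entry

		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		return _isWhitelisted(
			_portletCSRFWhitelist, portlet.getCompanyId(), rootPortletId,
			strutsAction);
	}

	/**
	 * Returns <code>true</code> if the {@code struts_action} of the request is
	 * whitelisted for invoking the portlet.
	 *
	 * @param  request the request carrying the action parameter, either
	 *         namespaced or bare
	 * @param  portlet the portlet being invoked
	 * @return <code>true</code> if the action is whitelisted and its Struts
	 *         path belongs to the portlet
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		String portletId = portlet.getPortletId();

		String strutsAction = _getNamespacedStrutsAction(request, portletId);

		// Unlike the CSRF check, the invocation check also accepts the action
		// without the portlet namespace prefix

		if (Validator.isNull(strutsAction)) {
			strutsAction = ParamUtil.getString(request, "struts_action");
		}

		if (Validator.isNull(strutsAction)) {
			return false;
		}

		// NOTE(review): this check resolves the portlet by its full id while the
		// CSRF check uses the root portlet id; presumably deliberate, confirm

		return _isWhitelisted(
			_portletInvocationWhitelist, portlet.getCompanyId(), portletId,
			strutsAction);
	}

	/**
	 * Returns <code>true</code> if the {@code struts_action} parameter of the
	 * portlet URL is CSRF whitelisted for the portlet the URL targets.
	 *
	 * @param  liferayPortletURL the portlet URL
	 * @return <code>true</code> if the action is whitelisted, the URL's layout
	 *         exists and the action's Struts path belongs to the root portlet
	 */
	@Override
	public boolean isPortletURLCSRFWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		String strutsAction = liferayPortletURL.getParameter("struts_action");

		if (Validator.isBlank(strutsAction) ||
			!_portletCSRFWhitelist.contains(strutsAction)) {

			return false;
		}

		// The whitelist lookup comes first so the layout is only fetched for
		// actions that can actually be whitelisted

		Layout layout = _fetchLayout(liferayPortletURL);

		if (layout == null) {
			return false;
		}

		String rootPortletId = PortletConstants.getRootPortletId(
			liferayPortletURL.getPortletId());

		// The company is resolved through the URL's layout, mirroring the
		// request based check which uses the portlet's company

		return isValidStrutsAction(
			layout.getCompanyId(), rootPortletId, strutsAction);
	}

	/**
	 * Returns <code>true</code> if the {@code struts_action} parameter of the
	 * portlet URL is whitelisted for invoking the portlet the URL targets.
	 *
	 * @param  liferayPortletURL the portlet URL
	 * @return <code>true</code> if the action is whitelisted, the URL's layout
	 *         exists and the action's Struts path belongs to the portlet
	 */
	@Override
	public boolean isPortletURLPortletInvocationWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		String strutsAction = liferayPortletURL.getParameter("struts_action");

		if (Validator.isBlank(strutsAction) ||
			!_portletInvocationWhitelist.contains(strutsAction)) {

			return false;
		}

		Layout layout = _fetchLayout(liferayPortletURL);

		if (layout == null) {
			return false;
		}

		return isValidStrutsAction(
			layout.getCompanyId(), liferayPortletURL.getPortletId(),
			strutsAction);
	}

	/**
	 * Returns <code>true</code> if the Struts action belongs to the portlet.
	 *
	 * <p>The action is expected to have the form {@code /strutsPath/action};
	 * the part between the leading slash and the last slash must equal the
	 * portlet's Struts path or its parent Struts path. Actions without such a
	 * path part, unknown portlets and any lookup failure all yield
	 * <code>false</code>, so the check fails closed.
	 *
	 * @param  companyId the company the portlet is looked up in
	 * @param  portletId the portlet ID
	 * @param  strutsAction the Struts action, e.g. {@code /login/login}
	 * @return <code>true</code> if the action's Struts path is the portlet's
	 *         own or parent Struts path
	 */
	protected boolean isValidStrutsAction(
		long companyId, String portletId, String strutsAction) {

		if (strutsAction == null) {
			return false;
		}

		int pos = strutsAction.lastIndexOf(CharPool.SLASH);

		// No path part (no slash, or only the leading one) can never match a
		// Struts path, so there is no need to look the portlet up

		if (pos < 1) {
			return false;
		}

		String strutsPath = strutsAction.substring(1, pos);

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, portletId);

			if (portlet == null) {
				return false;
			}

			if (strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath())) {

				return true;
			}
		}
		catch (Exception e) {

			// A failed lookup is treated as "not whitelisted"; only logged at
			// debug level to keep the check quiet under normal operation

			if (_log.isDebugEnabled()) {
				_log.debug(e, e);
			}
		}

		return false;
	}

	/**
	 * Fetches the layout the portlet URL targets, logging at debug level when
	 * it does not exist.
	 */
	private Layout _fetchLayout(LiferayPortletURL liferayPortletURL) {
		long plid = liferayPortletURL.getPlid();

		Layout layout = LayoutLocalServiceUtil.fetchLayout(plid);

		if ((layout == null) && _log.isDebugEnabled()) {
			_log.debug("Unable to load layout " + plid);
		}

		return layout;
	}

	/**
	 * Reads the {@code struts_action} parameter prefixed with the portlet's
	 * namespace from the request.
	 */
	private String _getNamespacedStrutsAction(
		HttpServletRequest request, String portletId) {

		String namespace = PortalUtil.getPortletNamespace(portletId);

		return ParamUtil.getString(request, namespace + "struts_action");
	}

	/**
	 * Returns <code>true</code> if the action is in the whitelist and its
	 * Struts path belongs to the portlet; the whitelist membership is checked
	 * first so the portlet is only looked up for candidate actions.
	 */
	private boolean _isWhitelisted(
		Set<String> whitelist, long companyId, String portletId,
		String strutsAction) {

		if (!whitelist.contains(strutsAction)) {
			return false;
		}

		return isValidStrutsAction(companyId, portletId, strutsAction);
	}

	private static final Log _log = LogFactoryUtil.getLog(
		StrutsPortletAuthTokenWhitelist.class);

	private final Set<String> _portletCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletInvocationWhitelist =
		new ConcurrentHashSet<>();

}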