001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.struts;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.json.JSONFactoryUtil;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
022    import com.liferay.portal.kernel.servlet.HttpHeaders;
023    import com.liferay.portal.kernel.servlet.ServletContextPool;
024    import com.liferay.portal.kernel.util.ClassUtil;
025    import com.liferay.portal.kernel.util.ContentTypes;
026    import com.liferay.portal.kernel.util.GetterUtil;
027    import com.liferay.portal.kernel.util.ParamUtil;
028    import com.liferay.portal.kernel.util.SetUtil;
029    import com.liferay.portal.kernel.util.StringBundler;
030    import com.liferay.portal.kernel.util.StringPool;
031    import com.liferay.portal.kernel.util.Validator;
032    import com.liferay.portal.kernel.util.WebKeys;
033    import com.liferay.portal.security.auth.AuthTokenUtil;
034    import com.liferay.portal.servlet.SharedSessionServletRequest;
035    import com.liferay.portal.util.PortalUtil;
036    import com.liferay.portal.util.PropsValues;
037    
038    import java.io.OutputStream;
039    
040    import java.util.Set;
041    
042    import javax.servlet.RequestDispatcher;
043    import javax.servlet.ServletContext;
044    import javax.servlet.http.HttpServletRequest;
045    import javax.servlet.http.HttpServletResponse;
046    
047    import org.apache.struts.action.Action;
048    import org.apache.struts.action.ActionForm;
049    import org.apache.struts.action.ActionForward;
050    import org.apache.struts.action.ActionMapping;
051    
052    /**
053     * @author Ming-Gih Lam
054     * @author Brian Wing Shun Chan
055     * @author Tomas Polesovsky
056     */
057    public abstract class JSONAction extends Action {
058    
059            @Override
060            public ActionForward execute(
061                            ActionMapping actionMapping, ActionForm actionForm,
062                            HttpServletRequest request, HttpServletResponse response)
063                    throws Exception {
064    
065                    if (rerouteExecute(request, response)) {
066                            return null;
067                    }
068    
069                    String callback = ParamUtil.getString(request, "callback");
070    
071                    String json = null;
072    
073                    try {
074                            checkAuthToken(request);
075    
076                            json = getJSON(actionMapping, actionForm, request, response);
077    
078                            if (Validator.isNotNull(callback)) {
079                                    StringBundler sb = new StringBundler(5);
080    
081                                    sb.append("/**/");
082                                    sb.append(callback);
083                                    sb.append(StringPool.OPEN_PARENTHESIS);
084                                    sb.append(json);
085                                    sb.append(StringPool.CLOSE_PARENTHESIS);
086    
087                                    json = sb.toString();
088                            }
089                    }
090                    catch (SecurityException se) {
091                            if (_log.isWarnEnabled()) {
092                                    _log.warn(se.getMessage());
093                            }
094    
095                            json = JSONFactoryUtil.serializeThrowable(se);
096                    }
097                    catch (Exception e) {
098                            _log.error(e, e);
099    
100                            PortalUtil.sendError(
101                                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
102                                    response);
103    
104                            return null;
105                    }
106    
107                    boolean refresh = ParamUtil.getBoolean(request, "refresh");
108    
109                    if (refresh) {
110                            return actionMapping.findForward(ActionConstants.COMMON_REFERER);
111                    }
112                    else if (Validator.isNotNull(json)) {
113                            response.setCharacterEncoding(StringPool.UTF8);
114                            response.setContentType(ContentTypes.APPLICATION_JSON);
115                            response.setHeader(
116                                    HttpHeaders.CACHE_CONTROL,
117                                    HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
118    
119                            try (OutputStream outputStream = response.getOutputStream()) {
120                                    byte[] bytes = json.getBytes(StringPool.UTF8);
121    
122                                    outputStream.write(bytes);
123                            }
124                    }
125    
126                    return null;
127            }
128    
129            public abstract String getJSON(
130                            ActionMapping actionMapping, ActionForm actionForm,
131                            HttpServletRequest request, HttpServletResponse response)
132                    throws Exception;
133    
134            public void setServletContext(ServletContext servletContext) {
135                    _servletContext = servletContext;
136            }
137    
138            protected void checkAuthToken(HttpServletRequest request)
139                    throws PortalException {
140    
141                    String authType = GetterUtil.getString(request.getAuthType());
142    
143                    // Support for the legacy JSON API at /c/portal/json_service
144    
145                    if (AccessControlUtil.getAccessControlContext() == null) {
146                            if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
147                                    authType.equals(HttpServletRequest.DIGEST_AUTH)) {
148    
149                                    return;
150                            }
151                    }
152                    else {
153    
154                            // The new web service should only check auth tokens when the user
155                            // is authenticated using portal session cookies
156    
157                            if (!authType.equals(HttpServletRequest.FORM_AUTH)) {
158                                    return;
159                            }
160                    }
161    
162                    if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
163                            if (!AccessControlUtil.isAccessAllowed(request, _hostsAllowed)) {
164                                    AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
165                            }
166                    }
167            }
168    
169            protected String getCSRFOrigin(HttpServletRequest request) {
170                    return ClassUtil.getClassName(this);
171            }
172    
173            protected String getReroutePath() {
174                    return null;
175            }
176    
177            protected boolean rerouteExecute(
178                            HttpServletRequest request, HttpServletResponse response)
179                    throws Exception {
180    
181                    String reroutePath = getReroutePath();
182    
183                    if (Validator.isNull(reroutePath)) {
184                            return false;
185                    }
186    
187                    String requestServletContextName = ParamUtil.getString(
188                            request, "servletContextName");
189    
190                    if (Validator.isNull(requestServletContextName)) {
191                            return false;
192                    }
193    
194                    ServletContext servletContext = _servletContext;
195    
196                    if (servletContext == null) {
197                            servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
198                    }
199    
200                    String servletContextName = GetterUtil.getString(
201                            servletContext.getServletContextName());
202    
203                    if (servletContextName.equals(requestServletContextName)) {
204                            return false;
205                    }
206    
207                    ServletContext requestServletContext = ServletContextPool.get(
208                            requestServletContextName);
209    
210                    if (requestServletContext == null) {
211                            return false;
212                    }
213    
214                    RequestDispatcher requestDispatcher =
215                            requestServletContext.getRequestDispatcher(reroutePath);
216    
217                    if (requestDispatcher == null) {
218                            return false;
219                    }
220    
221                    requestDispatcher.forward(
222                            new SharedSessionServletRequest(request, true), response);
223    
224                    return true;
225            }
226    
227            private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
228    
229            private final Set<String> _hostsAllowed = SetUtil.fromArray(
230                    PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
231            private ServletContext _servletContext;
232    
233    }