001
014
015 package com.liferay.portal.servlet;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.exception.SystemException;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.security.access.control.AccessControlThreadLocal;
022 import com.liferay.portal.kernel.util.MethodHandler;
023 import com.liferay.portal.kernel.util.MethodKey;
024 import com.liferay.portal.kernel.util.ObjectValuePair;
025 import com.liferay.portal.kernel.util.ProtectedClassLoaderObjectInputStream;
026 import com.liferay.portal.security.auth.HttpPrincipal;
027 import com.liferay.portal.util.PortalUtil;
028
029 import java.io.IOException;
030 import java.io.ObjectInputStream;
031 import java.io.ObjectOutputStream;
032
033 import java.lang.reflect.InvocationTargetException;
034
035 import javax.servlet.ServletException;
036 import javax.servlet.http.HttpServlet;
037 import javax.servlet.http.HttpServletRequest;
038 import javax.servlet.http.HttpServletResponse;
039
040
044 public class TunnelServlet extends HttpServlet {
045
046 @Override
047 public void doPost(HttpServletRequest request, HttpServletResponse response)
048 throws IOException {
049
050 ObjectInputStream ois = null;
051
052 Thread thread = Thread.currentThread();
053
054 try {
055 ois = new ProtectedClassLoaderObjectInputStream(
056 request.getInputStream(), thread.getContextClassLoader());
057 }
058 catch (IOException ioe) {
059 if (_log.isWarnEnabled()) {
060 _log.warn(ioe, ioe);
061 }
062
063 return;
064 }
065
066 Object returnObj = null;
067
068 boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();
069
070 try {
071 AccessControlThreadLocal.setRemoteAccess(true);
072
073 ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
074 (ObjectValuePair<HttpPrincipal, MethodHandler>)ois.readObject();
075
076 MethodHandler methodHandler = ovp.getValue();
077
078 if (methodHandler != null) {
079 MethodKey methodKey = methodHandler.getMethodKey();
080
081 if (!isValidRequest(methodKey.getDeclaringClass())) {
082 return;
083 }
084
085 returnObj = methodHandler.invoke();
086 }
087 }
088 catch (InvocationTargetException ite) {
089 returnObj = ite.getCause();
090
091 if (!(returnObj instanceof PortalException)) {
092 _log.error(ite, ite);
093
094 if (returnObj != null) {
095 Throwable throwable = (Throwable)returnObj;
096
097 returnObj = new SystemException(throwable.getMessage());
098 }
099 else {
100 returnObj = new SystemException();
101 }
102 }
103 }
104 catch (Exception e) {
105 _log.error(e, e);
106 }
107 finally {
108 AccessControlThreadLocal.setRemoteAccess(remoteAccess);
109 }
110
111 if (returnObj != null) {
112 try (ObjectOutputStream oos = new ObjectOutputStream(
113 response.getOutputStream())) {
114
115 oos.writeObject(returnObj);
116 }
117 catch (IOException ioe) {
118 _log.error(ioe, ioe);
119
120 throw ioe;
121 }
122 }
123 }
124
125 @Override
126 protected void doGet(
127 HttpServletRequest request, HttpServletResponse response)
128 throws IOException, ServletException {
129
130 PortalUtil.sendError(
131 HttpServletResponse.SC_NOT_FOUND,
132 new IllegalArgumentException("The GET method is not supported"),
133 request, response);
134 }
135
136 protected boolean isValidRequest(Class<?> clazz) {
137 String className = clazz.getName();
138
139 if (className.contains(".service.") &&
140 className.endsWith("ServiceUtil") &&
141 !className.endsWith("LocalServiceUtil")) {
142
143 return true;
144 }
145 else {
146 return false;
147 }
148 }
149
150 private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);
151
152 }