001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.security.access.control.AccessControlThreadLocal;
022    import com.liferay.portal.kernel.util.MethodHandler;
023    import com.liferay.portal.kernel.util.MethodKey;
024    import com.liferay.portal.kernel.util.ObjectValuePair;
025    import com.liferay.portal.kernel.util.ProtectedClassLoaderObjectInputStream;
026    import com.liferay.portal.security.auth.HttpPrincipal;
027    import com.liferay.portal.util.PortalUtil;
028    
029    import java.io.IOException;
030    import java.io.ObjectInputStream;
031    import java.io.ObjectOutputStream;
032    
033    import java.lang.reflect.InvocationTargetException;
034    
035    import javax.servlet.ServletException;
036    import javax.servlet.http.HttpServlet;
037    import javax.servlet.http.HttpServletRequest;
038    import javax.servlet.http.HttpServletResponse;
039    
040    /**
041     * @author Michael Weisser
042     * @author Brian Wing Shun Chan
043     */
044    public class TunnelServlet extends HttpServlet {
045    
046            @Override
047            public void doPost(HttpServletRequest request, HttpServletResponse response)
048                    throws IOException {
049    
050                    ObjectInputStream ois = null;
051    
052                    Thread thread = Thread.currentThread();
053    
054                    try {
055                            ois = new ProtectedClassLoaderObjectInputStream(
056                                    request.getInputStream(), thread.getContextClassLoader());
057                    }
058                    catch (IOException ioe) {
059                            if (_log.isWarnEnabled()) {
060                                    _log.warn(ioe, ioe);
061                            }
062    
063                            return;
064                    }
065    
066                    Object returnObj = null;
067    
068                    boolean remoteAccess = AccessControlThreadLocal.isRemoteAccess();
069    
070                    try {
071                            AccessControlThreadLocal.setRemoteAccess(true);
072    
073                            ObjectValuePair<HttpPrincipal, MethodHandler> ovp =
074                                    (ObjectValuePair<HttpPrincipal, MethodHandler>)ois.readObject();
075    
076                            MethodHandler methodHandler = ovp.getValue();
077    
078                            if (methodHandler != null) {
079                                    MethodKey methodKey = methodHandler.getMethodKey();
080    
081                                    if (!isValidRequest(methodKey.getDeclaringClass())) {
082                                            return;
083                                    }
084    
085                                    returnObj = methodHandler.invoke();
086                            }
087                    }
088                    catch (InvocationTargetException ite) {
089                            returnObj = ite.getCause();
090    
091                            if (!(returnObj instanceof PortalException)) {
092                                    _log.error(ite, ite);
093    
094                                    if (returnObj != null) {
095                                            Throwable throwable = (Throwable)returnObj;
096    
097                                            returnObj = new SystemException(throwable.getMessage());
098                                    }
099                                    else {
100                                            returnObj = new SystemException();
101                                    }
102                            }
103                    }
104                    catch (Exception e) {
105                            _log.error(e, e);
106                    }
107                    finally {
108                            AccessControlThreadLocal.setRemoteAccess(remoteAccess);
109                    }
110    
111                    if (returnObj != null) {
112                            try (ObjectOutputStream oos = new ObjectOutputStream(
113                                            response.getOutputStream())) {
114    
115                                    oos.writeObject(returnObj);
116                            }
117                            catch (IOException ioe) {
118                                    _log.error(ioe, ioe);
119    
120                                    throw ioe;
121                            }
122                    }
123            }
124    
125            @Override
126            protected void doGet(
127                            HttpServletRequest request, HttpServletResponse response)
128                    throws IOException, ServletException {
129    
130                    PortalUtil.sendError(
131                            HttpServletResponse.SC_NOT_FOUND,
132                            new IllegalArgumentException("The GET method is not supported"),
133                            request, response);
134            }
135    
136            protected boolean isValidRequest(Class<?> clazz) {
137                    String className = clazz.getName();
138    
139                    if (className.contains(".service.") &&
140                            className.endsWith("ServiceUtil") &&
141                            !className.endsWith("LocalServiceUtil")) {
142    
143                            return true;
144                    }
145                    else {
146                            return false;
147                    }
148            }
149    
150            private static final Log _log = LogFactoryUtil.getLog(TunnelServlet.class);
151    
152    }