001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.action;
016    
017    import com.liferay.portal.exception.NoSuchUserException;
018    import com.liferay.portal.exception.UserLockoutException;
019    import com.liferay.portal.exception.UserPasswordException;
020    import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
021    import com.liferay.portal.kernel.servlet.SessionErrors;
022    import com.liferay.portal.kernel.util.Constants;
023    import com.liferay.portal.kernel.util.ParamUtil;
024    import com.liferay.portal.kernel.util.Validator;
025    import com.liferay.portal.kernel.util.WebKeys;
026    import com.liferay.portal.model.Company;
027    import com.liferay.portal.model.CompanyConstants;
028    import com.liferay.portal.model.Ticket;
029    import com.liferay.portal.model.TicketConstants;
030    import com.liferay.portal.model.User;
031    import com.liferay.portal.security.auth.AuthTokenUtil;
032    import com.liferay.portal.security.auth.PrincipalException;
033    import com.liferay.portal.security.pwd.PwdToolkitUtilThreadLocal;
034    import com.liferay.portal.service.CompanyLocalServiceUtil;
035    import com.liferay.portal.service.TicketLocalServiceUtil;
036    import com.liferay.portal.service.UserLocalServiceUtil;
037    import com.liferay.portal.theme.ThemeDisplay;
038    import com.liferay.portal.util.PortalUtil;
039    import com.liferay.portal.util.PropsValues;
040    
041    import javax.servlet.http.HttpServletRequest;
042    import javax.servlet.http.HttpServletResponse;
043    import javax.servlet.http.HttpSession;
044    
045    import org.apache.struts.action.Action;
046    import org.apache.struts.action.ActionForm;
047    import org.apache.struts.action.ActionForward;
048    import org.apache.struts.action.ActionMapping;
049    
050    /**
051     * @author Brian Wing Shun Chan
052     * @author Mika Koivisto
053     */
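/**
 * Struts action behind the portal's "update password" page.
 *
 * <p>Without a command parameter it renders the form (after a lockout check
 * when a password ticket is present). With a command it applies the new
 * password either to the signed-in user or to the user referenced by a
 * password-reset ticket, then redirects to the (escaped) referer.
 *
 * <p>Ordering that matters for security and should not be changed lightly:
 * <ul>
 * <li>{@link #updatePassword} checks the CSRF token before touching the
 * password;</li>
 * <li>{@link #getTicket} only honours {@code TicketConstants.TYPE_PASSWORD}
 * tickets that have not expired, and deletes expired ones;</li>
 * <li>the post-update redirect target goes through
 * {@code PortalUtil.escapeRedirect} so the referer cannot be abused as an
 * open redirect.</li>
 * </ul>
 *
 * @author Brian Wing Shun Chan
 * @author Mika Koivisto
 */
public class UpdatePasswordAction extends Action {

	/**
	 * Dispatches between rendering the form and applying the password change.
	 *
	 * @param  actionMapping the Struts mapping used to resolve forwards
	 * @param  actionForm unused
	 * @param  request the current request; the ticket (or {@code null}) is
	 *         exposed to the view as {@code WebKeys.TICKET}
	 * @param  response the current response
	 * @return the form or error forward, or {@code null} after a redirect or
	 *         after an error has already been written by
	 *         {@code PortalUtil.sendError}
	 * @throws Exception if the ticket's user cannot be loaded while rendering
	 *         the form
	 */
	@Override
	public ActionForward execute(
			ActionMapping actionMapping, ActionForm actionForm,
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
			WebKeys.THEME_DISPLAY);

		Ticket ticket = getTicket(request);

		request.setAttribute(WebKeys.TICKET, ticket);

		String cmd = ParamUtil.getString(request, Constants.CMD);

		if (Validator.isNull(cmd)) {
			return showForm(actionMapping, request, ticket);
		}

		try {
			updatePassword(request, response, themeDisplay, ticket);

			// The redirect stays inside the try so an I/O failure here is
			// reported through sendError like any other failure.
			response.sendRedirect(getRedirect(request, themeDisplay));

			return null;
		}
		catch (UserPasswordException upe) {
			// Recoverable: redisplay the form with the error attached.
			SessionErrors.add(request, upe.getClass(), upe);

			return actionMapping.findForward("portal.update_password");
		}
		catch (NoSuchUserException nsue) {
			return forwardToError(actionMapping, request, nsue);
		}
		catch (PrincipalException pe) {
			return forwardToError(actionMapping, request, pe);
		}
		catch (Exception e) {
			PortalUtil.sendError(e, request, response);

			return null;
		}
	}

	/**
	 * Resolves the password ticket named by the {@code ticketKey} parameter.
	 *
	 * @param  request the current request
	 * @return the ticket if it exists, is of type
	 *         {@code TicketConstants.TYPE_PASSWORD} and has not expired;
	 *         {@code null} otherwise, including when the lookup itself fails
	 */
	protected Ticket getTicket(HttpServletRequest request) {
		String ticketKey = ParamUtil.getString(request, "ticketKey");

		if (Validator.isNull(ticketKey)) {
			return null;
		}

		try {
			Ticket ticket = TicketLocalServiceUtil.fetchTicket(ticketKey);

			// A key that resolves to some other ticket type is treated as
			// absent; only password tickets may drive this action.
			if ((ticket == null) ||
				(ticket.getType() != TicketConstants.TYPE_PASSWORD)) {

				return null;
			}

			if (!ticket.isExpired()) {
				return ticket;
			}

			// An expired ticket is never returned; remove it so the key
			// cannot be presented again.
			TicketLocalServiceUtil.deleteTicket(ticket);
		}
		catch (Exception ignored) {
			// Best effort by design: a failed lookup or cleanup is handled
			// exactly like a missing ticket, so the caller falls back to the
			// signed-in user rather than failing the request.
		}

		return null;
	}

	/**
	 * Returns whether the password toolkit should validate the new password.
	 * The result is fed to {@code PwdToolkitUtilThreadLocal.setValidate} by
	 * {@link #updatePassword}.
	 *
	 * @param  request the current request
	 * @return {@code false} only when the session carries
	 *         {@code WebKeys.SETUP_WIZARD_PASSWORD_UPDATED} set to
	 *         {@code true}; {@code true} otherwise
	 */
	protected boolean isValidatePassword(HttpServletRequest request) {
		HttpSession session = request.getSession();

		Boolean setupWizardPasswordUpdated = (Boolean)session.getAttribute(
			WebKeys.SETUP_WIZARD_PASSWORD_UPDATED);

		// null and FALSE both mean "validate"; only an explicit TRUE skips it.
		return !Boolean.TRUE.equals(setupWizardPasswordUpdated);
	}

	/**
	 * Applies the new password after verifying the CSRF token.
	 *
	 * <p>With a ticket, the ticket's user is updated, the ticket is consumed,
	 * the user is logged in with the new password and the password-reset flag
	 * is cleared. Without a ticket, the current user from the theme display is
	 * updated and, if {@code PropsValues.SESSION_STORE_PASSWORD} is enabled,
	 * the new password replaces the one held in the session.
	 *
	 * @param  request the current request, carrying {@code password1} and
	 *         {@code password2}
	 * @param  response the current response (used for the post-ticket login)
	 * @param  themeDisplay the theme display, used for the user id when no
	 *         ticket is present
	 * @param  ticket the password ticket, or {@code null}
	 * @throws Exception if the CSRF check, the password update, or the login
	 *         fails
	 */
	protected void updatePassword(
			HttpServletRequest request, HttpServletResponse response,
			ThemeDisplay themeDisplay, Ticket ticket)
		throws Exception {

		// Must run before any state change: this is a password-changing POST.
		AuthTokenUtil.checkCSRFToken(
			request, UpdatePasswordAction.class.getName());

		long userId = 0;

		if (ticket != null) {
			userId = ticket.getClassPK();
		}
		else {
			userId = themeDisplay.getUserId();
		}

		String password1 = request.getParameter("password1");
		String password2 = request.getParameter("password2");

		// The toolkit validation flag is thread-local; restore whatever the
		// caller had set, even if the update throws.
		boolean previousValidate = PwdToolkitUtilThreadLocal.isValidate();

		try {
			PwdToolkitUtilThreadLocal.setValidate(isValidatePassword(request));

			// passwordReset is always false here; the ticket branch below
			// clears the flag explicitly after the login.
			UserLocalServiceUtil.updatePassword(
				userId, password1, password2, false);
		}
		finally {
			PwdToolkitUtilThreadLocal.setValidate(previousValidate);
		}

		if (ticket != null) {
			// Consume the ticket first so it cannot be reused.
			TicketLocalServiceUtil.deleteTicket(ticket);

			User user = UserLocalServiceUtil.getUser(userId);

			Company company = CompanyLocalServiceUtil.getCompanyById(
				user.getCompanyId());

			// NOTE(review): login stays null for any auth type other than
			// EA/SN/ID; what AuthenticatedSessionManagerUtil.login does with a
			// null login is not visible here.
			String login = getLogin(user, userId, company.getAuthType());

			AuthenticatedSessionManagerUtil.login(
				request, response, login, password1, false, null);

			UserLocalServiceUtil.updatePasswordReset(userId, false);
		}
		else if (PropsValues.SESSION_STORE_PASSWORD) {
			// The portal is configured to keep the plain-text password in the
			// session; keep that copy in step with the new password.
			HttpSession session = request.getSession();

			session.setAttribute(WebKeys.USER_PASSWORD, password1);
		}
	}

	/**
	 * Forwards to the error page after recording the exception type in the
	 * session errors.
	 */
	private ActionForward forwardToError(
		ActionMapping actionMapping, HttpServletRequest request, Exception e) {

		SessionErrors.add(request, e.getClass());

		return actionMapping.findForward("portal.error");
	}

	/**
	 * Picks the login name matching the company's authentication type.
	 *
	 * @return the email address, screen name or user id as a string, or
	 *         {@code null} when {@code authType} is none of the three
	 */
	private String getLogin(User user, long userId, String authType) {
		if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
			return user.getEmailAddress();
		}
		else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
			return user.getScreenName();
		}
		else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
			return String.valueOf(userId);
		}

		return null;
	}

	/**
	 * Computes the post-update redirect: the escaped referer when one is
	 * supplied and survives escaping, otherwise the portal's main path.
	 */
	private String getRedirect(
		HttpServletRequest request, ThemeDisplay themeDisplay) {

		String redirect = ParamUtil.getString(request, WebKeys.REFERER);

		if (Validator.isNotNull(redirect)) {
			// Rejects off-site targets; may yield an empty string.
			redirect = PortalUtil.escapeRedirect(redirect);
		}

		if (Validator.isNull(redirect)) {
			redirect = themeDisplay.getPathMain();
		}

		return redirect;
	}

	/**
	 * Renders the form. When a ticket is present, the ticket's user is
	 * checked for lockout and flagged for a password reset; a lockout is
	 * surfaced as a session error rather than aborting the page.
	 *
	 * @throws Exception if the ticket's user cannot be loaded
	 */
	private ActionForward showForm(
			ActionMapping actionMapping, HttpServletRequest request,
			Ticket ticket)
		throws Exception {

		if (ticket != null) {
			User user = UserLocalServiceUtil.getUser(ticket.getClassPK());

			try {
				UserLocalServiceUtil.checkLockout(user);

				UserLocalServiceUtil.updatePasswordReset(
					user.getUserId(), true);
			}
			catch (UserLockoutException ule) {
				SessionErrors.add(request, ule.getClass(), ule);
			}
		}

		return actionMapping.findForward("portal.update_password");
	}

}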