001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.struts;
016    
017    import com.liferay.portal.exception.LayoutPermissionException;
018    import com.liferay.portal.exception.PortletActiveException;
019    import com.liferay.portal.exception.UserActiveException;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.portlet.FriendlyURLMapper;
023    import com.liferay.portal.kernel.servlet.DynamicServletRequest;
024    import com.liferay.portal.kernel.servlet.HttpMethods;
025    import com.liferay.portal.kernel.servlet.SessionErrors;
026    import com.liferay.portal.kernel.struts.LastPath;
027    import com.liferay.portal.kernel.util.CharPool;
028    import com.liferay.portal.kernel.util.GetterUtil;
029    import com.liferay.portal.kernel.util.HttpUtil;
030    import com.liferay.portal.kernel.util.JavaConstants;
031    import com.liferay.portal.kernel.util.ParamUtil;
032    import com.liferay.portal.kernel.util.PropsKeys;
033    import com.liferay.portal.kernel.util.StringBundler;
034    import com.liferay.portal.kernel.util.StringPool;
035    import com.liferay.portal.kernel.util.StringUtil;
036    import com.liferay.portal.kernel.util.Validator;
037    import com.liferay.portal.kernel.util.WebKeys;
038    import com.liferay.portal.liveusers.LiveUsers;
039    import com.liferay.portal.model.Layout;
040    import com.liferay.portal.model.LayoutConstants;
041    import com.liferay.portal.model.PasswordPolicy;
042    import com.liferay.portal.model.Portlet;
043    import com.liferay.portal.model.PortletPreferencesIds;
044    import com.liferay.portal.model.User;
045    import com.liferay.portal.model.UserTracker;
046    import com.liferay.portal.model.UserTrackerPath;
047    import com.liferay.portal.security.auth.InterruptedPortletRequestWhitelistUtil;
048    import com.liferay.portal.security.auth.PrincipalException;
049    import com.liferay.portal.security.permission.ActionKeys;
050    import com.liferay.portal.security.permission.PermissionChecker;
051    import com.liferay.portal.service.LayoutLocalServiceUtil;
052    import com.liferay.portal.service.PortletLocalServiceUtil;
053    import com.liferay.portal.service.PortletPreferencesLocalServiceUtil;
054    import com.liferay.portal.service.permission.PortletPermissionUtil;
055    import com.liferay.portal.service.persistence.UserTrackerPathUtil;
056    import com.liferay.portal.theme.ThemeDisplay;
057    import com.liferay.portal.util.PortalUtil;
058    import com.liferay.portal.util.PropsUtil;
059    import com.liferay.portal.util.PropsValues;
060    import com.liferay.portlet.InvokerPortlet;
061    import com.liferay.portlet.PortletConfigFactoryUtil;
062    import com.liferay.portlet.PortletInstanceFactoryUtil;
063    import com.liferay.portlet.PortletPreferencesFactoryUtil;
064    import com.liferay.portlet.PortletURLImpl;
065    import com.liferay.portlet.RenderRequestFactory;
066    import com.liferay.portlet.RenderRequestImpl;
067    import com.liferay.portlet.RenderResponseFactory;
068    import com.liferay.portlet.RenderResponseImpl;
069    
070    import java.io.IOException;
071    
072    import java.util.Date;
073    import java.util.HashSet;
074    import java.util.LinkedHashMap;
075    import java.util.Map;
076    import java.util.Set;
077    import java.util.regex.Matcher;
078    import java.util.regex.Pattern;
079    
080    import javax.portlet.PortletConfig;
081    import javax.portlet.PortletContext;
082    import javax.portlet.PortletMode;
083    import javax.portlet.PortletPreferences;
084    import javax.portlet.PortletRequest;
085    import javax.portlet.WindowState;
086    
087    import javax.servlet.ServletContext;
088    import javax.servlet.ServletException;
089    import javax.servlet.http.HttpServletRequest;
090    import javax.servlet.http.HttpServletResponse;
091    import javax.servlet.http.HttpSession;
092    import javax.servlet.jsp.PageContext;
093    
094    import org.apache.struts.Globals;
095    import org.apache.struts.action.Action;
096    import org.apache.struts.action.ActionForm;
097    import org.apache.struts.action.ActionMapping;
098    import org.apache.struts.config.ActionConfig;
099    import org.apache.struts.config.ForwardConfig;
100    import org.apache.struts.tiles.TilesRequestProcessor;
101    import org.apache.struts.util.MessageResources;
102    
103    /**
104     * @author Brian Wing Shun Chan
105     * @author Jorge Ferrer
106     * @author Wesley Gong
107     * @author Mika Koivisto
108     */
109    public class PortalRequestProcessor extends TilesRequestProcessor {
110    
111            public PortalRequestProcessor() {
112    
113                    // auth.forward.last.path.
114    
115                    _lastPaths = new HashSet<>();
116    
117                    _lastPaths.add(_PATH_PORTAL_LAYOUT);
118    
119                    addPaths(_lastPaths, PropsKeys.AUTH_FORWARD_LAST_PATHS);
120    
121                    // auth.public.path.
122    
123                    _publicPaths = new HashSet<>();
124    
125                    _publicPaths.add(_PATH_C);
126                    _publicPaths.add(_PATH_PORTAL_API_JSONWS);
127                    _publicPaths.add(_PATH_PORTAL_FLASH);
128                    _publicPaths.add(_PATH_PORTAL_J_LOGIN);
129                    _publicPaths.add(_PATH_PORTAL_LAYOUT);
130                    _publicPaths.add(_PATH_PORTAL_LICENSE);
131                    _publicPaths.add(_PATH_PORTAL_LOGIN);
132                    _publicPaths.add(_PATH_PORTAL_RENDER_PORTLET);
133                    _publicPaths.add(_PATH_PORTAL_RESILIENCY);
134                    _publicPaths.add(_PATH_PORTAL_TCK);
135                    _publicPaths.add(_PATH_PORTAL_UPDATE_LANGUAGE);
136                    _publicPaths.add(_PATH_PORTAL_UPDATE_PASSWORD);
137                    _publicPaths.add(_PATH_PORTAL_VERIFY_EMAIL_ADDRESS);
138                    _publicPaths.add(PropsValues.AUTH_LOGIN_DISABLED_PATH);
139    
140                    _trackerIgnorePaths = new HashSet<>();
141    
142                    addPaths(_trackerIgnorePaths, PropsKeys.SESSION_TRACKER_IGNORE_PATHS);
143            }
144    
145            @Override
146            public void process(
147                            HttpServletRequest request, HttpServletResponse response)
148                    throws IOException, ServletException {
149    
150                    String path = super.processPath(request, response);
151    
152                    ActionMapping actionMapping =
153                            (ActionMapping)moduleConfig.findActionConfig(path);
154    
155                    Action action = StrutsActionRegistryUtil.getAction(path);
156    
157                    if ((actionMapping == null) && (action == null)) {
158                            String lastPath = getLastPath(request);
159    
160                            if (_log.isDebugEnabled()) {
161                                    _log.debug("Last path " + lastPath);
162                            }
163    
164                            response.sendRedirect(lastPath);
165    
166                            return;
167                    }
168    
169                    super.process(request, response);
170    
171                    try {
172                            if (isPortletPath(path)) {
173                                    cleanUp(request);
174                            }
175                    }
176                    catch (Exception e) {
177                            _log.error(e, e);
178                    }
179            }
180    
181            protected void addPaths(Set<String> paths, String propsKey) {
182                    String[] pathsArray = PropsUtil.getArray(propsKey);
183    
184                    for (String path : pathsArray) {
185                            paths.add(path);
186                    }
187            }
188    
189            protected void callParentDoForward(
190                            String uri, HttpServletRequest request,
191                            HttpServletResponse response)
192                    throws IOException, ServletException {
193    
194                    super.doForward(uri, request, response);
195            }
196    
197            protected HttpServletRequest callParentProcessMultipart(
198                    HttpServletRequest request) {
199    
200                    return super.processMultipart(request);
201            }
202    
203            protected String callParentProcessPath(
204                            HttpServletRequest request, HttpServletResponse response)
205                    throws IOException {
206    
207                    return super.processPath(request, response);
208            }
209    
210            protected boolean callParentProcessRoles(
211                            HttpServletRequest request, HttpServletResponse response,
212                            ActionMapping actionMapping)
213                    throws IOException, ServletException {
214    
215                    return super.processRoles(request, response, actionMapping);
216            }
217    
218            protected void cleanUp(HttpServletRequest request) throws Exception {
219    
220                    // Clean up portlet objects that may have been created by defineObjects
221                    // for portlets that are called directly from a Struts path
222    
223                    RenderRequestImpl renderRequestImpl =
224                            (RenderRequestImpl)request.getAttribute(
225                                    JavaConstants.JAVAX_PORTLET_REQUEST);
226    
227                    if (renderRequestImpl != null) {
228                            renderRequestImpl.cleanUp();
229                    }
230            }
231    
232            protected void defineObjects(
233                            HttpServletRequest request, HttpServletResponse response,
234                            Portlet portlet)
235                    throws Exception {
236    
237                    String portletId = portlet.getPortletId();
238    
239                    ServletContext servletContext = (ServletContext)request.getAttribute(
240                            WebKeys.CTX);
241    
242                    InvokerPortlet invokerPortlet = PortletInstanceFactoryUtil.create(
243                            portlet, servletContext);
244    
245                    PortletPreferencesIds portletPreferencesIds =
246                            PortletPreferencesFactoryUtil.getPortletPreferencesIds(
247                                    request, portletId);
248    
249                    PortletPreferences portletPreferences =
250                            PortletPreferencesLocalServiceUtil.getStrictPreferences(
251                                    portletPreferencesIds);
252    
253                    PortletConfig portletConfig = PortletConfigFactoryUtil.create(
254                            portlet, servletContext);
255                    PortletContext portletContext = portletConfig.getPortletContext();
256    
257                    RenderRequestImpl renderRequestImpl = RenderRequestFactory.create(
258                            request, portlet, invokerPortlet, portletContext,
259                            WindowState.MAXIMIZED, PortletMode.VIEW, portletPreferences);
260    
261                    RenderResponseImpl renderResponseImpl = RenderResponseFactory.create(
262                            renderRequestImpl, response, portletId, portlet.getCompanyId());
263    
264                    renderRequestImpl.defineObjects(portletConfig, renderResponseImpl);
265    
266                    request.setAttribute(WebKeys.PORTLET_STRUTS_EXECUTE, Boolean.TRUE);
267            }
268    
269            @Override
270            protected void doForward(
271                            String uri, HttpServletRequest request,
272                            HttpServletResponse response)
273                    throws ServletException {
274    
275                    StrutsUtil.forward(uri, getServletContext(), request, response);
276            }
277    
278            @Override
279            protected void doInclude(
280                            String uri, HttpServletRequest request,
281                            HttpServletResponse response)
282                    throws ServletException {
283    
284                    StrutsUtil.include(uri, getServletContext(), request, response);
285            }
286    
287            protected String getFriendlyTrackerPath(
288                            String path, ThemeDisplay themeDisplay, HttpServletRequest request)
289                    throws Exception {
290    
291                    if (!path.equals(_PATH_PORTAL_LAYOUT)) {
292                            return null;
293                    }
294    
295                    long plid = ParamUtil.getLong(request, "p_l_id");
296    
297                    if (plid == 0) {
298                            return null;
299                    }
300    
301                    Layout layout = LayoutLocalServiceUtil.getLayout(plid);
302    
303                    String layoutFriendlyURL = PortalUtil.getLayoutFriendlyURL(
304                            layout, themeDisplay);
305    
306                    String portletId = ParamUtil.getString(request, "p_p_id");
307    
308                    if (Validator.isNull(portletId)) {
309                            return layoutFriendlyURL;
310                    }
311    
312                    long companyId = PortalUtil.getCompanyId(request);
313    
314                    Portlet portlet = PortletLocalServiceUtil.getPortletById(
315                            companyId, portletId);
316    
317                    if (portlet == null) {
318                            String strutsPath = path.substring(
319                                    1, path.lastIndexOf(CharPool.SLASH));
320    
321                            portlet = PortletLocalServiceUtil.getPortletByStrutsPath(
322                                    companyId, strutsPath);
323                    }
324    
325                    if ((portlet == null) || !portlet.isActive()) {
326                            return layoutFriendlyURL.concat(StringPool.QUESTION).concat(
327                                    request.getQueryString());
328                    }
329    
330                    String namespace = PortalUtil.getPortletNamespace(portletId);
331    
332                    FriendlyURLMapper friendlyURLMapper =
333                            portlet.getFriendlyURLMapperInstance();
334    
335                    if (friendlyURLMapper == null) {
336                            return layoutFriendlyURL.concat(StringPool.QUESTION).concat(
337                                    request.getQueryString());
338                    }
339    
340                    PortletURLImpl portletURL = new PortletURLImpl(
341                            request, portletId, plid, PortletRequest.RENDER_PHASE);
342    
343                    Map<String, String[]> parameterMap = request.getParameterMap();
344    
345                    for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
346                            String key = entry.getKey();
347    
348                            if (key.startsWith(namespace)) {
349                                    key = key.substring(namespace.length());
350    
351                                    portletURL.setParameter(key, entry.getValue());
352                            }
353                    }
354    
355                    String portletFriendlyURL = friendlyURLMapper.buildPath(portletURL);
356    
357                    if (portletFriendlyURL != null) {
358                            return layoutFriendlyURL.concat(portletFriendlyURL);
359                    }
360                    else {
361                            return layoutFriendlyURL.concat(StringPool.QUESTION).concat(
362                                    request.getQueryString());
363                    }
364            }
365    
366            protected String getLastPath(HttpServletRequest request) {
367                    HttpSession session = request.getSession();
368    
369                    ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
370                            WebKeys.THEME_DISPLAY);
371    
372                    Boolean httpsInitial = (Boolean)session.getAttribute(
373                            WebKeys.HTTPS_INITIAL);
374    
375                    String portalURL = null;
376    
377                    if (PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS &&
378                            !PropsValues.SESSION_ENABLE_PHISHING_PROTECTION &&
379                            (httpsInitial != null) && !httpsInitial.booleanValue()) {
380    
381                            portalURL = PortalUtil.getPortalURL(request, false);
382                    }
383                    else {
384                            portalURL = PortalUtil.getPortalURL(request);
385                    }
386    
387                    StringBundler sb = new StringBundler(7);
388    
389                    sb.append(portalURL);
390                    sb.append(themeDisplay.getPathMain());
391                    sb.append(_PATH_PORTAL_LAYOUT);
392    
393                    if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
394                            if (request.getRemoteUser() != null) {
395    
396                                    // If we do not forward by last path and the user is logged in,
397                                    // forward to the user's default layout to prevent a lagging
398                                    // loop
399    
400                                    sb.append(StringPool.QUESTION);
401                                    sb.append("p_l_id");
402                                    sb.append(StringPool.EQUAL);
403                                    sb.append(LayoutConstants.DEFAULT_PLID);
404                            }
405    
406                            return sb.toString();
407                    }
408    
409                    LastPath lastPath = (LastPath)session.getAttribute(WebKeys.LAST_PATH);
410    
411                    if (lastPath == null) {
412                            return sb.toString();
413                    }
414    
415                    String parameters = lastPath.getParameters();
416    
417                    // Only test for existing mappings for last paths that were set when the
418                    // user accessed a layout directly instead of through its friendly URL
419    
420                    if (lastPath.getContextPath().equals(themeDisplay.getPathMain())) {
421                            ActionMapping actionMapping =
422                                    (ActionMapping)moduleConfig.findActionConfig(
423                                            lastPath.getPath());
424    
425                            if ((actionMapping == null) || parameters.isEmpty()) {
426                                    return sb.toString();
427                            }
428                    }
429    
430                    StringBundler lastPathSB = new StringBundler(4);
431    
432                    lastPathSB.append(portalURL);
433                    lastPathSB.append(lastPath.getContextPath());
434                    lastPathSB.append(lastPath.getPath());
435                    lastPathSB.append(parameters);
436    
437                    return lastPathSB.toString();
438            }
439    
440            protected boolean isPortletPath(String path) {
441                    if ((path != null) && !path.equals(_PATH_C) &&
442                            !path.startsWith(_PATH_COMMON) &&
443                            !path.contains(_PATH_J_SECURITY_CHECK) &&
444                            !path.startsWith(_PATH_PORTAL)) {
445    
446                            return true;
447                    }
448                    else {
449                            return false;
450                    }
451            }
452    
453            protected boolean isPublicPath(String path) {
454                    if ((path != null) &&
455                            (_publicPaths.contains(path) || path.startsWith(_PATH_COMMON) ||
456                             AuthPublicPathRegistry.contains(path))) {
457    
458                            return true;
459                    }
460                    else {
461                            return false;
462                    }
463            }
464    
465            @Override
466            protected Action processActionCreate(
467                            HttpServletRequest request, HttpServletResponse response,
468                            ActionMapping actionMapping)
469                    throws IOException {
470    
471                    ActionAdapter actionAdapter =
472                            (ActionAdapter)StrutsActionRegistryUtil.getAction(
473                                    actionMapping.getPath());
474    
475                    if (actionAdapter != null) {
476                            ActionConfig actionConfig = moduleConfig.findActionConfig(
477                                    actionMapping.getPath());
478    
479                            if (actionConfig != null) {
480                                    Action originalAction = super.processActionCreate(
481                                            request, response, actionMapping);
482    
483                                    actionAdapter.setOriginalAction(originalAction);
484                            }
485    
486                            return actionAdapter;
487                    }
488    
489                    return super.processActionCreate(request, response, actionMapping);
490            }
491    
492            @Override
493            protected ActionMapping processMapping(
494                            HttpServletRequest request, HttpServletResponse response,
495                            String path)
496                    throws IOException {
497    
498                    if (path == null) {
499                            return null;
500                    }
501    
502                    Action action = StrutsActionRegistryUtil.getAction(path);
503    
504                    if (action != null) {
505                            ActionMapping actionMapping =
506                                    (ActionMapping)moduleConfig.findActionConfig(path);
507    
508                            if (actionMapping == null) {
509                                    actionMapping = new ActionMapping();
510    
511                                    actionMapping.setModuleConfig(moduleConfig);
512                                    actionMapping.setPath(path);
513    
514                                    request.setAttribute(Globals.MAPPING_KEY, actionMapping);
515                            }
516    
517                            return actionMapping;
518                    }
519    
520                    ActionMapping actionMapping = super.processMapping(
521                            request, response, path);
522    
523                    if (actionMapping == null) {
524                            MessageResources messageResources = getInternal();
525    
526                            String msg = messageResources.getMessage("processInvalid");
527    
528                            _log.error("User ID " + request.getRemoteUser());
529                            _log.error("Current URL " + PortalUtil.getCurrentURL(request));
530                            _log.error("Referer " + request.getHeader("Referer"));
531                            _log.error("Remote address " + request.getRemoteAddr());
532    
533                            _log.error(msg + " " + path);
534                    }
535    
536                    return actionMapping;
537            }
538    
539            @Override
540            protected HttpServletRequest processMultipart(HttpServletRequest request) {
541    
542                    // Disable Struts from automatically wrapping a multipart request
543    
544                    return request;
545            }
546    
547            @Override
548            protected String processPath(
549                            HttpServletRequest request, HttpServletResponse response)
550                    throws IOException {
551    
552                    String path = GetterUtil.getString(
553                            super.processPath(request, response));
554    
555                    HttpSession session = request.getSession();
556    
557                    ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
558                            WebKeys.THEME_DISPLAY);
559    
560                    // Current users
561    
562                    UserTracker userTracker = LiveUsers.getUserTracker(
563                            themeDisplay.getCompanyId(), session.getId());
564    
565                    if ((userTracker != null) && !path.equals(_PATH_C) &&
566                            !path.contains(_PATH_J_SECURITY_CHECK) &&
567                            !path.contains(_PATH_PORTAL_PROTECTED) &&
568                            !_trackerIgnorePaths.contains(path)) {
569    
570                            String fullPath = null;
571    
572                            try {
573                                    if (PropsValues.SESSION_TRACKER_FRIENDLY_PATHS_ENABLED) {
574                                            fullPath = getFriendlyTrackerPath(
575                                                    path, themeDisplay, request);
576                                    }
577                            }
578                            catch (Exception e) {
579                                    _log.error(e, e);
580                            }
581    
582                            String fullPathWithoutQueryString = fullPath;
583    
584                            if (Validator.isNull(fullPath)) {
585                                    String queryString = request.getQueryString();
586    
587                                    fullPathWithoutQueryString = path;
588    
589                                    if (Validator.isNotNull(queryString)) {
590                                            fullPath = path.concat(StringPool.QUESTION).concat(
591                                                    queryString);
592                                    }
593                                    else {
594                                            fullPath = path;
595                                    }
596                            }
597    
598                            int pos = fullPathWithoutQueryString.indexOf(StringPool.QUESTION);
599    
600                            if (pos != -1) {
601                                    fullPathWithoutQueryString =
602                                            fullPathWithoutQueryString.substring(0, pos);
603                            }
604    
605                            if (!_trackerIgnorePaths.contains(fullPathWithoutQueryString)) {
606                                    UserTrackerPath userTrackerPath = UserTrackerPathUtil.create(0);
607    
608                                    userTrackerPath.setUserTrackerId(
609                                            userTracker.getUserTrackerId());
610                                    userTrackerPath.setPath(fullPath);
611                                    userTrackerPath.setPathDate(new Date());
612    
613                                    userTracker.addPath(userTrackerPath);
614                            }
615                    }
616    
617                    String remoteUser = request.getRemoteUser();
618    
619                    User user = null;
620    
621                    try {
622                            user = PortalUtil.getUser(request);
623                    }
624                    catch (Exception e) {
625                    }
626    
627                    // Last path
628    
629                    if (_lastPaths.contains(path) && !_trackerIgnorePaths.contains(path)) {
630                            boolean saveLastPath = ParamUtil.getBoolean(
631                                    request, "saveLastPath", true);
632    
633                            if (themeDisplay.isLifecycleResource() ||
634                                    themeDisplay.isStateExclusive() ||
635                                    themeDisplay.isStatePopUp() ||
636                                    !StringUtil.equalsIgnoreCase(
637                                            request.getMethod(), HttpMethods.GET)) {
638    
639                                    saveLastPath = false;
640                            }
641    
642                            // Save last path
643    
644                            if (saveLastPath) {
645    
646                                    // Was a last path set by another servlet that dispatched to the
647                                    // MainServlet? If so, use that last path instead.
648    
649                                    LastPath lastPath = (LastPath)request.getAttribute(
650                                            WebKeys.LAST_PATH);
651    
652                                    if (lastPath == null) {
653                                            lastPath = new LastPath(
654                                                    themeDisplay.getPathMain(), path,
655                                                    HttpUtil.parameterMapToString(
656                                                            request.getParameterMap()));
657                                    }
658    
659                                    session.setAttribute(WebKeys.LAST_PATH, lastPath);
660                            }
661                    }
662    
663                    // Setup wizard
664    
665                    if (PropsValues.SETUP_WIZARD_ENABLED) {
666                            if (!path.equals(_PATH_PORTAL_LICENSE) &&
667                                    !path.equals(_PATH_PORTAL_STATUS)) {
668    
669                                    return _PATH_PORTAL_SETUP_WIZARD;
670                            }
671                    }
672                    else if (path.equals(_PATH_PORTAL_SETUP_WIZARD)) {
673                            return _PATH_PORTAL_LAYOUT;
674                    }
675    
676                    // Authenticated users can always log out
677    
678                    if (((remoteUser != null) || (user != null)) &&
679                            path.equals(_PATH_PORTAL_LOGOUT)) {
680    
681                            return path;
682                    }
683    
684                    // Authenticated users can always extend or confirm their session
685    
686                    if (((remoteUser != null) || (user != null)) &&
687                            (path.equals(_PATH_PORTAL_EXPIRE_SESSION) ||
688                             path.equals(_PATH_PORTAL_EXTEND_SESSION))) {
689    
690                            return path;
691                    }
692    
693                    // Authenticated users can always agree to terms of use
694    
695                    if (((remoteUser != null) || (user != null)) &&
696                            path.equals(_PATH_PORTAL_UPDATE_TERMS_OF_USE)) {
697    
698                            return path;
699                    }
700    
701                    // Authenticated users must still exist in the system
702    
703                    if ((remoteUser != null) && (user == null)) {
704                            return _PATH_PORTAL_LOGOUT;
705                    }
706    
707                    // Authenticated users must be active
708    
709                    if ((user != null) && !user.isActive()) {
710                            SessionErrors.add(request, UserActiveException.class.getName());
711    
712                            return _PATH_PORTAL_ERROR;
713                    }
714    
715                    long companyId = PortalUtil.getCompanyId(request);
716                    String portletId = ParamUtil.getString(request, "p_p_id");
717    
718                    if (!path.equals(_PATH_PORTAL_JSON_SERVICE) &&
719                            !path.equals(_PATH_PORTAL_RENDER_PORTLET) &&
720                            !ParamUtil.getBoolean(request, "wsrp") &&
721                            !themeDisplay.isImpersonated() &&
722                            !InterruptedPortletRequestWhitelistUtil.
723                                    isPortletInvocationWhitelisted(
724                                            companyId, portletId,
725                                            PortalUtil.getStrutsAction(request))) {
726    
727                            // Authenticated users should agree to Terms of Use
728    
729                            if ((user != null) && !user.isTermsOfUseComplete()) {
730                                    return _PATH_PORTAL_TERMS_OF_USE;
731                            }
732    
733                            // Authenticated users should have a verified email address
734    
735                            if ((user != null) && !user.isEmailAddressVerificationComplete()) {
736                                    if (path.equals(_PATH_PORTAL_UPDATE_EMAIL_ADDRESS)) {
737                                            return _PATH_PORTAL_UPDATE_EMAIL_ADDRESS;
738                                    }
739    
740                                    return _PATH_PORTAL_VERIFY_EMAIL_ADDRESS;
741                            }
742    
743                            // Authenticated users must have a current password
744    
745                            if ((user != null) && user.isPasswordReset()) {
746                                    try {
747                                            PasswordPolicy passwordPolicy = user.getPasswordPolicy();
748    
749                                            if ((passwordPolicy == null) ||
750                                                    passwordPolicy.isChangeRequired()) {
751    
752                                                    return _PATH_PORTAL_UPDATE_PASSWORD;
753                                            }
754                                    }
755                                    catch (Exception e) {
756                                            _log.error(e, e);
757    
758                                            return _PATH_PORTAL_UPDATE_PASSWORD;
759                                    }
760                            }
761                            else if ((user != null) && !user.isPasswordReset() &&
762                                             path.equals(_PATH_PORTAL_UPDATE_PASSWORD)) {
763    
764                                    return null;
765                            }
766    
767                            // Authenticated users must have an email address
768    
769                            if ((user != null) && !user.isEmailAddressComplete()) {
770                                    return _PATH_PORTAL_UPDATE_EMAIL_ADDRESS;
771                            }
772    
773                            // Authenticated users should have a reminder query
774    
775                            if ((user != null) && !user.isDefaultUser() &&
776                                    !user.isReminderQueryComplete()) {
777    
778                                    return _PATH_PORTAL_UPDATE_REMINDER_QUERY;
779                            }
780                    }
781    
782                    // Users must sign in
783    
784                    if (!isPublicPath(path)) {
785                            if (user == null) {
786                                    SessionErrors.add(request, PrincipalException.class.getName());
787    
788                                    return _PATH_PORTAL_LOGIN;
789                            }
790                    }
791    
792                    ActionMapping actionMapping =
793                            (ActionMapping)moduleConfig.findActionConfig(path);
794    
795                    if (actionMapping == null) {
796                            Action strutsAction = StrutsActionRegistryUtil.getAction(path);
797    
798                            if (strutsAction == null) {
799                                    return null;
800                            }
801                    }
802                    else {
803                            path = actionMapping.getPath();
804                    }
805    
806                    // Define the portlet objects
807    
808                    if (isPortletPath(path)) {
809                            try {
810                                    Portlet portlet = null;
811    
812                                    if (Validator.isNotNull(portletId)) {
813                                            portlet = PortletLocalServiceUtil.getPortletById(
814                                                    companyId, portletId);
815                                    }
816    
817                                    if (portlet == null) {
818                                            String strutsPath = path.substring(
819                                                    1, path.lastIndexOf(CharPool.SLASH));
820    
821                                            portlet = PortletLocalServiceUtil.getPortletByStrutsPath(
822                                                    companyId, strutsPath);
823                                    }
824    
825                                    if ((portlet != null) && portlet.isActive()) {
826                                            defineObjects(request, response, portlet);
827                                    }
828                            }
829                            catch (Exception e) {
830                                    request.setAttribute(PageContext.EXCEPTION, e);
831    
832                                    path = _PATH_COMMON_ERROR;
833                            }
834                    }
835    
836                    // Authenticated users must have access to at least one layout
837    
838                    if (SessionErrors.contains(
839                                    request, LayoutPermissionException.class.getName())) {
840    
841                            return _PATH_PORTAL_ERROR;
842                    }
843    
844                    return path;
845            }
846    
847            @Override
848            protected void processPopulate(
849                            HttpServletRequest request, HttpServletResponse response,
850                            ActionForm actionForm, ActionMapping actionMapping)
851                    throws ServletException {
852    
853                    if (actionForm == null) {
854                            return;
855                    }
856    
857                    boolean hasIgnoredParameter = false;
858    
859                    Map<String, String[]> oldParameterMap = request.getParameterMap();
860    
861                    Map<String, String[]> newParameterMap = new LinkedHashMap<>(
862                            oldParameterMap.size());
863    
864                    for (Map.Entry<String, String[]> entry : oldParameterMap.entrySet()) {
865                            String name = entry.getKey();
866    
867                            Matcher matcher = _strutsPortletIgnoredParamtersPattern.matcher(
868                                    name);
869    
870                            if (matcher.matches()) {
871                                    hasIgnoredParameter = true;
872                            }
873                            else {
874                                    newParameterMap.put(name, entry.getValue());
875                            }
876                    }
877    
878                    if (hasIgnoredParameter) {
879                            request = new DynamicServletRequest(
880                                    request, newParameterMap, false);
881                    }
882    
883                    super.processPopulate(request, response, actionForm, actionMapping);
884            }
885    
886            @Override
887            protected boolean processRoles(
888                            HttpServletRequest request, HttpServletResponse response,
889                            ActionMapping actionMapping)
890                    throws IOException, ServletException {
891    
892                    String path = actionMapping.getPath();
893    
894                    if (isPublicPath(path)) {
895                            return true;
896                    }
897    
898                    boolean authorized = true;
899    
900                    User user = null;
901    
902                    try {
903                            user = PortalUtil.getUser(request);
904                    }
905                    catch (Exception e) {
906                    }
907    
908                    if ((user != null) && isPortletPath(path)) {
909                            try {
910    
911                                    // Authenticated users can always log out
912    
913                                    if (path.equals(_PATH_PORTAL_LOGOUT)) {
914                                            return true;
915                                    }
916    
917                                    Portlet portlet = null;
918    
919                                    String portletId = ParamUtil.getString(request, "p_p_id");
920    
921                                    if (Validator.isNotNull(portletId)) {
922                                            portlet = PortletLocalServiceUtil.getPortletById(
923                                                    user.getCompanyId(), portletId);
924                                    }
925    
926                                    String strutsPath = path.substring(
927                                            1, path.lastIndexOf(CharPool.SLASH));
928    
929                                    if (portlet != null) {
930                                            if (!strutsPath.equals(portlet.getStrutsPath())) {
931                                                    throw new PrincipalException.MustBePortletStrutsPath(
932                                                            strutsPath, portletId);
933                                            }
934                                    }
935                                    else {
936                                            portlet = PortletLocalServiceUtil.getPortletByStrutsPath(
937                                                    user.getCompanyId(), strutsPath);
938                                    }
939    
940                                    if ((portlet != null) && portlet.isActive() &&
941                                            !portlet.isSystem()) {
942    
943                                            ThemeDisplay themeDisplay =
944                                                    (ThemeDisplay)request.getAttribute(
945                                                            WebKeys.THEME_DISPLAY);
946    
947                                            Layout layout = themeDisplay.getLayout();
948                                            PermissionChecker permissionChecker =
949                                                    themeDisplay.getPermissionChecker();
950    
951                                            if (!PortletPermissionUtil.contains(
952                                                            permissionChecker, layout, portlet,
953                                                            ActionKeys.VIEW)) {
954    
955                                                    throw new PrincipalException.MustHavePermission(
956                                                            permissionChecker, Portlet.class.getName(),
957                                                            portlet.getPortletId(), ActionKeys.VIEW);
958                                            }
959                                    }
960                                    else if ((portlet != null) && !portlet.isActive()) {
961                                            SessionErrors.add(
962                                                    request, PortletActiveException.class.getName());
963    
964                                            authorized = false;
965                                    }
966                            }
967                            catch (Exception e) {
968                                    SessionErrors.add(request, PrincipalException.class.getName());
969    
970                                    authorized = false;
971                            }
972                    }
973    
974                    if (!authorized) {
975                            ForwardConfig forwardConfig = actionMapping.findForward(
976                                    _PATH_PORTAL_ERROR);
977    
978                            processForwardConfig(request, response, forwardConfig);
979    
980                            return false;
981                    }
982                    else {
983                            return true;
984                    }
985            }
986    
987            private static final String _PATH_C = "/c";
988    
989            private static final String _PATH_COMMON = "/common";
990    
991            private static final String _PATH_COMMON_ERROR = "/common/error";
992    
993            private static final String _PATH_J_SECURITY_CHECK = "/j_security_check";
994    
995            private static final String _PATH_PORTAL = "/portal";
996    
997            private static final String _PATH_PORTAL_API_JSONWS = "/portal/api/jsonws";
998    
999            private static final String _PATH_PORTAL_ERROR = "/portal/error";
1000    
1001            private static final String _PATH_PORTAL_EXPIRE_SESSION =
1002                    "/portal/expire_session";
1003    
1004            private static final String _PATH_PORTAL_EXTEND_SESSION =
1005                    "/portal/extend_session";
1006    
1007            private static final String _PATH_PORTAL_FLASH = "/portal/flash";
1008    
1009            private static final String _PATH_PORTAL_J_LOGIN = "/portal/j_login";
1010    
1011            private static final String _PATH_PORTAL_JSON_SERVICE =
1012                    "/portal/json_service";
1013    
1014            private static final String _PATH_PORTAL_LAYOUT = "/portal/layout";
1015    
1016            private static final String _PATH_PORTAL_LICENSE = "/portal/license";
1017    
1018            private static final String _PATH_PORTAL_LOGIN = "/portal/login";
1019    
1020            private static final String _PATH_PORTAL_LOGOUT = "/portal/logout";
1021    
1022            private static final String _PATH_PORTAL_PROTECTED = "/portal/protected";
1023    
1024            private static final String _PATH_PORTAL_RENDER_PORTLET =
1025                    "/portal/render_portlet";
1026    
1027            private static final String _PATH_PORTAL_RESILIENCY = "/portal/resiliency";
1028    
1029            private static final String _PATH_PORTAL_SETUP_WIZARD =
1030                    "/portal/setup_wizard";
1031    
1032            private static final String _PATH_PORTAL_STATUS = "/portal/status";
1033    
1034            private static final String _PATH_PORTAL_TCK = "/portal/tck";
1035    
1036            private static final String _PATH_PORTAL_TERMS_OF_USE =
1037                    "/portal/terms_of_use";
1038    
1039            private static final String _PATH_PORTAL_UPDATE_EMAIL_ADDRESS =
1040                    "/portal/update_email_address";
1041    
1042            private static final String _PATH_PORTAL_UPDATE_LANGUAGE =
1043                    "/portal/update_language";
1044    
1045            private static final String _PATH_PORTAL_UPDATE_PASSWORD =
1046                    "/portal/update_password";
1047    
1048            private static final String _PATH_PORTAL_UPDATE_REMINDER_QUERY =
1049                    "/portal/update_reminder_query";
1050    
1051            private static final String _PATH_PORTAL_UPDATE_TERMS_OF_USE =
1052                    "/portal/update_terms_of_use";
1053    
1054            private static final String _PATH_PORTAL_VERIFY_EMAIL_ADDRESS =
1055                    "/portal/verify_email_address";
1056    
1057            private static final Log _log = LogFactoryUtil.getLog(
1058                    PortalRequestProcessor.class);
1059    
1060            private static final Pattern _strutsPortletIgnoredParamtersPattern =
1061                    Pattern.compile(PropsValues.STRUTS_PORTLET_IGNORED_PARAMETERS_REGEXP);
1062    
1063            private final Set<String> _lastPaths;
1064            private final Set<String> _publicPaths;
1065            private final Set<String> _trackerIgnorePaths;
1066    
1067    }