015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.concurrent.ConcurrentHashSet;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.security.pacl.DoPrivileged;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import java.util.Set;

import javax.servlet.http.HttpServletRequest;
030
031
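@DoPrivileged
public class AuthTokenWhitelistImpl extends BaseAuthTokenWhitelist {

	/**
	 * Registers the three whitelist sets with the tracking helpers inherited
	 * from {@code BaseAuthTokenWhitelist} (defined outside this file), keyed
	 * by the portal property each set is configured from.
	 */
	public AuthTokenWhitelistImpl() {
		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS, _originCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS);

		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS, _portletCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS);

		trackWhitelistServices(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST,
			_portletInvocationWhitelist);

		registerPortalProperty(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
	}

	/**
	 * Returns the live, mutable set of whitelisted origin prefixes. Callers
	 * can modify the whitelist through the returned set; prefer
	 * {@link #isOriginCSRFWhitelisted(long, String)}.
	 *
	 * @return the backing origin whitelist, not a copy
	 */
	@Deprecated
	@Override
	public Set<String> getOriginCSRFWhitelist() {
		return _originCSRFWhitelist;
	}

	/**
	 * Returns the live, mutable set of root portlet IDs exempt from the CSRF
	 * token check. Prefer the {@code is*CSRFWhitelisted} methods.
	 *
	 * @return the backing portlet CSRF whitelist, not a copy
	 */
	@Deprecated
	@Override
	public Set<String> getPortletCSRFWhitelist() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the live, mutable set of portlet IDs exempt from the
	 * add-default-resource check. Prefer the
	 * {@code is*PortletInvocationWhitelisted} methods.
	 *
	 * @return the backing portlet invocation whitelist, not a copy
	 */
	@Deprecated
	@Override
	public Set<String> getPortletInvocationWhitelist() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Checks whether an origin is exempt from the CSRF token check. An origin
	 * is whitelisted when it starts with any configured entry, so entries act
	 * as prefixes and should be specific enough not to cover unrelated hosts.
	 *
	 * @param  companyId unused; the whitelist is not company-scoped here
	 * @param  origin the origin to test; {@code null} is never whitelisted
	 * @return {@code true} if a non-blank whitelist entry is a prefix of the
	 *         origin
	 */
	@Override
	public boolean isOriginCSRFWhitelisted(long companyId, String origin) {

		// Fail closed rather than throw on a missing origin

		if (origin == null) {
			return false;
		}

		for (String whitelistedOrigin : _originCSRFWhitelist) {

			// A blank entry is a prefix of every origin and would silently
			// disable the CSRF check for all requests, so it is never honored

			if (Validator.isNull(whitelistedOrigin)) {
				continue;
			}

			if (origin.startsWith(whitelistedOrigin)) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Checks whether the portlet's root portlet ID is exempt from the CSRF
	 * token check.
	 *
	 * @param  request unused
	 * @param  portlet the portlet being invoked
	 * @return {@code true} if the portlet's root portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletCSRFWhitelist.contains(portlet.getRootPortletId());
	}

	/**
	 * Checks whether the portlet's full portlet ID (not its root ID) is
	 * exempt from the add-default-resource check.
	 *
	 * @param  request unused
	 * @param  portlet the portlet being invoked
	 * @return {@code true} if the portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletInvocationWhitelist.contains(portlet.getPortletId());
	}

	/**
	 * Checks whether the portlet URL's target portlet is exempt from the CSRF
	 * token check, using the root portlet ID derived from the URL's portlet
	 * ID so that instanced portlets match their root entry.
	 *
	 * @param  liferayPortletURL the URL being built
	 * @return {@code true} if the root portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletURLCSRFWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		String rootPortletId = PortletConstants.getRootPortletId(
			liferayPortletURL.getPortletId());

		return _portletCSRFWhitelist.contains(rootPortletId);
	}

	/**
	 * Checks whether the portlet URL's full portlet ID is exempt from the
	 * add-default-resource check.
	 *
	 * @param  liferayPortletURL the URL being built
	 * @return {@code true} if the portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletURLPortletInvocationWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		return _portletInvocationWhitelist.contains(
			liferayPortletURL.getPortletId());
	}

	/**
	 * Validates a presented shared secret against the digest of the
	 * configured {@code PropsValues.AUTH_TOKEN_SHARED_SECRET}. The check
	 * fails closed when either side is blank, and the digests are compared
	 * in constant time so response timing does not reveal how many leading
	 * bytes matched.
	 *
	 * @param  sharedSecret the digest presented by the caller
	 * @return {@code true} only if a secret is configured and the presented
	 *         value equals its digest
	 */
	@Override
	public boolean isValidSharedSecret(String sharedSecret) {
		if (Validator.isNull(sharedSecret)) {
			return false;
		}

		if (Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			return false;
		}

		String expectedDigest = Encryptor.digest(
			PropsValues.AUTH_TOKEN_SHARED_SECRET);

		if (expectedDigest == null) {
			return false;
		}

		// String.equals() short-circuits on the first mismatching character;
		// MessageDigest.isEqual() compares equal-length inputs in constant
		// time, which is the comparison a secret needs

		return MessageDigest.isEqual(
			sharedSecret.getBytes(StandardCharsets.UTF_8),
			expectedDigest.getBytes(StandardCharsets.UTF_8));
	}

	// Concurrent sets: entries are added by the tracking helpers while
	// requests read them through the is* methods

	private final Set<String> _originCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletInvocationWhitelist =
		new ConcurrentHashSet<>();

}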