001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.access.control;
016    
017    import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
018    import com.liferay.portal.kernel.security.access.control.AccessControlled;
019    import com.liferay.portal.kernel.security.access.control.BaseAccessControlPolicy;
020    import com.liferay.portal.kernel.util.MapUtil;
021    import com.liferay.portal.kernel.util.SetUtil;
022    import com.liferay.portal.kernel.util.StringUtil;
023    import com.liferay.portal.security.auth.AccessControlContext;
024    
025    import java.lang.reflect.Method;
026    
027    import java.util.Map;
028    import java.util.Set;
029    
030    import javax.servlet.http.HttpServletRequest;
031    
032    /**
033     * @author Tomas Polesovsky
034     * @author Igor Spasic
035     * @author Michael C. Han
036     * @author Raymond Augé
037     */
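public class AllowedHostsAccessControlPolicy extends BaseAccessControlPolicy {

	/**
	 * Rejects a remote service call whose caller host is not listed in the
	 * {@code hosts.allowed} setting of the current {@link AccessControlContext}.
	 *
	 * <p>Validation is skipped when the invoked service has not enabled host
	 * validation, when no access control context is available, or when the
	 * call is a nested service invocation (service depth greater than one).
	 *
	 * @param method the remotely invoked service method
	 * @param arguments the arguments passed to the service method
	 * @param accessControlled the access control settings of the invoked
	 *        service
	 * @throws SecurityException if the caller's remote address is not an
	 *         allowed host
	 */
	@Override
	public void onServiceRemoteAccess(
			Method method, Object[] arguments,
			AccessControlled accessControlled)
		throws SecurityException {

		if (!accessControlled.hostAllowedValidationEnabled()) {
			return;
		}

		AccessControlContext accessControlContext =
			AccessControlUtil.getAccessControlContext();

		if (accessControlContext == null) {
			return;
		}

		Map<String, Object> settings = accessControlContext.getSettings();

		// Only the outermost remote call is validated; nested service calls
		// made on its behalf reuse the already validated request. The depth is
		// read through MapUtil so a missing entry counts as depth 0 (validation
		// still runs) instead of unboxing null into a NullPointerException.

		int serviceDepth = MapUtil.getInteger(
			settings, AccessControlContext.Settings.SERVICE_DEPTH.toString());

		if (serviceDepth > 1) {
			return;
		}

		HttpServletRequest request = accessControlContext.getRequest();

		// The same settings map is reused rather than fetched a second time

		String hostsAllowedString = MapUtil.getString(
			settings, "hosts.allowed");

		Set<String> hostsAllowedSet = SetUtil.fromArray(
			StringUtil.split(hostsAllowedString));

		// NOTE(review): assumes getRequest() is non-null whenever
		// isAccessAllowed returns false; otherwise getRemoteAddr() below would
		// throw a NullPointerException instead of SecurityException -- confirm

		if (!AccessControlUtil.isAccessAllowed(request, hostsAllowedSet)) {
			throw new SecurityException(
				"Access denied for " + request.getRemoteAddr());
		}
	}

}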