015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.ReflectionUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Layout;
import com.liferay.portal.model.LayoutTypePortlet;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.service.LayoutLocalServiceUtil;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.portlet.PortletRequest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
042
043
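/**
 * Session-backed {@link AuthToken} implementation.
 *
 * <p>Both the CSRF token and the per-portlet invocation token are kept as
 * {@link HttpSession} attributes under the key
 * {@code WebKeys.AUTHENTICATION_TOKEN + key}. The CSRF token travels back to
 * the server as the {@code p_auth} request parameter (or the
 * {@code X-CSRF-Token} header); the portlet invocation token as the
 * {@code p_p_auth} parameter. Every comparison between a client-supplied
 * token and the session token is done in constant time so that a mismatch
 * does not leak, through response timing, how many leading characters were
 * correct.</p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Adds the CSRF token as the {@code p_auth} parameter of an action-phase
	 * portlet URL, creating the session token if none exists yet.
	 *
	 * <p>Nothing is added when the token check is disabled, when the URL is
	 * not an action URL, or when the URL is CSRF whitelisted.</p>
	 *
	 * @param request the current request; its session holds the token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addCSRFToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		// Only action URLs are state changing, so only they carry the token

		if (!PortletRequest.ACTION_PHASE.equals(
				liferayPortletURL.getLifecycle())) {

			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLCSRFWhitelisted(
				liferayPortletURL)) {

			return;
		}

		liferayPortletURL.setParameter("p_auth", getToken(request));
	}

	/**
	 * Adds the portlet invocation token as the {@code p_p_auth} parameter of
	 * a portlet URL that targets a portlet which is not already placed on the
	 * URL's layout.
	 *
	 * <p>Nothing is added when the default-resource check is disabled, when
	 * the portlet is unknown or does not allow being added as a default
	 * resource, when the URL is whitelisted, or when the layout already
	 * contains the portlet. A failure while loading the layout is only logged
	 * at debug level and the token is still added, so the conservative
	 * outcome (token required) wins.</p>
	 *
	 * @param request the current request; its session holds the token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addPortletInvocationToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		String portletId = liferayPortletURL.getPortletId();

		Portlet portlet = PortletLocalServiceUtil.getPortletById(
			companyId, portletId);

		if ((portlet == null) || !portlet.isAddDefaultResource()) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLPortletInvocationWhitelisted(
				liferayPortletURL)) {

			return;
		}

		long plid = liferayPortletURL.getPlid();

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);

			LayoutTypePortlet layoutTypePortlet =
				(LayoutTypePortlet)layout.getLayoutType();

			// A portlet already on the page needs no invocation token

			if (layoutTypePortlet.hasPortletId(portletId)) {
				return;
			}
		}
		catch (Exception e) {

			// Best effort: an unreadable layout falls through to adding the
			// token rather than skipping it

			if (_log.isDebugEnabled()) {
				_log.debug(e.getMessage(), e);
			}
		}

		liferayPortletURL.setParameter(
			"p_p_auth", getToken(request, plid, portletId));
	}

	/**
	 * Checks the CSRF token of a request that reached the portlet container.
	 *
	 * @param request the request to check
	 * @throws PrincipalException if the token is missing or does not match
	 * @deprecated As of 6.2.0, replaced by {@link #checkCSRFToken(
	 *             HttpServletRequest, String)}
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Validates the CSRF token carried by a request.
	 *
	 * <p>The check passes without looking at the token when the check is
	 * disabled, when {@code p_auth_secret} holds a valid shared secret, when
	 * the origin is CSRF whitelisted for the company, or (for requests coming
	 * through {@link SecurityPortletContainerWrapper}) when the target portlet
	 * {@code p_p_id} is CSRF whitelisted. Otherwise the token is read from the
	 * {@code p_auth} parameter, falling back to the {@code X-CSRF-Token}
	 * header, and compared in constant time against the session token. The
	 * session token is never created here: an absent session token fails the
	 * check.</p>
	 *
	 * @param request the request to check
	 * @param origin the name of the component performing the check, matched
	 *        against the origin whitelist
	 * @throws PrincipalException if the client token is empty, the session
	 *         holds no token, or the two do not match
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isOriginCSRFWhitelisted(companyId, origin)) {
			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					request, portlet)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// createToken is false on purpose: a check must never mint the token
		// it is about to compare against

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		// Fail closed: an empty client token never validates, even if the
		// session happens to hold no token either

		if (Validator.isNull(csrfToken) || !_isEqual(sessionToken, csrfToken)) {
			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session's CSRF token, creating it if it does not exist.
	 *
	 * @param request the current request
	 * @return the CSRF token stored under the {@code #CSRF} key
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's invocation token for a portlet on a layout,
	 * creating it if it does not exist.
	 *
	 * @param request the current request
	 * @param plid the layout's primary key
	 * @param portletId the portlet's ID
	 * @return the token stored under the layout/portlet permission key
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether the request carries a valid invocation token for the
	 * portlet on the layout.
	 *
	 * <p>Whitelisted portlets are accepted without a token. Otherwise the
	 * {@code p_p_auth} parameter is read from the request, falling back to the
	 * original (unwrapped) servlet request, and compared in constant time
	 * against the session token. No session token is created here.</p>
	 *
	 * @param request the current request
	 * @param layout the layout the portlet is invoked on
	 * @param portlet the invoked portlet
	 * @return {@code true} if the portlet is whitelisted or the token matches
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				request, portlet)) {

			return true;
		}

		String portletToken = ParamUtil.getString(request, "p_p_auth");

		if (Validator.isNull(portletToken)) {
			HttpServletRequest originalRequest =
				PortalUtil.getOriginalServletRequest(request);

			portletToken = ParamUtil.getString(originalRequest, "p_p_auth");
		}

		if (Validator.isNull(portletToken)) {
			return false;
		}

		String key = PortletPermissionUtil.getPrimaryKey(
			layout.getPlid(), portlet.getPortletId());

		String sessionToken = getSessionAuthenticationToken(
			request, key, false);

		return Validator.isNotNull(sessionToken) &&
			_isEqual(sessionToken, portletToken);
	}

	/**
	 * Returns whether the request carries a valid invocation token for the
	 * portlet on the layout identified by {@code plid}.
	 *
	 * <p>{@code strutsAction} and {@code tokenValue} are ignored; the token is
	 * taken from the request as in {@link #isValidPortletInvocationToken(
	 * HttpServletRequest, Layout, Portlet)}. A {@link PortalException} while
	 * resolving the layout is rethrown via
	 * {@link ReflectionUtil#throwException(Throwable)}.</p>
	 *
	 * @param request the current request
	 * @param plid the layout's primary key
	 * @param portletId the portlet's ID
	 * @param strutsAction ignored
	 * @param tokenValue ignored
	 * @return {@code true} if the token is valid
	 * @deprecated As of 6.2.0, replaced by {@link #isValidPortletInvocationToken(
	 *             HttpServletRequest, Layout, Portlet)}
	 */
	@Deprecated
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);
			Portlet portlet = PortletLocalServiceUtil.getPortletById(portletId);

			return isValidPortletInvocationToken(request, layout, portlet);
		}
		catch (PortalException e) {
			ReflectionUtil.throwException(e);
		}

		return false;
	}

	/**
	 * Looks up the token stored in the session under
	 * {@code WebKeys.AUTHENTICATION_TOKEN + key}, optionally creating it.
	 *
	 * <p>The request is unwrapped one {@link HttpServletRequestWrapper} at a
	 * time and each wrapper's session is consulted until a token is found.
	 * Note that {@link HttpServletRequest#getSession()} creates a session when
	 * none exists. If at least one wrapper was seen but held no token, the
	 * innermost unwrapped request's session is not consulted and a newly
	 * created token is stored on the last wrapper's session; this mirrors the
	 * historical behavior and is kept as-is.</p>
	 *
	 * @param request the current request
	 * @param key the token key suffix
	 * @param createToken whether to generate and store a token if none exists
	 * @return the token, or {@code null} if none exists and
	 *         {@code createToken} is {@code false}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		// Only reached with session == null when the request was not wrapped

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {

			// NOTE(review): assumes PwdGenerator draws from a
			// cryptographically strong source -- confirm in the kernel

			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a session token with a client-supplied token in constant time.
	 *
	 * <p>{@link MessageDigest#isEqual(byte[], byte[])} does not short-circuit
	 * on the first differing byte, so response timing does not reveal a
	 * partial match. Either argument being {@code null} yields
	 * {@code false}.</p>
	 *
	 * @param expected the token held by the session
	 * @param actual the token supplied by the client
	 * @return {@code true} if both are non-null and byte-for-byte equal
	 */
	private static boolean _isEqual(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

	private static final Log _log = LogFactoryUtil.getLog(
		SessionAuthToken.class);

}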