001
014
015 package com.liferay.portal.struts;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.json.JSONFactoryUtil;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
022 import com.liferay.portal.kernel.servlet.HttpHeaders;
023 import com.liferay.portal.kernel.servlet.ServletContextPool;
024 import com.liferay.portal.kernel.util.ClassUtil;
025 import com.liferay.portal.kernel.util.ContentTypes;
026 import com.liferay.portal.kernel.util.GetterUtil;
027 import com.liferay.portal.kernel.util.ParamUtil;
028 import com.liferay.portal.kernel.util.SetUtil;
029 import com.liferay.portal.kernel.util.StringBundler;
030 import com.liferay.portal.kernel.util.StringPool;
031 import com.liferay.portal.kernel.util.Validator;
032 import com.liferay.portal.kernel.util.WebKeys;
033 import com.liferay.portal.security.auth.AuthTokenUtil;
034 import com.liferay.portal.servlet.SharedSessionServletRequest;
035 import com.liferay.portal.util.PortalUtil;
036 import com.liferay.portal.util.PropsValues;
037
038 import java.io.OutputStream;
039
040 import java.util.Set;
041
042 import javax.servlet.RequestDispatcher;
043 import javax.servlet.ServletContext;
044 import javax.servlet.http.HttpServletRequest;
045 import javax.servlet.http.HttpServletResponse;
046
047 import org.apache.struts.action.Action;
048 import org.apache.struts.action.ActionForm;
049 import org.apache.struts.action.ActionForward;
050 import org.apache.struts.action.ActionMapping;
051
052
057 public abstract class JSONAction extends Action {
058
059 @Override
060 public ActionForward execute(
061 ActionMapping actionMapping, ActionForm actionForm,
062 HttpServletRequest request, HttpServletResponse response)
063 throws Exception {
064
065 if (rerouteExecute(request, response)) {
066 return null;
067 }
068
069 String callback = ParamUtil.getString(request, "callback");
070
071 String json = null;
072
073 try {
074 checkAuthToken(request);
075
076 json = getJSON(actionMapping, actionForm, request, response);
077
078 if (Validator.isNotNull(callback)) {
079 StringBundler sb = new StringBundler(5);
080
081 sb.append("");
082 sb.append(callback);
083 sb.append(StringPool.OPEN_PARENTHESIS);
084 sb.append(json);
085 sb.append(StringPool.CLOSE_PARENTHESIS);
086
087 json = sb.toString();
088 }
089 }
090 catch (SecurityException se) {
091 if (_log.isWarnEnabled()) {
092 _log.warn(se.getMessage());
093 }
094
095 json = JSONFactoryUtil.serializeThrowable(se);
096 }
097 catch (Exception e) {
098 _log.error(e, e);
099
100 PortalUtil.sendError(
101 HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
102 response);
103
104 return null;
105 }
106
107 boolean refresh = ParamUtil.getBoolean(request, "refresh");
108
109 if (refresh) {
110 return actionMapping.findForward(ActionConstants.COMMON_REFERER);
111 }
112 else if (Validator.isNotNull(json)) {
113 response.setCharacterEncoding(StringPool.UTF8);
114 response.setContentType(ContentTypes.APPLICATION_JSON);
115 response.setHeader(
116 HttpHeaders.CACHE_CONTROL,
117 HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
118
119 try (OutputStream outputStream = response.getOutputStream()) {
120 byte[] bytes = json.getBytes(StringPool.UTF8);
121
122 outputStream.write(bytes);
123 }
124 }
125
126 return null;
127 }
128
129 public abstract String getJSON(
130 ActionMapping actionMapping, ActionForm actionForm,
131 HttpServletRequest request, HttpServletResponse response)
132 throws Exception;
133
134 public void setServletContext(ServletContext servletContext) {
135 _servletContext = servletContext;
136 }
137
138 protected void checkAuthToken(HttpServletRequest request)
139 throws PortalException {
140
141 String authType = GetterUtil.getString(request.getAuthType());
142
143
144
145 if (AccessControlUtil.getAccessControlContext() == null) {
146 if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
147 authType.equals(HttpServletRequest.DIGEST_AUTH)) {
148
149 return;
150 }
151 }
152 else {
153
154
155
156
157 if (!authType.equals(HttpServletRequest.FORM_AUTH)) {
158 return;
159 }
160 }
161
162 if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
163 if (!AccessControlUtil.isAccessAllowed(request, _hostsAllowed)) {
164 AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
165 }
166 }
167 }
168
169 protected String getCSRFOrigin(HttpServletRequest request) {
170 return ClassUtil.getClassName(this);
171 }
172
173 protected String getReroutePath() {
174 return null;
175 }
176
177 protected boolean rerouteExecute(
178 HttpServletRequest request, HttpServletResponse response)
179 throws Exception {
180
181 String reroutePath = getReroutePath();
182
183 if (Validator.isNull(reroutePath)) {
184 return false;
185 }
186
187 String requestServletContextName = ParamUtil.getString(
188 request, "servletContextName");
189
190 if (Validator.isNull(requestServletContextName)) {
191 return false;
192 }
193
194 ServletContext servletContext = _servletContext;
195
196 if (servletContext == null) {
197 servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
198 }
199
200 String servletContextName = GetterUtil.getString(
201 servletContext.getServletContextName());
202
203 if (servletContextName.equals(requestServletContextName)) {
204 return false;
205 }
206
207 ServletContext requestServletContext = ServletContextPool.get(
208 requestServletContextName);
209
210 if (requestServletContext == null) {
211 return false;
212 }
213
214 RequestDispatcher requestDispatcher =
215 requestServletContext.getRequestDispatcher(reroutePath);
216
217 if (requestDispatcher == null) {
218 return false;
219 }
220
221 requestDispatcher.forward(
222 new SharedSessionServletRequest(request, true), response);
223
224 return true;
225 }
226
227 private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
228
229 private final Set<String> _hostsAllowed = SetUtil.fromArray(
230 PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
231 private ServletContext _servletContext;
232
233 }