015 package com.liferay.portal.security.access.control;
016
017 import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
018 import com.liferay.portal.kernel.security.access.control.AccessControlled;
019 import com.liferay.portal.kernel.security.access.control.BaseAccessControlPolicy;
020 import com.liferay.portal.kernel.util.MapUtil;
021 import com.liferay.portal.kernel.util.SetUtil;
022 import com.liferay.portal.kernel.util.StringUtil;
023 import com.liferay.portal.security.auth.AccessControlContext;
024
025 import java.lang.reflect.Method;
026
027 import java.util.Map;
028 import java.util.Set;
029
030 import javax.servlet.http.HttpServletRequest;
031
032
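/**
 * Access control policy that restricts remote service access by host: a call
 * is rejected with a {@link SecurityException} when
 * {@link AccessControlUtil#isAccessAllowed} does not accept the current
 * request against the hosts listed in the {@code hosts.allowed} setting of
 * the active {@link AccessControlContext}.
 *
 * <p>
 * The policy lets the call through without a host check in three cases: the
 * target does not enable host validation, no access control context is
 * available, or the recorded service depth is greater than one. Each of these
 * is a fail-open path, so the host restriction only holds for calls that
 * reach the final check.
 * </p>
 */
public class AllowedHostsAccessControlPolicy extends BaseAccessControlPolicy {

	/**
	 * Validates the originating host of a remote service invocation.
	 *
	 * @param  method the service method being invoked (not read here)
	 * @param  arguments the invocation arguments (not read here)
	 * @param  accessControlled the annotation carrying the access control
	 *         options of the invoked service
	 * @throws SecurityException if the request is not accepted for the
	 *         configured allowed hosts
	 */
	@Override
	public void onServiceRemoteAccess(
			Method method, Object[] arguments,
			AccessControlled accessControlled)
		throws SecurityException {

		// Opt-in check: services that do not enable host validation are
		// never restricted by this policy.

		if (!accessControlled.hostAllowedValidationEnabled()) {
			return;
		}

		AccessControlContext accessControlContext =
			AccessControlUtil.getAccessControlContext();

		// Without a context there is no request and no settings to validate
		// against, so the call is allowed.
		// NOTE(review): presumably this is the in-process (non-remote) case;
		// confirm a remote call can never arrive here without a context.

		if (accessControlContext == null) {
			return;
		}

		Map<String, Object> settings = accessControlContext.getSettings();

		// The depth is read defensively. The original unboxed the map value
		// straight into an int, which throws NullPointerException when the
		// setting is absent. A missing or non-Integer depth is now treated as
		// "not nested", so the host check below still runs instead of the
		// policy failing with an unrelated runtime exception.

		Object serviceDepth = settings.get(
			AccessControlContext.Settings.SERVICE_DEPTH.toString());

		// NOTE(review): a depth above one looks like a service calling
		// another service within one request, validated at the outermost
		// call; confirm against the code that maintains SERVICE_DEPTH.

		if ((serviceDepth instanceof Integer) &&
			(((Integer)serviceDepth).intValue() > 1)) {

			return;
		}

		HttpServletRequest request = accessControlContext.getRequest();

		Set<String> hostsAllowedSet = SetUtil.fromArray(
			StringUtil.split(MapUtil.getString(settings, "hosts.allowed")));

		// NOTE(review): two things are decided inside isAccessAllowed and are
		// not visible here: how an empty or missing "hosts.allowed" value is
		// treated (allow-all versus deny-all), and which request attribute is
		// compared with the set. Behind a reverse proxy, confirm the compared
		// address is the real client and not the proxy or a client-supplied
		// header.

		if (!AccessControlUtil.isAccessAllowed(request, hostsAllowedSet)) {
			throw new SecurityException(
				"Access denied for " + request.getRemoteAddr());
		}
	}

}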