001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.ReflectionUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Layout;
import com.liferay.portal.model.LayoutTypePortlet;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.service.LayoutLocalServiceUtil;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import javax.portlet.PortletRequest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
042    
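/**
 * Session-backed {@link AuthToken} implementation. A token is generated once
 * per HTTP session, stored as a session attribute under
 * {@link WebKeys#AUTHENTICATION_TOKEN} suffixed with a per-purpose key, and
 * later compared with the value the client echoes back: the CSRF token in the
 * <code>p_auth</code> parameter (or the <code>X-CSRF-Token</code> header), the
 * portlet invocation token in the <code>p_p_auth</code> parameter.
 *
 * @author Amos Fong
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Appends the session's CSRF token as the <code>p_auth</code> parameter
	 * of an action URL. Nothing is added when the token check is disabled,
	 * when the URL is not in the action phase, or when the URL is CSRF
	 * whitelisted.
	 *
	 * @param request the current request, whose session holds the token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addCSRFToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String lifecycle = liferayPortletURL.getLifecycle();

		if (!lifecycle.equals(PortletRequest.ACTION_PHASE)) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLCSRFWhitelisted(
				liferayPortletURL)) {

			return;
		}

		// getToken(request) creates the session token on first use

		liferayPortletURL.setParameter("p_auth", getToken(request));
	}

	/**
	 * Appends a portlet invocation token as the <code>p_p_auth</code>
	 * parameter when the target portlet is not already placed on the target
	 * layout. Unknown portlets, portlets that may not be added as a default
	 * resource, and whitelisted URLs are left untouched.
	 *
	 * @param request the current request, whose session holds the token
	 * @param liferayPortletURL the URL to decorate; its plid and portlet ID
	 *        select the token
	 */
	@Override
	public void addPortletInvocationToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		String portletId = liferayPortletURL.getPortletId();

		Portlet portlet = PortletLocalServiceUtil.getPortletById(
			companyId, portletId);

		if (portlet == null) {
			return;
		}

		if (!portlet.isAddDefaultResource()) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLPortletInvocationWhitelisted(
				liferayPortletURL)) {

			return;
		}

		long plid = liferayPortletURL.getPlid();

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);

			LayoutTypePortlet layoutTypePortlet =
				(LayoutTypePortlet)layout.getLayoutType();

			// A portlet already on the page needs no invocation token

			if (layoutTypePortlet.hasPortletId(portletId)) {
				return;
			}
		}
		catch (Exception e) {

			// An unknown layout or a non-portlet layout type is treated like a
			// page without the portlet, so the token is still added below

			if (_log.isDebugEnabled()) {
				_log.debug(e.getMessage(), e);
			}
		}

		liferayPortletURL.setParameter(
			"p_p_auth", getToken(request, plid, portletId));
	}

	/**
	 * @deprecated As of 7.0.0, replaced by {@link
	 *             #checkCSRFToken(HttpServletRequest, String)} with the
	 *             portlet container origin
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Verifies that the request carries the CSRF token stored in its session.
	 * The check is skipped when it is disabled globally, when the request
	 * presents a valid shared secret in <code>p_auth_secret</code>, when the
	 * origin is whitelisted for the company, or, for requests dispatched by
	 * the portlet container, when the target portlet is whitelisted.
	 *
	 * <p>
	 * The submitted token is read from the <code>p_auth</code> parameter,
	 * falling back to the <code>X-CSRF-Token</code> header.
	 * </p>
	 *
	 * @param request the request to verify
	 * @param origin the name of the component performing the check, used for
	 *        origin whitelisting
	 * @throws PrincipalException if no token has been issued for the session
	 *         or the submitted token does not match it
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isOriginCSRFWhitelisted(companyId, origin)) {
			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					request, portlet)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Never create a token here: a session that has not yet been issued
		// one must fail the check

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		// Reject an absent or empty stored token explicitly so that an empty
		// submitted token can never match it, mirroring the check in
		// isValidPortletInvocationToken

		if (Validator.isNull(sessionToken) ||
			!_isEqual(csrfToken, sessionToken)) {

			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session's CSRF token, creating and storing it if the session
	 * does not have one yet.
	 *
	 * @param request the current request
	 * @return the CSRF token for the request's session
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's portlet invocation token for a portlet on a
	 * layout, creating and storing it if the session does not have one yet.
	 *
	 * @param request the current request
	 * @param plid the primary key of the layout
	 * @param portletId the ID of the portlet
	 * @return the invocation token for the layout and portlet pair
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns <code>true</code> if the portlet is whitelisted for invocation
	 * or the request carries the invocation token stored in its session for
	 * the layout and portlet pair. The token is read from the
	 * <code>p_p_auth</code> parameter of the request, falling back to the
	 * same parameter on the original servlet request.
	 *
	 * @param request the request to verify
	 * @param layout the layout the portlet is invoked on
	 * @param portlet the portlet being invoked
	 * @return <code>true</code> if the invocation is allowed
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				request, portlet)) {

			return true;
		}

		long plid = layout.getPlid();

		String portletId = portlet.getPortletId();

		String portletToken = ParamUtil.getString(request, "p_p_auth");

		if (Validator.isNull(portletToken)) {
			HttpServletRequest originalRequest =
				PortalUtil.getOriginalServletRequest(request);

			portletToken = ParamUtil.getString(originalRequest, "p_p_auth");
		}

		if (Validator.isNotNull(portletToken)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			// Never create a token while validating

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			if (Validator.isNotNull(sessionToken) &&
				_isEqual(sessionToken, portletToken)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * @deprecated As of 7.0.0, replaced by {@link
	 *             #isValidPortletInvocationToken(HttpServletRequest, Layout,
	 *             Portlet)}; <code>strutsAction</code> and
	 *             <code>tokenValue</code> are ignored
	 */
	@Deprecated
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);
			Portlet portlet = PortletLocalServiceUtil.getPortletById(portletId);

			return isValidPortletInvocationToken(request, layout, portlet);
		}
		catch (PortalException e) {

			// Rethrows the checked exception unchecked; the return below is
			// never reached

			ReflectionUtil.throwException(e);
		}

		return false;
	}

	/**
	 * Looks up the token stored in the request's session under
	 * {@link WebKeys#AUTHENTICATION_TOKEN} concatenated with <code>key</code>,
	 * optionally generating and storing a new one when none is present.
	 *
	 * <p>
	 * The request's wrapper chain is unwrapped one level at a time and each
	 * level's session is consulted in turn; the first non-empty token wins.
	 * </p>
	 *
	 * @param request the current request, possibly wrapped
	 * @param key the per-purpose suffix of the session attribute name
	 * @param createToken whether to generate and store a token when the
	 *        session has none
	 * @return the stored or newly created token, or <code>null</code> or
	 *         empty if none exists and <code>createToken</code> is
	 *         <code>false</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		// Each wrapper's getSession() is queried separately. NOTE(review):
		// getSession() without an argument creates a session when the request
		// has none, so a lookup with createToken == false may still start a
		// session.

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		// Only reached with session == null when the request was not wrapped
		// at all. NOTE(review): when the loop unwraps every wrapper without a
		// hit, the innermost request's own session is not consulted and the
		// last wrapper's session is the one used below; presumably the
		// wrappers delegate getSession(), confirm if a wrapper overrides it.

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares two tokens without short-circuiting on the first differing
	 * character, so response timing does not reveal how much of a submitted
	 * token matched the stored one. Either argument may be <code>null</code>;
	 * <code>null</code> equals only <code>null</code>.
	 *
	 * @param token the first token
	 * @param expectedToken the second token
	 * @return <code>true</code> if both tokens are equal
	 */
	private static boolean _isEqual(String token, String expectedToken) {
		if ((token == null) || (expectedToken == null)) {
			return token == expectedToken;
		}

		// MessageDigest.isEqual runs in time independent of the content once
		// the lengths match; a length mismatch returns false immediately

		return MessageDigest.isEqual(
			token.getBytes(StandardCharsets.UTF_8),
			expectedToken.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

	private static final Log _log = LogFactoryUtil.getLog(
		SessionAuthToken.class);

}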