001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.servlet.filters.autologin;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
020    import com.liferay.portal.kernel.security.auto.login.AutoLogin;
021    import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
022    import com.liferay.portal.kernel.util.GetterUtil;
023    import com.liferay.portal.kernel.util.StackTraceUtil;
024    import com.liferay.portal.kernel.util.StringBundler;
025    import com.liferay.portal.kernel.util.StringPool;
026    import com.liferay.portal.kernel.util.StringUtil;
027    import com.liferay.portal.kernel.util.Validator;
028    import com.liferay.portal.kernel.util.WebKeys;
029    import com.liferay.portal.model.User;
030    import com.liferay.portal.security.pwd.PasswordEncryptorUtil;
031    import com.liferay.portal.service.UserLocalServiceUtil;
032    import com.liferay.portal.servlet.filters.BasePortalFilter;
033    import com.liferay.portal.util.Portal;
034    import com.liferay.portal.util.PortalInstances;
035    import com.liferay.portal.util.PortalUtil;
036    import com.liferay.portal.util.PropsValues;
037    import com.liferay.registry.Registry;
038    import com.liferay.registry.RegistryUtil;
039    import com.liferay.registry.ServiceReference;
040    import com.liferay.registry.ServiceTracker;
041    import com.liferay.registry.ServiceTrackerCustomizer;
042    
043    import java.util.List;
044    import java.util.concurrent.CopyOnWriteArrayList;
045    
046    import javax.servlet.FilterChain;
047    import javax.servlet.http.HttpServletRequest;
048    import javax.servlet.http.HttpServletResponse;
049    import javax.servlet.http.HttpSession;
050    
051    /**
052     * @author Brian Wing Shun Chan
053     * @author Peter Fellwock
054     * @author Raymond Aug??
055     */
056    public class AutoLoginFilter extends BasePortalFilter {
057    
058            public AutoLoginFilter() {
059                    Registry registry = RegistryUtil.getRegistry();
060    
061                    _serviceTracker = registry.trackServices(
062                            AutoLogin.class, new AutoLoginServiceTrackerCustomizer());
063    
064                    _serviceTracker.open();
065            }
066    
067            protected String getLoginRemoteUser(
068                            HttpServletRequest request, HttpServletResponse response,
069                            HttpSession session, String[] credentials)
070                    throws Exception {
071    
072                    if ((credentials == null) || (credentials.length != 3)) {
073                            return null;
074                    }
075    
076                    String jUsername = credentials[0];
077                    String jPassword = credentials[1];
078                    boolean encPassword = GetterUtil.getBoolean(credentials[2]);
079    
080                    if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
081                            return null;
082                    }
083    
084                    long userId = GetterUtil.getLong(jUsername);
085    
086                    if (userId <= 0) {
087                            return null;
088                    }
089    
090                    User user = UserLocalServiceUtil.fetchUserById(userId);
091    
092                    if ((user == null) || user.isLockout()) {
093                            return null;
094                    }
095    
096                    if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
097                            AuthenticatedSessionManagerUtil.signOutSimultaneousLogins(userId);
098                    }
099    
100                    if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
101                            session = AuthenticatedSessionManagerUtil.renewSession(
102                                    request, session);
103                    }
104    
105                    session.setAttribute("j_username", jUsername);
106    
107                    // Not having access to the unencrypted password will not allow you to
108                    // connect to external resources that require it (mail server)
109    
110                    if (encPassword) {
111                            session.setAttribute("j_password", jPassword);
112                    }
113                    else {
114                            session.setAttribute(
115                                    "j_password",
116                                    PasswordEncryptorUtil.encrypt(jPassword, user.getPassword()));
117    
118                            if (PropsValues.SESSION_STORE_PASSWORD) {
119                                    session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
120                            }
121                    }
122    
123                    session.setAttribute("j_remoteuser", jUsername);
124    
125                    if (PropsValues.PORTAL_JAAS_ENABLE) {
126                            String redirect = PortalUtil.getPathMain().concat(
127                                    "/portal/protected");
128    
129                            if (PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
130                                    String autoLoginRedirect = (String)request.getAttribute(
131                                            AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
132    
133                                    redirect = redirect.concat("?redirect=");
134    
135                                    if (Validator.isNotNull(autoLoginRedirect)) {
136                                            redirect = redirect.concat(autoLoginRedirect);
137                                    }
138                                    else {
139                                            redirect = redirect.concat(
140                                                    PortalUtil.getCurrentCompleteURL(request));
141                                    }
142                            }
143    
144                            response.sendRedirect(redirect);
145                    }
146    
147                    return jUsername;
148            }
149    
150            @Override
151            protected void processFilter(
152                            HttpServletRequest request, HttpServletResponse response,
153                            FilterChain filterChain)
154                    throws Exception {
155    
156                    HttpSession session = request.getSession();
157    
158                    String host = PortalUtil.getHost(request);
159    
160                    if (PortalInstances.isAutoLoginIgnoreHost(host)) {
161                            if (_log.isDebugEnabled()) {
162                                    _log.debug("Ignore host " + host);
163                            }
164    
165                            processFilter(
166                                    AutoLoginFilter.class.getName(), request, response,
167                                    filterChain);
168    
169                            return;
170                    }
171    
172                    String contextPath = PortalUtil.getPathContext();
173    
174                    String path = StringUtil.toLowerCase(request.getRequestURI());
175    
176                    if (!contextPath.equals(StringPool.SLASH) &&
177                            path.contains(contextPath)) {
178    
179                            path = path.substring(contextPath.length());
180                    }
181    
182                    if (PortalInstances.isAutoLoginIgnorePath(path)) {
183                            if (_log.isDebugEnabled()) {
184                                    _log.debug("Ignore path " + path);
185                            }
186    
187                            processFilter(
188                                    AutoLoginFilter.class.getName(), request, response,
189                                    filterChain);
190    
191                            return;
192                    }
193    
194                    String remoteUser = request.getRemoteUser();
195                    String jUserName = (String)session.getAttribute("j_username");
196    
197                    // PLACEHOLDER 01
198                    // PLACEHOLDER 02
199                    // PLACEHOLDER 03
200                    // PLACEHOLDER 04
201                    // PLACEHOLDER 05
202    
203                    if (!PropsValues.AUTH_LOGIN_DISABLED &&
204                            (remoteUser == null) && (jUserName == null)) {
205    
206                            for (AutoLogin autoLogin : _autoLogins) {
207                                    try {
208                                            String[] credentials = autoLogin.login(request, response);
209    
210                                            String redirect = (String)request.getAttribute(
211                                                    AutoLogin.AUTO_LOGIN_REDIRECT);
212    
213                                            if (Validator.isNotNull(redirect)) {
214                                                    response.sendRedirect(redirect);
215    
216                                                    return;
217                                            }
218    
219                                            String loginRemoteUser = getLoginRemoteUser(
220                                                    request, response, session, credentials);
221    
222                                            if (loginRemoteUser != null) {
223                                                    request = new ProtectedServletRequest(
224                                                            request, loginRemoteUser);
225    
226                                                    if (PropsValues.PORTAL_JAAS_ENABLE) {
227                                                            return;
228                                                    }
229    
230                                                    if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
231                                                            redirect = Portal.PATH_MAIN;
232                                                    }
233                                                    else {
234                                                            redirect = (String)request.getAttribute(
235                                                                    AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
236                                                    }
237    
238                                                    if (Validator.isNotNull(redirect)) {
239                                                            response.sendRedirect(redirect);
240    
241                                                            return;
242                                                    }
243                                            }
244                                    }
245                                    catch (Exception e) {
246                                            StringBundler sb = new StringBundler(6);
247    
248                                            sb.append("Current URL ");
249    
250                                            String currentURL = PortalUtil.getCurrentURL(request);
251    
252                                            sb.append(currentURL);
253    
254                                            sb.append(" generates exception: ");
255                                            sb.append(e.getMessage());
256    
257                                            if (_log.isInfoEnabled()) {
258                                                    sb.append(" stack: ");
259                                                    sb.append(StackTraceUtil.getStackTrace(e));
260                                            }
261    
262                                            if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
263                                                    if (_log.isWarnEnabled()) {
264                                                            _log.warn(sb.toString());
265                                                    }
266                                            }
267                                            else {
268                                                    _log.error(sb.toString());
269                                            }
270                                    }
271                            }
272                    }
273    
274                    processFilter(
275                            AutoLoginFilter.class.getName(), request, response, filterChain);
276            }
277    
278            private static final String _PATH_CHAT_LATEST = "/-/chat/latest";
279    
280            private static final Log _log = LogFactoryUtil.getLog(
281                    AutoLoginFilter.class);
282    
283            private static final List<AutoLogin> _autoLogins =
284                    new CopyOnWriteArrayList<>();
285    
286            private final ServiceTracker<?, AutoLogin> _serviceTracker;
287    
288            private class AutoLoginServiceTrackerCustomizer
289                    implements ServiceTrackerCustomizer<AutoLogin, AutoLogin> {
290    
291                    @Override
292                    public AutoLogin addingService(
293                            ServiceReference<AutoLogin> serviceReference) {
294    
295                            Registry registry = RegistryUtil.getRegistry();
296    
297                            AutoLogin autoLogin = registry.getService(serviceReference);
298    
299                            if (autoLogin == null) {
300                                    return null;
301                            }
302    
303                            _autoLogins.add(autoLogin);
304    
305                            return autoLogin;
306                    }
307    
308                    @Override
309                    public void modifiedService(
310                            ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
311                    }
312    
313                    @Override
314                    public void removedService(
315                            ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
316    
317                            Registry registry = RegistryUtil.getRegistry();
318    
319                            registry.ungetService(serviceReference);
320    
321                            _autoLogins.remove(autoLogin);
322                    }
323    
324            }
325    
326    }