001
014
015 package com.liferay.portal.servlet.filters.autologin;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
020 import com.liferay.portal.kernel.security.auto.login.AutoLogin;
021 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
022 import com.liferay.portal.kernel.util.GetterUtil;
023 import com.liferay.portal.kernel.util.StackTraceUtil;
024 import com.liferay.portal.kernel.util.StringBundler;
025 import com.liferay.portal.kernel.util.StringPool;
026 import com.liferay.portal.kernel.util.StringUtil;
027 import com.liferay.portal.kernel.util.Validator;
028 import com.liferay.portal.kernel.util.WebKeys;
029 import com.liferay.portal.model.User;
030 import com.liferay.portal.security.pwd.PasswordEncryptorUtil;
031 import com.liferay.portal.service.UserLocalServiceUtil;
032 import com.liferay.portal.servlet.filters.BasePortalFilter;
033 import com.liferay.portal.util.Portal;
034 import com.liferay.portal.util.PortalInstances;
035 import com.liferay.portal.util.PortalUtil;
036 import com.liferay.portal.util.PropsValues;
037 import com.liferay.registry.Registry;
038 import com.liferay.registry.RegistryUtil;
039 import com.liferay.registry.ServiceReference;
040 import com.liferay.registry.ServiceTracker;
041 import com.liferay.registry.ServiceTrackerCustomizer;
042
043 import java.util.List;
044 import java.util.concurrent.CopyOnWriteArrayList;
045
046 import javax.servlet.FilterChain;
047 import javax.servlet.http.HttpServletRequest;
048 import javax.servlet.http.HttpServletResponse;
049 import javax.servlet.http.HttpSession;
050
051
056 public class AutoLoginFilter extends BasePortalFilter {
057
058 public AutoLoginFilter() {
059 Registry registry = RegistryUtil.getRegistry();
060
061 _serviceTracker = registry.trackServices(
062 AutoLogin.class, new AutoLoginServiceTrackerCustomizer());
063
064 _serviceTracker.open();
065 }
066
067 protected String getLoginRemoteUser(
068 HttpServletRequest request, HttpServletResponse response,
069 HttpSession session, String[] credentials)
070 throws Exception {
071
072 if ((credentials == null) || (credentials.length != 3)) {
073 return null;
074 }
075
076 String jUsername = credentials[0];
077 String jPassword = credentials[1];
078 boolean encPassword = GetterUtil.getBoolean(credentials[2]);
079
080 if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
081 return null;
082 }
083
084 long userId = GetterUtil.getLong(jUsername);
085
086 if (userId <= 0) {
087 return null;
088 }
089
090 User user = UserLocalServiceUtil.fetchUserById(userId);
091
092 if ((user == null) || user.isLockout()) {
093 return null;
094 }
095
096 if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
097 AuthenticatedSessionManagerUtil.signOutSimultaneousLogins(userId);
098 }
099
100 if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
101 session = AuthenticatedSessionManagerUtil.renewSession(
102 request, session);
103 }
104
105 session.setAttribute("j_username", jUsername);
106
107
108
109
110 if (encPassword) {
111 session.setAttribute("j_password", jPassword);
112 }
113 else {
114 session.setAttribute(
115 "j_password",
116 PasswordEncryptorUtil.encrypt(jPassword, user.getPassword()));
117
118 if (PropsValues.SESSION_STORE_PASSWORD) {
119 session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
120 }
121 }
122
123 session.setAttribute("j_remoteuser", jUsername);
124
125 if (PropsValues.PORTAL_JAAS_ENABLE) {
126 String redirect = PortalUtil.getPathMain().concat(
127 "/portal/protected");
128
129 if (PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
130 String autoLoginRedirect = (String)request.getAttribute(
131 AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
132
133 redirect = redirect.concat("?redirect=");
134
135 if (Validator.isNotNull(autoLoginRedirect)) {
136 redirect = redirect.concat(autoLoginRedirect);
137 }
138 else {
139 redirect = redirect.concat(
140 PortalUtil.getCurrentCompleteURL(request));
141 }
142 }
143
144 response.sendRedirect(redirect);
145 }
146
147 return jUsername;
148 }
149
150 @Override
151 protected void processFilter(
152 HttpServletRequest request, HttpServletResponse response,
153 FilterChain filterChain)
154 throws Exception {
155
156 HttpSession session = request.getSession();
157
158 String host = PortalUtil.getHost(request);
159
160 if (PortalInstances.isAutoLoginIgnoreHost(host)) {
161 if (_log.isDebugEnabled()) {
162 _log.debug("Ignore host " + host);
163 }
164
165 processFilter(
166 AutoLoginFilter.class.getName(), request, response,
167 filterChain);
168
169 return;
170 }
171
172 String contextPath = PortalUtil.getPathContext();
173
174 String path = StringUtil.toLowerCase(request.getRequestURI());
175
176 if (!contextPath.equals(StringPool.SLASH) &&
177 path.contains(contextPath)) {
178
179 path = path.substring(contextPath.length());
180 }
181
182 if (PortalInstances.isAutoLoginIgnorePath(path)) {
183 if (_log.isDebugEnabled()) {
184 _log.debug("Ignore path " + path);
185 }
186
187 processFilter(
188 AutoLoginFilter.class.getName(), request, response,
189 filterChain);
190
191 return;
192 }
193
194 String remoteUser = request.getRemoteUser();
195 String jUserName = (String)session.getAttribute("j_username");
196
197
198
199
200
201
202
203 if (!PropsValues.AUTH_LOGIN_DISABLED &&
204 (remoteUser == null) && (jUserName == null)) {
205
206 for (AutoLogin autoLogin : _autoLogins) {
207 try {
208 String[] credentials = autoLogin.login(request, response);
209
210 String redirect = (String)request.getAttribute(
211 AutoLogin.AUTO_LOGIN_REDIRECT);
212
213 if (Validator.isNotNull(redirect)) {
214 response.sendRedirect(redirect);
215
216 return;
217 }
218
219 String loginRemoteUser = getLoginRemoteUser(
220 request, response, session, credentials);
221
222 if (loginRemoteUser != null) {
223 request = new ProtectedServletRequest(
224 request, loginRemoteUser);
225
226 if (PropsValues.PORTAL_JAAS_ENABLE) {
227 return;
228 }
229
230 if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
231 redirect = Portal.PATH_MAIN;
232 }
233 else {
234 redirect = (String)request.getAttribute(
235 AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
236 }
237
238 if (Validator.isNotNull(redirect)) {
239 response.sendRedirect(redirect);
240
241 return;
242 }
243 }
244 }
245 catch (Exception e) {
246 StringBundler sb = new StringBundler(6);
247
248 sb.append("Current URL ");
249
250 String currentURL = PortalUtil.getCurrentURL(request);
251
252 sb.append(currentURL);
253
254 sb.append(" generates exception: ");
255 sb.append(e.getMessage());
256
257 if (_log.isInfoEnabled()) {
258 sb.append(" stack: ");
259 sb.append(StackTraceUtil.getStackTrace(e));
260 }
261
262 if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
263 if (_log.isWarnEnabled()) {
264 _log.warn(sb.toString());
265 }
266 }
267 else {
268 _log.error(sb.toString());
269 }
270 }
271 }
272 }
273
274 processFilter(
275 AutoLoginFilter.class.getName(), request, response, filterChain);
276 }
277
278 private static final String _PATH_CHAT_LATEST = "/-/chat/latest";
279
280 private static final Log _log = LogFactoryUtil.getLog(
281 AutoLoginFilter.class);
282
283 private static final List<AutoLogin> _autoLogins =
284 new CopyOnWriteArrayList<>();
285
286 private final ServiceTracker<?, AutoLogin> _serviceTracker;
287
288 private class AutoLoginServiceTrackerCustomizer
289 implements ServiceTrackerCustomizer<AutoLogin, AutoLogin> {
290
291 @Override
292 public AutoLogin addingService(
293 ServiceReference<AutoLogin> serviceReference) {
294
295 Registry registry = RegistryUtil.getRegistry();
296
297 AutoLogin autoLogin = registry.getService(serviceReference);
298
299 if (autoLogin == null) {
300 return null;
301 }
302
303 _autoLogins.add(autoLogin);
304
305 return autoLogin;
306 }
307
308 @Override
309 public void modifiedService(
310 ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
311 }
312
313 @Override
314 public void removedService(
315 ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
316
317 Registry registry = RegistryUtil.getRegistry();
318
319 registry.ungetService(serviceReference);
320
321 _autoLogins.remove(autoLogin);
322 }
323
324 }
325
326 }