001
014
015 package com.liferay.portal.security.auth.session;
016
017 import com.liferay.portal.events.EventsProcessorUtil;
018 import com.liferay.portal.kernel.cluster.ClusterExecutorUtil;
019 import com.liferay.portal.kernel.cluster.ClusterNode;
020 import com.liferay.portal.kernel.exception.PortalException;
021 import com.liferay.portal.kernel.json.JSONFactoryUtil;
022 import com.liferay.portal.kernel.json.JSONObject;
023 import com.liferay.portal.kernel.messaging.DestinationNames;
024 import com.liferay.portal.kernel.messaging.MessageBusUtil;
025 import com.liferay.portal.kernel.security.auth.AuthException;
026 import com.liferay.portal.kernel.security.auth.AuthenticatedUserUUIDStoreUtil;
027 import com.liferay.portal.kernel.security.auth.Authenticator;
028 import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManager;
029 import com.liferay.portal.kernel.security.pacl.DoPrivileged;
030 import com.liferay.portal.kernel.util.CookieKeys;
031 import com.liferay.portal.kernel.util.GetterUtil;
032 import com.liferay.portal.kernel.util.Http;
033 import com.liferay.portal.kernel.util.MapUtil;
034 import com.liferay.portal.kernel.util.PropsKeys;
035 import com.liferay.portal.kernel.util.StringPool;
036 import com.liferay.portal.kernel.util.StringUtil;
037 import com.liferay.portal.kernel.util.Validator;
038 import com.liferay.portal.kernel.util.WebKeys;
039 import com.liferay.portal.liveusers.LiveUsers;
040 import com.liferay.portal.model.Company;
041 import com.liferay.portal.model.CompanyConstants;
042 import com.liferay.portal.model.User;
043 import com.liferay.portal.model.UserTracker;
044 import com.liferay.portal.service.CompanyLocalServiceUtil;
045 import com.liferay.portal.service.UserLocalServiceUtil;
046 import com.liferay.portal.util.PortalUtil;
047 import com.liferay.portal.util.PropsValues;
048 import com.liferay.util.Encryptor;
049
050 import java.util.ArrayList;
051 import java.util.Enumeration;
052 import java.util.HashMap;
053 import java.util.List;
054 import java.util.Map;
055
056 import javax.servlet.http.Cookie;
057 import javax.servlet.http.HttpServletRequest;
058 import javax.servlet.http.HttpServletResponse;
059 import javax.servlet.http.HttpSession;
060
061
064 @DoPrivileged
065 public class AuthenticatedSessionManagerImpl
066 implements AuthenticatedSessionManager {
067
068 @Override
069 public long getAuthenticatedUserId(
070 HttpServletRequest request, String login, String password,
071 String authType)
072 throws PortalException {
073
074 long userId = GetterUtil.getLong(login);
075
076 Company company = PortalUtil.getCompany(request);
077
078 String requestURI = request.getRequestURI();
079
080 String contextPath = PortalUtil.getPathContext();
081
082 if (requestURI.startsWith(contextPath.concat("/api/liferay"))) {
083 throw new AuthException();
084 }
085 else {
086 Map<String, String[]> headerMap = new HashMap<>();
087
088 Enumeration<String> enu1 = request.getHeaderNames();
089
090 while (enu1.hasMoreElements()) {
091 String name = enu1.nextElement();
092
093 Enumeration<String> enu2 = request.getHeaders(name);
094
095 List<String> headers = new ArrayList<>();
096
097 while (enu2.hasMoreElements()) {
098 String value = enu2.nextElement();
099
100 headers.add(value);
101 }
102
103 headerMap.put(
104 name, headers.toArray(new String[headers.size()]));
105 }
106
107 Map<String, String[]> parameterMap = request.getParameterMap();
108 Map<String, Object> resultsMap = new HashMap<>();
109
110 if (Validator.isNull(authType)) {
111 authType = company.getAuthType();
112 }
113
114 int authResult = Authenticator.FAILURE;
115
116 if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
117 authResult = UserLocalServiceUtil.authenticateByEmailAddress(
118 company.getCompanyId(), login, password, headerMap,
119 parameterMap, resultsMap);
120
121 userId = MapUtil.getLong(resultsMap, "userId", userId);
122 }
123 else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
124 authResult = UserLocalServiceUtil.authenticateByScreenName(
125 company.getCompanyId(), login, password, headerMap,
126 parameterMap, resultsMap);
127
128 userId = MapUtil.getLong(resultsMap, "userId", userId);
129 }
130 else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
131 authResult = UserLocalServiceUtil.authenticateByUserId(
132 company.getCompanyId(), userId, password, headerMap,
133 parameterMap, resultsMap);
134 }
135
136 if (authResult != Authenticator.SUCCESS) {
137 User user = UserLocalServiceUtil.fetchUser(userId);
138
139 if (user != null) {
140 UserLocalServiceUtil.checkLockout(user);
141 }
142
143 throw new AuthException();
144 }
145 }
146
147 return userId;
148 }
149
150 @Override
151 public void login(
152 HttpServletRequest request, HttpServletResponse response,
153 String login, String password, boolean rememberMe, String authType)
154 throws Exception {
155
156 CookieKeys.validateSupportCookie(request);
157
158 HttpSession session = request.getSession();
159
160 Company company = PortalUtil.getCompany(request);
161
162 long userId = getAuthenticatedUserId(
163 request, login, password, authType);
164
165 if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
166 signOutSimultaneousLogins(userId);
167 }
168
169 if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
170 session = renewSession(request, session);
171 }
172
173
174
175 String domain = CookieKeys.getDomain(request);
176
177 User user = UserLocalServiceUtil.getUserById(userId);
178
179 String userIdString = String.valueOf(userId);
180
181 session.setAttribute("j_username", userIdString);
182
183 if (PropsValues.PORTAL_JAAS_PLAIN_PASSWORD) {
184 session.setAttribute("j_password", password);
185 }
186 else {
187 session.setAttribute("j_password", user.getPassword());
188 }
189
190 session.setAttribute("j_remoteuser", userIdString);
191
192 if (PropsValues.SESSION_STORE_PASSWORD) {
193 session.setAttribute(WebKeys.USER_PASSWORD, password);
194 }
195
196 Cookie companyIdCookie = new Cookie(
197 CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
198
199 if (Validator.isNotNull(domain)) {
200 companyIdCookie.setDomain(domain);
201 }
202
203 companyIdCookie.setPath(StringPool.SLASH);
204
205 Cookie idCookie = new Cookie(
206 CookieKeys.ID,
207 Encryptor.encrypt(company.getKeyObj(), userIdString));
208
209 if (Validator.isNotNull(domain)) {
210 idCookie.setDomain(domain);
211 }
212
213 idCookie.setPath(StringPool.SLASH);
214
215 Cookie passwordCookie = new Cookie(
216 CookieKeys.PASSWORD,
217 Encryptor.encrypt(company.getKeyObj(), password));
218
219 if (Validator.isNotNull(domain)) {
220 passwordCookie.setDomain(domain);
221 }
222
223 passwordCookie.setPath(StringPool.SLASH);
224
225 Cookie rememberMeCookie = new Cookie(
226 CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
227
228 if (Validator.isNotNull(domain)) {
229 rememberMeCookie.setDomain(domain);
230 }
231
232 rememberMeCookie.setPath(StringPool.SLASH);
233
234 int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
235
236 String userUUID = userIdString.concat(StringPool.PERIOD).concat(
237 String.valueOf(System.nanoTime()));
238
239 Cookie userUUIDCookie = new Cookie(
240 CookieKeys.USER_UUID,
241 Encryptor.encrypt(company.getKeyObj(), userUUID));
242
243 userUUIDCookie.setPath(StringPool.SLASH);
244
245 session.setAttribute(WebKeys.USER_UUID, userUUID);
246
247 if (PropsValues.SESSION_DISABLED) {
248 rememberMe = true;
249 }
250
251 if (rememberMe) {
252 companyIdCookie.setMaxAge(loginMaxAge);
253 idCookie.setMaxAge(loginMaxAge);
254 passwordCookie.setMaxAge(loginMaxAge);
255 rememberMeCookie.setMaxAge(loginMaxAge);
256 userUUIDCookie.setMaxAge(loginMaxAge);
257 }
258 else {
259
260
261
262
263
264
265
266 companyIdCookie.setMaxAge(-1);
267 idCookie.setMaxAge(-1);
268 passwordCookie.setMaxAge(-1);
269 rememberMeCookie.setMaxAge(0);
270 userUUIDCookie.setMaxAge(-1);
271 }
272
273 Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
274
275 if (Validator.isNotNull(domain)) {
276 loginCookie.setDomain(domain);
277 }
278
279 loginCookie.setMaxAge(loginMaxAge);
280 loginCookie.setPath(StringPool.SLASH);
281
282 Cookie screenNameCookie = new Cookie(
283 CookieKeys.SCREEN_NAME,
284 Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
285
286 if (Validator.isNotNull(domain)) {
287 screenNameCookie.setDomain(domain);
288 }
289
290 screenNameCookie.setMaxAge(loginMaxAge);
291 screenNameCookie.setPath(StringPool.SLASH);
292
293 boolean secure = request.isSecure();
294
295 if (secure && !PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS &&
296 !StringUtil.equalsIgnoreCase(
297 Http.HTTPS, PropsValues.WEB_SERVER_PROTOCOL)) {
298
299 Boolean httpsInitial = (Boolean)session.getAttribute(
300 WebKeys.HTTPS_INITIAL);
301
302 if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
303 secure = false;
304 }
305 }
306
307 CookieKeys.addCookie(request, response, companyIdCookie, secure);
308 CookieKeys.addCookie(request, response, idCookie, secure);
309 CookieKeys.addCookie(request, response, userUUIDCookie, secure);
310
311 if (rememberMe) {
312 CookieKeys.addCookie(request, response, loginCookie, secure);
313 CookieKeys.addCookie(request, response, passwordCookie, secure);
314 CookieKeys.addCookie(request, response, rememberMeCookie, secure);
315 CookieKeys.addCookie(request, response, screenNameCookie, secure);
316 }
317
318 AuthenticatedUserUUIDStoreUtil.register(userUUID);
319 }
320
321 @Override
322 public void logout(HttpServletRequest request, HttpServletResponse response)
323 throws Exception {
324
325 HttpSession session = request.getSession();
326
327 EventsProcessorUtil.process(
328 PropsKeys.LOGOUT_EVENTS_PRE, PropsValues.LOGOUT_EVENTS_PRE, request,
329 response);
330
331 String domain = CookieKeys.getDomain(request);
332
333 deleteCookie(request, response, CookieKeys.COMPANY_ID, domain);
334 deleteCookie(request, response, CookieKeys.GUEST_LANGUAGE_ID, domain);
335 deleteCookie(request, response, CookieKeys.ID, domain);
336 deleteCookie(request, response, CookieKeys.PASSWORD, domain);
337
338 boolean rememberMe = GetterUtil.getBoolean(
339 CookieKeys.getCookie(request, CookieKeys.REMEMBER_ME));
340
341 if (!rememberMe) {
342 deleteCookie(request, response, CookieKeys.LOGIN, domain);
343 }
344
345 deleteCookie(request, response, CookieKeys.REMEMBER_ME, domain);
346
347 try {
348 session.invalidate();
349 }
350 catch (Exception e) {
351 }
352
353 EventsProcessorUtil.process(
354 PropsKeys.LOGOUT_EVENTS_POST, PropsValues.LOGOUT_EVENTS_POST,
355 request, response);
356 }
357
358 @Override
359 public HttpSession renewSession(
360 HttpServletRequest request, HttpSession session)
361 throws Exception {
362
363
364
365 String[] protectedAttributeNames =
366 PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
367
368 Map<String, Object> protectedAttributes = new HashMap<>();
369
370 for (String protectedAttributeName : protectedAttributeNames) {
371 Object protectedAttributeValue = session.getAttribute(
372 protectedAttributeName);
373
374 if (protectedAttributeValue == null) {
375 continue;
376 }
377
378 protectedAttributes.put(
379 protectedAttributeName, protectedAttributeValue);
380 }
381
382 session.invalidate();
383
384 session = request.getSession(true);
385
386 for (String protectedAttributeName : protectedAttributeNames) {
387 Object protectedAttributeValue = protectedAttributes.get(
388 protectedAttributeName);
389
390 if (protectedAttributeValue == null) {
391 continue;
392 }
393
394 session.setAttribute(
395 protectedAttributeName, protectedAttributeValue);
396 }
397
398 return session;
399 }
400
401 @Override
402 public void signOutSimultaneousLogins(long userId) throws Exception {
403 long companyId = CompanyLocalServiceUtil.getCompanyIdByUserId(userId);
404
405 Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(
406 companyId);
407
408 List<UserTracker> userTrackers = new ArrayList<>(sessionUsers.values());
409
410 for (UserTracker userTracker : userTrackers) {
411 if (userId != userTracker.getUserId()) {
412 continue;
413 }
414
415 JSONObject jsonObject = JSONFactoryUtil.createJSONObject();
416
417 ClusterNode clusterNode = ClusterExecutorUtil.getLocalClusterNode();
418
419 if (clusterNode != null) {
420 jsonObject.put("clusterNodeId", clusterNode.getClusterNodeId());
421 }
422
423 jsonObject.put("command", "signOut");
424 jsonObject.put("companyId", companyId);
425 jsonObject.put("sessionId", userTracker.getSessionId());
426 jsonObject.put("userId", userId);
427
428 MessageBusUtil.sendMessage(
429 DestinationNames.LIVE_USERS, jsonObject.toString());
430 }
431 }
432
433 protected void deleteCookie(
434 HttpServletRequest request, HttpServletResponse response,
435 String cookieName, String domain) {
436
437 Cookie cookie = new Cookie(cookieName, StringPool.BLANK);
438
439 if (Validator.isNotNull(domain)) {
440 cookie.setDomain(domain);
441 }
442
443 cookie.setMaxAge(0);
444 cookie.setPath(StringPool.SLASH);
445
446 CookieKeys.addCookie(request, response, cookie);
447 }
448
449 }