015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.concurrent.ConcurrentHashSet;
018 import com.liferay.portal.kernel.log.Log;
019 import com.liferay.portal.kernel.log.LogFactoryUtil;
020 import com.liferay.portal.kernel.portlet.LiferayPortletURL;
021 import com.liferay.portal.kernel.security.auth.BaseAuthTokenWhitelist;
022 import com.liferay.portal.kernel.security.pacl.DoPrivileged;
023 import com.liferay.portal.kernel.util.CharPool;
024 import com.liferay.portal.kernel.util.ParamUtil;
025 import com.liferay.portal.kernel.util.PropsKeys;
026 import com.liferay.portal.kernel.util.Validator;
027 import com.liferay.portal.model.Layout;
028 import com.liferay.portal.model.Portlet;
029 import com.liferay.portal.model.PortletConstants;
030 import com.liferay.portal.service.LayoutLocalServiceUtil;
031 import com.liferay.portal.service.PortletLocalServiceUtil;
032 import com.liferay.portal.util.PortalUtil;
033
034 import java.util.Set;
035
036 import javax.servlet.http.HttpServletRequest;
037
038
@DoPrivileged
public class StrutsPortletAuthTokenWhitelist extends BaseAuthTokenWhitelist {

	/**
	 * Wires the two Struts action whitelists into the tracking and portal
	 * property registration inherited from {@link BaseAuthTokenWhitelist}.
	 *
	 * <p>{@code _portletCSRFWhitelist} is fed from
	 * {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS} and
	 * {@code _portletInvocationWhitelist} from
	 * {@link PropsKeys#PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS}.
	 * The sets are concurrent because the tracking presumably populates them
	 * outside the constructor thread (not visible here).</p>
	 */
	public StrutsPortletAuthTokenWhitelist() {
		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS, _portletCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS);

		trackWhitelistServices(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS,
			_portletInvocationWhitelist);

		registerPortalProperty(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);
	}

	/**
	 * Returns the live (not copied) set of Struts actions exempt from the
	 * auth token check.
	 *
	 * @deprecated exposed for backwards compatibility only; callers get the
	 *             mutable backing set, so they must not modify it
	 */
	@Deprecated
	@Override
	public Set<String> getPortletCSRFWhitelistActions() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the live (not copied) set of Struts actions exempt from the
	 * "add default resource" check.
	 *
	 * @deprecated exposed for backwards compatibility only; callers get the
	 *             mutable backing set, so they must not modify it
	 */
	@Deprecated
	@Override
	public Set<String> getPortletInvocationWhitelistActions() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Decides whether the request's Struts action for {@code portlet} may
	 * skip the auth token (CSRF) check.
	 *
	 * <p>Only the namespaced parameter ({@code <namespace>struts_action}) is
	 * consulted; unlike the invocation check there is no fallback to the bare
	 * {@code struts_action} parameter. Listing alone is not enough: the action
	 * must also resolve, via {@link #isValidStrutsAction}, against the root
	 * portlet's own Struts path, which ties a whitelisted action to the
	 * portlet it was declared for.</p>
	 *
	 * @param  request the request carrying the Struts action parameter
	 * @param  portlet the portlet the request targets
	 * @return {@code true} only when the action is both whitelisted and valid
	 *         for the portlet's root portlet id
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		String portletId = portlet.getPortletId();

		String strutsAction = _getNamespacedStrutsAction(request, portletId);

		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		if (Validator.isNull(strutsAction) ||
			!_portletCSRFWhitelist.contains(strutsAction)) {

			return false;
		}

		return isValidStrutsAction(
			portlet.getCompanyId(), rootPortletId, strutsAction);
	}

	/**
	 * Decides whether the request's Struts action for {@code portlet} may
	 * skip the "add default resource" check.
	 *
	 * <p>The namespaced parameter is read first; when it is empty the bare
	 * {@code struts_action} parameter is used instead. The action must be
	 * listed in the invocation whitelist and validate against the full
	 * (instance) portlet id, not the root portlet id.</p>
	 *
	 * @param  request the request carrying the Struts action parameter
	 * @param  portlet the portlet the request targets
	 * @return {@code true} only when the action is both whitelisted and valid
	 *         for the portlet
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		String portletId = portlet.getPortletId();

		String strutsAction = _getNamespacedStrutsAction(request, portletId);

		if (Validator.isNull(strutsAction)) {
			strutsAction = ParamUtil.getString(request, "struts_action");
		}

		if (Validator.isNull(strutsAction) ||
			!_portletInvocationWhitelist.contains(strutsAction)) {

			return false;
		}

		return isValidStrutsAction(
			portlet.getCompanyId(), portletId, strutsAction);
	}

	/**
	 * Portlet URL counterpart of {@link #isPortletCSRFWhitelisted}: reads the
	 * {@code struts_action} URL parameter, requires the URL's layout to exist
	 * and validates the action against the root portlet id.
	 *
	 * @param  liferayPortletURL the URL being rendered
	 * @return {@code true} only when the action is whitelisted and valid
	 */
	@Override
	public boolean isPortletURLCSRFWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		return _isPortletURLWhitelisted(
			liferayPortletURL, _portletCSRFWhitelist, true);
	}

	/**
	 * Portlet URL counterpart of {@link #isPortletInvocationWhitelisted}:
	 * reads the {@code struts_action} URL parameter, requires the URL's layout
	 * to exist and validates the action against the full portlet id.
	 *
	 * @param  liferayPortletURL the URL being rendered
	 * @return {@code true} only when the action is whitelisted and valid
	 */
	@Override
	public boolean isPortletURLPortletInvocationWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		return _isPortletURLWhitelisted(
			liferayPortletURL, _portletInvocationWhitelist, false);
	}

	/**
	 * Checks that {@code strutsAction} belongs to the portlet identified by
	 * {@code portletId}: the action's path (everything between the leading
	 * slash and the last slash) must equal the portlet's Struts path or its
	 * parent Struts path. This is what stops an action whitelisted for one
	 * portlet from being honoured under another portlet id.
	 *
	 * <p>Any failure, including an action without a slash (which makes the
	 * substring bounds invalid) or a lookup error, is logged at debug level
	 * and reported as "not valid".</p>
	 *
	 * @param  companyId the company used for the portlet lookup
	 * @param  portletId the portlet id (root or instance, per the caller)
	 * @param  strutsAction the Struts action, expected as {@code /path/action}
	 * @return {@code true} only when the portlet exists and the action's path
	 *         matches one of its Struts paths
	 */
	protected boolean isValidStrutsAction(
		long companyId, String portletId, String strutsAction) {

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, portletId);

			if (portlet == null) {
				return false;
			}

			// "/path/to/action" -> "path/to"; no slash means lastIndexOf()
			// yields -1 and substring() throws, handled by the catch below

			int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

			String strutsPath = strutsAction.substring(1, lastSlash);

			return strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath());
		}
		catch (Exception e) {

			// Deliberately best-effort: a malformed action or a failed lookup
			// is not an error here, it simply does not earn an exemption

			if (_log.isDebugEnabled()) {
				_log.debug(e, e);
			}
		}

		return false;
	}

	/**
	 * Reads the portlet-namespaced {@code struts_action} request parameter.
	 */
	private String _getNamespacedStrutsAction(
		HttpServletRequest request, String portletId) {

		String namespace = PortalUtil.getPortletNamespace(portletId);

		return ParamUtil.getString(request, namespace + "struts_action");
	}

	/**
	 * Shared body of the two portlet URL checks.
	 *
	 * @param  liferayPortletURL the URL being rendered
	 * @param  whitelist the whitelist the action must appear in
	 * @param  useRootPortletId whether to validate against the root portlet
	 *         id (CSRF check) or the full portlet id (invocation check)
	 * @return {@code true} only when the action is listed, the URL's layout
	 *         exists and the action validates for the portlet
	 */
	private boolean _isPortletURLWhitelisted(
		LiferayPortletURL liferayPortletURL, Set<String> whitelist,
		boolean useRootPortletId) {

		String strutsAction = liferayPortletURL.getParameter("struts_action");

		if (Validator.isBlank(strutsAction) ||
			!whitelist.contains(strutsAction)) {

			return false;
		}

		long plid = liferayPortletURL.getPlid();

		Layout layout = LayoutLocalServiceUtil.fetchLayout(plid);

		if (layout == null) {
			if (_log.isDebugEnabled()) {
				_log.debug("Unable to load layout " + plid);
			}

			return false;
		}

		String portletId = liferayPortletURL.getPortletId();

		if (useRootPortletId) {
			portletId = PortletConstants.getRootPortletId(portletId);
		}

		// NOTE(review): the lookup runs with companyId 0 even though a layout
		// was just loaded and only used as an existence check; kept as-is to
		// preserve behavior, but confirm whether the portlet lookup is meant
		// to be company-scoped here

		long companyId = 0;

		return isValidStrutsAction(companyId, portletId, strutsAction);
	}

	private static final Log _log = LogFactoryUtil.getLog(
		StrutsPortletAuthTokenWhitelist.class);

	// Struts actions exempt from the auth token (CSRF) check; concurrent
	// because it is handed to trackWhitelistServices()
	private final Set<String> _portletCSRFWhitelist = new ConcurrentHashSet<>();

	// Struts actions exempt from the "add default resource" check; concurrent
	// for the same reason
	private final Set<String> _portletInvocationWhitelist =
		new ConcurrentHashSet<>();

}