001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.security.auth.AuthToken;
import com.liferay.portal.kernel.security.auth.AuthTokenWhitelistUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.ReflectionUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.Layout;
import com.liferay.portal.model.LayoutTypePortlet;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.service.LayoutLocalServiceUtil;
import com.liferay.portal.service.PortletLocalServiceUtil;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import javax.portlet.PortletRequest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
045    
046    /**
047     * @author Amos Fong
048     */
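/**
 * Session-backed {@link AuthToken} implementation. Both the CSRF token and
 * the per-portlet invocation tokens are kept as session attributes whose name
 * is {@code WebKeys.AUTHENTICATION_TOKEN} followed by a purpose-specific
 * suffix: {@code #CSRF} for the CSRF token and the portlet permission primary
 * key (plid + portlet ID) for invocation tokens.
 *
 * @author Amos Fong
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Adds the session CSRF token to {@code liferayPortletURL} as the
	 * {@code p_auth} parameter, creating the token if the session does not
	 * have one yet.
	 *
	 * <p>
	 * Nothing is added when the CSRF check is disabled, when the URL is not an
	 * action-phase URL, or when the URL is CSRF-whitelisted.
	 * </p>
	 *
	 * @param request the request whose session holds (or receives) the token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addCSRFToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		// Only action-phase URLs carry the token

		String lifecycle = liferayPortletURL.getLifecycle();

		if (!lifecycle.equals(PortletRequest.ACTION_PHASE)) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLCSRFWhitelisted(
				liferayPortletURL)) {

			return;
		}

		liferayPortletURL.setParameter("p_auth", getToken(request));
	}

	/**
	 * Adds the portlet invocation token to {@code liferayPortletURL} as the
	 * {@code p_p_auth} parameter.
	 *
	 * <p>
	 * The token is only added when the "add default resource" check is
	 * enabled, the portlet exists and is marked {@code addDefaultResource},
	 * the URL is not whitelisted, and the portlet is <em>not</em> already
	 * placed on the layout identified by the URL's plid. Failures while
	 * looking up the layout are logged at debug level and treated as "not on
	 * the layout", so the token is added in that case.
	 * </p>
	 *
	 * @param request the request whose session holds (or receives) the token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addPortletInvocationToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		String portletId = liferayPortletURL.getPortletId();

		Portlet portlet = PortletLocalServiceUtil.getPortletById(
			companyId, portletId);

		if (portlet == null) {
			return;
		}

		if (!portlet.isAddDefaultResource()) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLPortletInvocationWhitelisted(
				liferayPortletURL)) {

			return;
		}

		long plid = liferayPortletURL.getPlid();

		// A portlet that is already on the target layout needs no token. Any
		// lookup failure is deliberately best-effort: the token is still added
		// and the check happens on the receiving side.

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);

			LayoutTypePortlet layoutTypePortlet =
				(LayoutTypePortlet)layout.getLayoutType();

			if (layoutTypePortlet.hasPortletId(portletId)) {
				return;
			}
		}
		catch (Exception e) {
			if (_log.isDebugEnabled()) {
				_log.debug(e.getMessage(), e);
			}
		}

		liferayPortletURL.setParameter(
			"p_p_auth", getToken(request, plid, portletId));
	}

	/**
	 * @deprecated As of 7.0.0, replaced by {@link #checkCSRFToken(
	 *             HttpServletRequest, String)} with the
	 *             {@link SecurityPortletContainerWrapper} class name as origin
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Verifies the CSRF token submitted with {@code request}.
	 *
	 * <p>
	 * The check is skipped when it is disabled, when a valid shared secret is
	 * passed as {@code p_auth_secret}, when the origin is CSRF-whitelisted for
	 * the company, or (for the portlet container origin) when the portlet
	 * named by {@code p_p_id} is CSRF-whitelisted. Otherwise the submitted
	 * token is read from the {@code p_auth} parameter, falling back to the
	 * {@code X-CSRF-Token} header, and compared against the session's CSRF
	 * token without creating one.
	 * </p>
	 *
	 * @param  request the request to verify
	 * @param  origin the caller's origin, used for whitelist lookups
	 * @throws PrincipalException if the submitted token does not match the
	 *         session token (including when the session has no token)
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isOriginCSRFWhitelisted(companyId, origin)) {
			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					request, portlet)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		// Never create a token here: a request that has no session token yet
		// must fail the check rather than mint the token it is then compared
		// against.

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		// Constant-time comparison so a mismatch does not leak how much of the
		// submitted token was correct. A missing session token never matches.

		if (!_isEqual(csrfToken, sessionToken)) {
			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session's CSRF token, creating it if absent.
	 *
	 * @param  request the request whose session holds the token
	 * @return the CSRF token
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the session's invocation token for the portlet on the given
	 * layout, creating it if absent.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout's plid
	 * @param  portletId the portlet ID
	 * @return the portlet invocation token
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether {@code request} carries a valid invocation token for
	 * {@code portlet} on {@code layout}.
	 *
	 * <p>
	 * Whitelisted portlets are always accepted. Otherwise the token is read
	 * from the {@code p_p_auth} parameter of the request or, failing that, of
	 * the original servlet request, and compared against the session token
	 * without creating one.
	 * </p>
	 *
	 * @param  request the request to verify
	 * @param  layout the layout the portlet is invoked on
	 * @param  portlet the portlet being invoked
	 * @return {@code true} if the portlet is whitelisted or the submitted
	 *         token matches the session token
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				request, portlet)) {

			return true;
		}

		long plid = layout.getPlid();

		String portletId = portlet.getPortletId();

		String portletToken = ParamUtil.getString(request, "p_p_auth");

		if (Validator.isNull(portletToken)) {
			HttpServletRequest originalRequest =
				PortalUtil.getOriginalServletRequest(request);

			portletToken = ParamUtil.getString(originalRequest, "p_p_auth");
		}

		if (Validator.isNotNull(portletToken)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			// Constant-time comparison; see checkCSRFToken

			if (Validator.isNotNull(sessionToken) &&
				_isEqual(portletToken, sessionToken)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Looks up the layout and portlet by ID and delegates to {@link
	 * #isValidPortletInvocationToken(HttpServletRequest, Layout, Portlet)}.
	 * The {@code strutsAction} and {@code tokenValue} arguments are ignored. A
	 * {@link PortalException} from the lookups is rethrown through {@link
	 * ReflectionUtil#throwException(Throwable)}.
	 *
	 * @deprecated Replaced by {@link #isValidPortletInvocationToken(
	 *             HttpServletRequest, Layout, Portlet)}
	 */
	@Deprecated
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);
			Portlet portlet = PortletLocalServiceUtil.getPortletById(portletId);

			return isValidPortletInvocationToken(request, layout, portlet);
		}
		catch (PortalException e) {
			ReflectionUtil.throwException(e);
		}

		// Only reached if throwException returns normally

		return false;
	}

	/**
	 * Returns the token stored in the session under
	 * {@code WebKeys.AUTHENTICATION_TOKEN + key}.
	 *
	 * <p>
	 * The request's wrapper chain is walked from the outside in; the session
	 * attribute is read at each wrapper level and the first non-null value
	 * wins. The unwrapped request's own session is consulted only when the
	 * incoming request was not a wrapper at all.
	 * </p>
	 *
	 * @param  request the (possibly wrapped) request
	 * @param  key the purpose-specific key suffix
	 * @param  createToken whether to generate and store a new token when none
	 *         is present
	 * @return the token, or {@code null} if none is present and
	 *         {@code createToken} is {@code false}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		// NOTE(review): when the request is wrapped, the loop leaves with the
		// session of the innermost *wrapper*, and the unwrapped request's
		// session is never read. That is probably fine if every wrapper
		// delegates getSession(), but confirm before relying on it.

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {

			// NOTE(review): token strength depends on PwdGenerator's random
			// source and AUTH_TOKEN_LENGTH; confirm both are adequate for a
			// security token.

			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a submitted token with the expected one. The byte comparison
	 * runs in constant time for equal-length inputs (only the length itself
	 * may be observable), so it is safe to use on attacker-controlled input.
	 *
	 * @param  submittedToken the token taken from the request
	 * @param  expectedToken the token held in the session
	 * @return {@code true} if both are non-null and equal
	 */
	private static boolean _isEqual(
		String submittedToken, String expectedToken) {

		if ((submittedToken == null) || (expectedToken == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			submittedToken.getBytes(StandardCharsets.UTF_8),
			expectedToken.getBytes(StandardCharsets.UTF_8));
	}

	// Key suffix under which the CSRF token is stored in the session

	private static final String _CSRF = "#CSRF";

	private static final Log _log = LogFactoryUtil.getLog(
		SessionAuthToken.class);

}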