015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.concurrent.ConcurrentHashSet;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.security.auth.BaseAuthTokenWhitelist;
import com.liferay.portal.kernel.security.pacl.DoPrivileged;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
031
032
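/**
 * Default auth token whitelist, backed by three sets that are filled from
 * portal properties: origins exempt from the CSRF auth token check
 * ({@code auth.token.ignore.origins}), portlets exempt from the CSRF auth
 * token check ({@code auth.token.ignore.portlets}), and portlets exempt from
 * the "add default resource" check
 * ({@code portlet.add.default.resource.check.whitelist}).
 *
 * <p>The sets are populated and kept current by the inherited
 * {@code trackWhitelistServices} / {@code registerPortalProperty} helpers (not
 * shown here), so they are concurrent and remain mutable for the lifetime of
 * this object. Every entry in them widens what the portal accepts without a
 * token, so the configured values deserve the same review as any other
 * authorization setting.
 */
@DoPrivileged
public class AuthTokenWhitelistImpl extends BaseAuthTokenWhitelist {

	/**
	 * Wires each backing set to its portal property. The order matches the
	 * original wiring: origins, then CSRF portlets, then invocation portlets.
	 */
	public AuthTokenWhitelistImpl() {
		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS, _originCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS);

		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS, _portletCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS);

		trackWhitelistServices(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST,
			_portletInvocationWhitelist);

		registerPortalProperty(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
	}

	/**
	 * Returns the live, mutable set of origin prefixes exempt from the CSRF
	 * auth token check. Changes made by the caller take effect immediately.
	 *
	 * @deprecated As of 7.0.0, use {@link #isOriginCSRFWhitelisted(long,
	 *             String)} instead of inspecting the set directly
	 */
	@Deprecated
	@Override
	public Set<String> getOriginCSRFWhitelist() {
		return _originCSRFWhitelist;
	}

	/**
	 * Returns the live, mutable set of root portlet IDs exempt from the CSRF
	 * auth token check. Changes made by the caller take effect immediately.
	 *
	 * @deprecated As of 7.0.0, use {@link #isPortletCSRFWhitelisted(
	 *             HttpServletRequest, Portlet)} instead of inspecting the set
	 *             directly
	 */
	@Deprecated
	@Override
	public Set<String> getPortletCSRFWhitelist() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the live, mutable set of portlet IDs exempt from the "add
	 * default resource" check. Changes made by the caller take effect
	 * immediately.
	 *
	 * @deprecated As of 7.0.0, use {@link #isPortletInvocationWhitelisted(
	 *             HttpServletRequest, Portlet)} instead of inspecting the set
	 *             directly
	 */
	@Deprecated
	@Override
	public Set<String> getPortletInvocationWhitelist() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Returns <code>true</code> if the origin starts with any configured
	 * {@code auth.token.ignore.origins} entry. The company ID is accepted for
	 * interface compatibility only; the whitelist is portal-wide.
	 *
	 * <p>NOTE(review): this is a prefix match, not an equality match. An entry
	 * such as {@code https://example.com} therefore also matches
	 * {@code https://example.com.attacker.example} and
	 * {@code https://example.community}, and an empty entry matches every
	 * origin. Configure entries as complete origins (scheme, host and port)
	 * and audit them with that in mind. The matching rule is deliberately left
	 * as is here, since existing deployments may depend on prefix semantics.
	 *
	 * @param  companyId the company ID (unused)
	 * @param  origin the origin to check; <code>null</code> is never
	 *         whitelisted
	 * @return <code>true</code> if the origin matches a whitelist entry
	 */
	@Override
	public boolean isOriginCSRFWhitelisted(long companyId, String origin) {
		// A missing origin cannot legitimately match anything; previously this
		// threw a NullPointerException from origin.startsWith.
		if (origin == null) {
			return false;
		}

		for (String whitelistedOrigin : _originCSRFWhitelist) {
			if (origin.startsWith(whitelistedOrigin)) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Returns <code>true</code> if the portlet's root ID (instance ID
	 * stripped) is in the CSRF whitelist. The request is accepted for
	 * interface compatibility only; it is not consulted.
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletCSRFWhitelist.contains(portlet.getRootPortletId());
	}

	/**
	 * Returns <code>true</code> if the portlet's full ID is in the "add
	 * default resource" whitelist. Unlike the CSRF checks, this one matches the
	 * complete portlet ID (including any instance ID), so a whitelist entry
	 * must name the exact portlet instance. The request is accepted for
	 * interface compatibility only; it is not consulted.
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletInvocationWhitelist.contains(portlet.getPortletId());
	}

	/**
	 * Portlet URL counterpart of {@link #isPortletCSRFWhitelisted(
	 * HttpServletRequest, Portlet)}: reduces the URL's portlet ID to its root
	 * ID and checks that against the CSRF whitelist.
	 */
	@Override
	public boolean isPortletURLCSRFWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		String rootPortletId = PortletConstants.getRootPortletId(
			liferayPortletURL.getPortletId());

		return _portletCSRFWhitelist.contains(rootPortletId);
	}

	/**
	 * Portlet URL counterpart of {@link #isPortletInvocationWhitelisted(
	 * HttpServletRequest, Portlet)}: checks the URL's full portlet ID against
	 * the "add default resource" whitelist.
	 */
	@Override
	public boolean isPortletURLPortletInvocationWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		return _portletInvocationWhitelist.contains(
			liferayPortletURL.getPortletId());
	}

	/**
	 * Checks a caller-supplied value against the digest of the configured
	 * {@code auth.token.shared.secret}.
	 *
	 * <p>Both the supplied value and the configured secret must be non-blank;
	 * a blank configured secret disables this mechanism rather than accepting
	 * a blank input. The value the caller presents is the digest itself, so it
	 * behaves as a static bearer credential: anyone who observes it can replay
	 * it, and it must only travel over a confidential channel.
	 *
	 * <p>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])}
	 * rather than {@code String.equals}. {@code equals} returns at the first
	 * differing character, so a remote caller timing many requests could
	 * recover the expected digest one character at a time;
	 * {@code isEqual} examines every byte once the lengths match.
	 *
	 * @param  sharedSecret the digest presented by the caller, in the textual
	 *         form produced by {@link Encryptor#digest(String)}
	 * @return <code>true</code> if the supplied value matches the digest of
	 *         the configured shared secret
	 */
	@Override
	public boolean isValidSharedSecret(String sharedSecret) {
		if (Validator.isNull(sharedSecret)) {
			return false;
		}

		if (Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			return false;
		}

		String expectedDigest = Encryptor.digest(
			PropsValues.AUTH_TOKEN_SHARED_SECRET);

		// Preserve the original outcome for a null digest (equals would have
		// returned false) without dereferencing it.
		if (expectedDigest == null) {
			return false;
		}

		byte[] expectedBytes = expectedDigest.getBytes(StandardCharsets.UTF_8);
		byte[] actualBytes = sharedSecret.getBytes(StandardCharsets.UTF_8);

		// isEqual only short-circuits on a length mismatch. The expected side
		// always has the fixed length of the digest, so that reveals nothing
		// about its contents.
		return MessageDigest.isEqual(expectedBytes, actualBytes);
	}

	private final Set<String> _originCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletInvocationWhitelist =
		new ConcurrentHashSet<>();

}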