015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.Layout;
import com.liferay.portal.kernel.model.LayoutTypePortlet;
import com.liferay.portal.kernel.model.Portlet;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.security.auth.AuthToken;
import com.liferay.portal.kernel.security.auth.AuthTokenWhitelistUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.service.LayoutLocalServiceUtil;
import com.liferay.portal.kernel.service.PortletLocalServiceUtil;
import com.liferay.portal.kernel.service.permission.PortletPermissionUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import com.liferay.portal.kernel.util.PwdGenerator;
import com.liferay.portal.kernel.util.ReflectionUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.SecurityPortletContainerWrapper;

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import javax.portlet.PortletRequest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
045
046
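/**
 * Session-backed {@link AuthToken} implementation.
 *
 * <p>Both the CSRF token and the per-portlet invocation token are random
 * strings stored in the {@link HttpSession} under a key derived from
 * {@link WebKeys#AUTHENTICATION_TOKEN}. The same value is written into
 * generated portlet URLs ({@code p_auth} / {@code p_p_auth}) and compared
 * against the value that comes back on the request.</p>
 *
 * <p>Token comparisons go through {@link #_constantTimeEquals(String, String)}
 * so that the comparison time does not reveal how many leading characters of
 * a guessed token were correct.</p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Adds the session CSRF token as the {@code p_auth} parameter of an
	 * action-phase URL. Nothing is added when CSRF checking is disabled, when
	 * the URL is not in the action phase, or when the URL is CSRF-whitelisted.
	 *
	 * @param request the current request; its session holds, or receives, the
	 *        token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addCSRFToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String lifecycle = liferayPortletURL.getLifecycle();

		// Only state-changing (action) URLs carry the CSRF token

		if (!lifecycle.equals(PortletRequest.ACTION_PHASE)) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLCSRFWhitelisted(
				liferayPortletURL)) {

			return;
		}

		liferayPortletURL.setParameter("p_auth", getToken(request));
	}

	/**
	 * Adds the portlet invocation token as the {@code p_p_auth} parameter of a
	 * URL that targets a portlet which is not already placed on the target
	 * layout. Nothing is added when the check is disabled, when the portlet is
	 * unknown or does not require the default resource, when the URL is
	 * whitelisted, or when the layout already contains the portlet.
	 *
	 * @param request the current request; its session holds, or receives, the
	 *        token
	 * @param liferayPortletURL the URL to decorate
	 */
	@Override
	public void addPortletInvocationToken(
		HttpServletRequest request, LiferayPortletURL liferayPortletURL) {

		if (!PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		String portletId = liferayPortletURL.getPortletId();

		Portlet portlet = PortletLocalServiceUtil.getPortletById(
			companyId, portletId);

		if (portlet == null) {
			return;
		}

		if (!portlet.isAddDefaultResource()) {
			return;
		}

		if (AuthTokenWhitelistUtil.isPortletURLPortletInvocationWhitelisted(
				liferayPortletURL)) {

			return;
		}

		long plid = liferayPortletURL.getPlid();

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);

			LayoutTypePortlet layoutTypePortlet =
				(LayoutTypePortlet)layout.getLayoutType();

			// A portlet already on the page needs no invocation token

			if (layoutTypePortlet.hasPortletId(portletId)) {
				return;
			}
		}
		catch (Exception e) {

			// Best effort: if the layout cannot be resolved, fall through and
			// add the token anyway (the stricter outcome)

			if (_log.isDebugEnabled()) {
				_log.debug(e.getMessage(), e);
			}
		}

		liferayPortletURL.setParameter(
			"p_p_auth", getToken(request, plid, portletId));
	}

	/**
	 * Checks the CSRF token of a request issued by the portlet container.
	 *
	 * @param request the request to check
	 * @throws PrincipalException if the token is missing or does not match
	 * @deprecated Replaced by {@link #checkCSRFToken(HttpServletRequest,
	 *             String)}
	 */
	@Deprecated
	@Override
	public void check(HttpServletRequest request) throws PrincipalException {
		checkCSRFToken(
			request, SecurityPortletContainerWrapper.class.getName());
	}

	/**
	 * Verifies that the request carries the CSRF token stored in the session.
	 * The check is skipped when CSRF checking is disabled, when a valid shared
	 * secret ({@code p_auth_secret}) is present, when the origin is
	 * whitelisted for the company, or when the origin is the portlet container
	 * and the target portlet ({@code p_p_id}) is CSRF-whitelisted.
	 *
	 * <p>The token is read from the {@code p_auth} parameter, falling back to
	 * the {@code X-CSRF-Token} header. No new session token is created here; a
	 * request against a session without a token is rejected.</p>
	 *
	 * @param request the request to check
	 * @param origin the name of the component requesting the check
	 * @throws PrincipalException if the token is missing or does not match
	 */
	@Override
	public void checkCSRFToken(HttpServletRequest request, String origin)
		throws PrincipalException {

		if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
			return;
		}

		String sharedSecret = ParamUtil.getString(request, "p_auth_secret");

		if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
			return;
		}

		long companyId = PortalUtil.getCompanyId(request);

		if (AuthTokenWhitelistUtil.isOriginCSRFWhitelisted(companyId, origin)) {
			return;
		}

		if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
			String ppid = ParamUtil.getString(request, "p_p_id");

			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, ppid);

			if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
					request, portlet)) {

				return;
			}
		}

		String csrfToken = ParamUtil.getString(request, "p_auth");

		if (Validator.isNull(csrfToken)) {
			csrfToken = GetterUtil.getString(request.getHeader("X-CSRF-Token"));
		}

		String sessionToken = getSessionAuthenticationToken(
			request, _CSRF, false);

		// Constant-time comparison; a missing session token never matches

		if (!_constantTimeEquals(sessionToken, csrfToken)) {
			throw new PrincipalException.MustBeAuthenticated(
				PortalUtil.getUserId(request));
		}
	}

	/**
	 * Returns the session CSRF token, creating and storing one if the session
	 * does not have it yet.
	 *
	 * @param request the current request
	 * @return the CSRF token for the request's session
	 */
	@Override
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _CSRF, true);
	}

	/**
	 * Returns the portlet invocation token for a portlet on a layout, creating
	 * and storing one if the session does not have it yet. The session key is
	 * the portlet permission primary key for the layout/portlet pair.
	 *
	 * @param request the current request
	 * @param plid the layout's primary key
	 * @param portletId the portlet's ID
	 * @return the invocation token for the layout/portlet pair
	 */
	@Override
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
			true);
	}

	/**
	 * Returns whether the request carries a valid invocation token for the
	 * portlet on the layout. Whitelisted portlets are always valid. The token
	 * is read from the {@code p_p_auth} parameter of the request, falling back
	 * to the same parameter on the original (unwrapped) servlet request. No
	 * new session token is created here.
	 *
	 * @param request the request to check
	 * @param layout the layout the portlet is invoked on
	 * @param portlet the portlet being invoked
	 * @return {@code true} if the portlet is whitelisted or the token matches
	 */
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
				request, portlet)) {

			return true;
		}

		long plid = layout.getPlid();

		String portletId = portlet.getPortletId();

		String portletToken = ParamUtil.getString(request, "p_p_auth");

		if (Validator.isNull(portletToken)) {
			HttpServletRequest originalRequest =
				PortalUtil.getOriginalServletRequest(request);

			portletToken = ParamUtil.getString(originalRequest, "p_p_auth");
		}

		if (Validator.isNotNull(portletToken)) {
			String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);

			String sessionToken = getSessionAuthenticationToken(
				request, key, false);

			// Constant-time comparison against the stored session token

			if (Validator.isNotNull(sessionToken) &&
				_constantTimeEquals(sessionToken, portletToken)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Resolves the layout and portlet by ID and delegates to
	 * {@link #isValidPortletInvocationToken(HttpServletRequest, Layout,
	 * Portlet)}. The {@code strutsAction} and {@code tokenValue} arguments are
	 * ignored.
	 *
	 * <p>A {@link PortalException} from the layout lookup is rethrown
	 * unchecked via {@link ReflectionUtil#throwException(Throwable)}.</p>
	 *
	 * @param request the request to check
	 * @param plid the layout's primary key
	 * @param portletId the portlet's ID
	 * @param strutsAction ignored
	 * @param tokenValue ignored
	 * @return whether the request carries a valid invocation token
	 * @deprecated Replaced by {@link #isValidPortletInvocationToken(
	 *             HttpServletRequest, Layout, Portlet)}
	 */
	@Deprecated
	@Override
	public boolean isValidPortletInvocationToken(
		HttpServletRequest request, long plid, String portletId,
		String strutsAction, String tokenValue) {

		try {
			Layout layout = LayoutLocalServiceUtil.getLayout(plid);

			// NOTE(review): getPortletById may return null for an unknown ID;
			// the delegate does not guard against that — confirm callers

			Portlet portlet = PortletLocalServiceUtil.getPortletById(portletId);

			return isValidPortletInvocationToken(request, layout, portlet);
		}
		catch (PortalException pe) {
			ReflectionUtil.throwException(pe);
		}

		return false;
	}

	/**
	 * Reads the token stored under {@code WebKeys.AUTHENTICATION_TOKEN + key}
	 * from the session, optionally generating and storing a fresh one.
	 *
	 * <p>When the request is wrapped, each wrapper's session is consulted from
	 * the outside in and the first non-empty token wins. Once a wrapper was
	 * seen, the innermost unwrapped request's session is not consulted
	 * separately. Note that {@code getSession()} creates a session when none
	 * exists, even when {@code createToken} is {@code false}.</p>
	 *
	 * @param request the current request, possibly wrapped
	 * @param key the token-specific key suffix
	 * @param createToken whether to generate and store a token when absent
	 * @return the stored (or newly created) token, or {@code null} if absent
	 *         and {@code createToken} is {@code false}
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key, boolean createToken) {

		String sessionAuthenticationToken = null;

		HttpServletRequest currentRequest = request;
		HttpSession session = null;
		String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);

		while (currentRequest instanceof HttpServletRequestWrapper) {
			HttpServletRequestWrapper httpServletRequestWrapper =
				(HttpServletRequestWrapper)currentRequest;

			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);

			if (Validator.isNotNull(sessionAuthenticationToken)) {
				break;
			}

			currentRequest =
				(HttpServletRequest)httpServletRequestWrapper.getRequest();
		}

		if (session == null) {
			session = currentRequest.getSession();

			sessionAuthenticationToken = (String)session.getAttribute(tokenKey);
		}

		if (createToken && Validator.isNull(sessionAuthenticationToken)) {

			// Random token of the configured length, bound to this session

			sessionAuthenticationToken = PwdGenerator.getPassword(
				PropsValues.AUTH_TOKEN_LENGTH);

			session.setAttribute(tokenKey, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Compares a stored token with a presented token without short-circuiting
	 * on the first differing byte, so that the time taken does not depend on
	 * how much of the presented token is correct.
	 *
	 * @param expected the token stored in the session
	 * @param actual the token presented by the request
	 * @return {@code true} only if both are non-null, non-empty and equal
	 */
	private static boolean _constantTimeEquals(String expected, String actual) {
		if ((expected == null) || (actual == null) || expected.isEmpty() ||
			actual.isEmpty()) {

			return false;
		}

		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _CSRF = "#CSRF";

	private static final Log _log = LogFactoryUtil.getLog(
		SessionAuthToken.class);

}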