015 package com.liferay.portal.servlet.filters.autologin;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.model.User;
020 import com.liferay.portal.kernel.security.auth.session.AuthenticatedSessionManagerUtil;
021 import com.liferay.portal.kernel.security.auto.login.AutoLogin;
022 import com.liferay.portal.kernel.security.pwd.PasswordEncryptorUtil;
023 import com.liferay.portal.kernel.service.UserLocalServiceUtil;
024 import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
025 import com.liferay.portal.kernel.util.GetterUtil;
026 import com.liferay.portal.kernel.util.Portal;
027 import com.liferay.portal.kernel.util.PortalUtil;
028 import com.liferay.portal.kernel.util.StackTraceUtil;
029 import com.liferay.portal.kernel.util.StringBundler;
030 import com.liferay.portal.kernel.util.StringPool;
031 import com.liferay.portal.kernel.util.StringUtil;
032 import com.liferay.portal.kernel.util.Validator;
033 import com.liferay.portal.kernel.util.WebKeys;
034 import com.liferay.portal.servlet.filters.BasePortalFilter;
035 import com.liferay.portal.util.PortalInstances;
036 import com.liferay.portal.util.PropsValues;
037 import com.liferay.registry.Registry;
038 import com.liferay.registry.RegistryUtil;
039 import com.liferay.registry.ServiceReference;
040 import com.liferay.registry.ServiceTracker;
041 import com.liferay.registry.ServiceTrackerCustomizer;
042
043 import java.util.List;
044 import java.util.concurrent.CopyOnWriteArrayList;
045
046 import javax.servlet.FilterChain;
047 import javax.servlet.http.HttpServletRequest;
048 import javax.servlet.http.HttpServletResponse;
049 import javax.servlet.http.HttpSession;
050
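/**
 * Servlet filter that lets registered {@link AutoLogin} services authenticate
 * an otherwise anonymous request before the filter chain continues.
 *
 * <p>
 * A request is anonymous for this filter when the container reports no remote
 * user and the session holds no {@code j_username}. Providers are discovered
 * through the registry and kept in the class-wide {@link #_autoLogins} list,
 * so every instance of this filter shares the same provider set. A successful
 * login writes {@code j_username}, {@code j_password} and
 * {@code j_remoteuser} into the session and wraps the request in a
 * {@link ProtectedServletRequest} that reports the user ID as the remote user.
 * </p>
 *
 * <p>
 * Trust model, as visible in this class: the credentials a provider returns
 * are accepted after checking only that the referenced user exists and is not
 * locked out. Redirect targets read from the request attributes
 * {@link AutoLogin#AUTO_LOGIN_REDIRECT} and
 * {@link AutoLogin#AUTO_LOGIN_REDIRECT_AND_CONTINUE} are sent to the client
 * verbatim, so a provider must only ever set targets it considers safe.
 * </p>
 */
public class AutoLoginFilter extends BasePortalFilter {

	/**
	 * Opens a service tracker so {@link AutoLogin} services registered after
	 * the filter was created still join {@link #_autoLogins}.
	 *
	 * <p>
	 * NOTE(review): nothing in this class closes the tracker; if the base
	 * filter exposes a destroy hook, closing it there would release the
	 * tracked services on shutdown. Confirm against BasePortalFilter.
	 * </p>
	 */
	public AutoLoginFilter() {
		Registry registry = RegistryUtil.getRegistry();

		_serviceTracker = registry.trackServices(
			AutoLogin.class, new AutoLoginServiceTrackerCustomizer());

		_serviceTracker.open();
	}

	/**
	 * Establishes the session state for a user that an {@link AutoLogin}
	 * service has just authenticated.
	 *
	 * @param  request the current request
	 * @param  response the current response, used only for the redirect sent
	 *         when JAAS is enabled
	 * @param  session the current session; when phishing protection is enabled
	 *         it is renewed and the renewed session is the one populated
	 * @param  credentials the triple returned by the provider:
	 *         {@code [userId, password, passwordAlreadyEncrypted]}
	 * @return the user ID (as the string the provider supplied) to expose as
	 *         the remote user, or <code>null</code> when the credentials are
	 *         unusable, the user does not exist, or the user is locked out
	 * @throws Exception if session renewal, password encryption or the JAAS
	 *         redirect fails
	 */
	protected String getLoginRemoteUser(
			HttpServletRequest request, HttpServletResponse response,
			HttpSession session, String[] credentials)
		throws Exception {

		// Anything other than the documented triple counts as "no login"
		// rather than an error, so a misbehaving provider cannot break the
		// chain for the others

		if ((credentials == null) || (credentials.length != 3)) {
			return null;
		}

		String jUsername = credentials[0];
		String jPassword = credentials[1];
		boolean encPassword = GetterUtil.getBoolean(credentials[2]);

		if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
			return null;
		}

		// The first element must be a numeric user ID, not a screen name or
		// email; a non-numeric value parses to 0 and is rejected here

		long userId = GetterUtil.getLong(jUsername);

		if (userId <= 0) {
			return null;
		}

		User user = UserLocalServiceUtil.fetchUserById(userId);

		// Lockout is the only account-state check applied here; any other
		// account checks are left to the provider and to downstream
		// authentication

		if ((user == null) || user.isLockout()) {
			return null;
		}

		if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
			AuthenticatedSessionManagerUtil.signOutSimultaneousLogins(userId);
		}

		// Issue a fresh session on privilege change so a session ID fixed
		// before login cannot be reused afterwards. This only happens when
		// phishing protection is enabled; with it disabled the pre-login
		// session ID is kept.

		if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
			session = AuthenticatedSessionManagerUtil.renewSession(
				request, session);
		}

		session.setAttribute("j_username", jUsername);

		// j_password always holds an encrypted value. A provider that flags
		// its password as already encrypted is trusted on that; otherwise the
		// plain password is encrypted against the user's stored hash here.

		if (encPassword) {
			session.setAttribute("j_password", jPassword);
		}
		else {
			session.setAttribute(
				"j_password",
				PasswordEncryptorUtil.encrypt(jPassword, user.getPassword()));

			// The clear-text password is retained in the session only when
			// explicitly enabled; it widens the impact of a session leak

			if (PropsValues.SESSION_STORE_PASSWORD) {
				session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
			}
		}

		session.setAttribute("j_remoteuser", jUsername);

		// Under JAAS the container login completes on the protected path, so
		// the client is redirected there now

		if (PropsValues.PORTAL_JAAS_ENABLE) {
			response.sendRedirect(_getJAASRedirect(request));
		}

		return jUsername;
	}

	/**
	 * Runs the auto-login providers for an anonymous request, then continues
	 * the filter chain.
	 *
	 * <p>
	 * Hosts and paths excluded through {@link PortalInstances} bypass the
	 * providers entirely. Providers are also skipped when login is disabled,
	 * when the container already reports a remote user, or when the session
	 * already holds {@code j_username}. Providers run in
	 * {@link #_autoLogins} order; an exception from one is logged and the next
	 * one still runs.
	 * </p>
	 *
	 * @param  request the current request; replaced by a
	 *         {@link ProtectedServletRequest} once a provider succeeds
	 * @param  response the current response
	 * @param  filterChain the remaining chain
	 * @throws Exception if the chain itself fails
	 */
	@Override
	protected void processFilter(
			HttpServletRequest request, HttpServletResponse response,
			FilterChain filterChain)
		throws Exception {

		// Read before any provider runs; getLoginRemoteUser may renew the
		// session, but nothing here uses this reference afterwards

		HttpSession session = request.getSession();

		String host = PortalUtil.getHost(request);

		if (PortalInstances.isAutoLoginIgnoreHost(host)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Ignore host " + host);
			}

			processFilter(
				AutoLoginFilter.class.getName(), request, response,
				filterChain);

			return;
		}

		String path = _getPathWithoutContext(request);

		if (PortalInstances.isAutoLoginIgnorePath(path)) {
			if (_log.isDebugEnabled()) {
				_log.debug("Ignore path " + path);
			}

			processFilter(
				AutoLoginFilter.class.getName(), request, response,
				filterChain);

			return;
		}

		String remoteUser = request.getRemoteUser();
		String jUserName = (String)session.getAttribute("j_username");

		if (!PropsValues.AUTH_LOGIN_DISABLED && (remoteUser == null) &&
			(jUserName == null)) {

			for (AutoLogin autoLogin : _autoLogins) {
				try {
					String[] credentials = autoLogin.login(request, response);

					// A provider may ask for a redirect instead of producing
					// credentials. The target is sent verbatim; restricting it
					// to trusted locations is the provider's responsibility.

					String redirect = (String)request.getAttribute(
						AutoLogin.AUTO_LOGIN_REDIRECT);

					if (Validator.isNotNull(redirect)) {
						response.sendRedirect(redirect);

						return;
					}

					String loginRemoteUser = getLoginRemoteUser(
						request, response, session, credentials);

					if (loginRemoteUser == null) {
						continue;
					}

					// From here on the chain sees the authenticated user ID as
					// the remote user

					request = new ProtectedServletRequest(
						request, loginRemoteUser);

					// getLoginRemoteUser already sent the JAAS redirect

					if (PropsValues.PORTAL_JAAS_ENABLE) {
						return;
					}

					if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
						redirect = Portal.PATH_MAIN;
					}
					else {
						redirect = (String)request.getAttribute(
							AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);
					}

					if (Validator.isNotNull(redirect)) {
						response.sendRedirect(redirect);

						return;
					}

					// No redirect was issued, so the loop keeps going: the
					// remaining providers still run against the wrapped
					// request and a later one can overwrite the session's
					// user. NOTE(review): confirm this last-provider-wins
					// ordering is intended before relying on provider
					// precedence.
				}
				catch (Exception e) {

					// One failing provider must not block the others or the
					// request itself

					_logAutoLoginFailure(request, e);
				}
			}
		}

		processFilter(
			AutoLoginFilter.class.getName(), request, response, filterChain);
	}

	/**
	 * Builds the redirect to the JAAS protected path, carrying the URL to
	 * return to afterwards when forwarding by last path is enabled.
	 *
	 * @param  request the current request
	 * @return the redirect URL
	 */
	private String _getJAASRedirect(HttpServletRequest request) {
		String redirect = PortalUtil.getPathMain().concat("/portal/protected");

		if (!PropsValues.AUTH_FORWARD_BY_LAST_PATH) {
			return redirect;
		}

		String autoLoginRedirect = (String)request.getAttribute(
			AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE);

		if (Validator.isNull(autoLoginRedirect)) {
			autoLoginRedirect = PortalUtil.getCurrentCompleteURL(request);
		}

		// NOTE(review): the return URL is appended as a raw query value
		// without URL encoding, so a target that itself carries a query string
		// is split at its first '&' by the receiving servlet. Confirm whether
		// the protected path tolerates that before tightening.

		return redirect.concat("?redirect=").concat(autoLoginRedirect);
	}

	/**
	 * Returns the lower-cased request URI with the portal context path
	 * removed, which is the form the ignore-path rules are matched against.
	 *
	 * <p>
	 * The context path is stripped only when it is an actual prefix of the
	 * URI. The previous implementation cut {@code contextPath.length()}
	 * characters after a mere {@code contains} check, which removed the wrong
	 * segment whenever the context path string recurred later in the URI and
	 * so evaluated the ignore rules against a mangled path. Since the URI is
	 * lower-cased, the context path is lower-cased for the comparison as
	 * well.
	 * </p>
	 *
	 * @param  request the current request
	 * @return the lower-cased path relative to the portal context
	 */
	private String _getPathWithoutContext(HttpServletRequest request) {
		String contextPath = PortalUtil.getPathContext();

		String path = StringUtil.toLowerCase(request.getRequestURI());

		if (!contextPath.equals(StringPool.SLASH) &&
			path.startsWith(StringUtil.toLowerCase(contextPath))) {

			path = path.substring(contextPath.length());
		}

		return path;
	}

	/**
	 * Logs a provider failure without propagating it.
	 *
	 * <p>
	 * Failures on the chat polling path are logged at WARN rather than ERROR,
	 * presumably because that path is requested very frequently. The stack
	 * trace is appended only when INFO logging is on, to keep the default log
	 * line short. NOTE(review): the logged URL comes from the request; if a
	 * provider passes tokens in the query string they end up in the log.
	 * </p>
	 *
	 * @param request the current request
	 * @param e the exception the provider threw
	 */
	private void _logAutoLoginFailure(
		HttpServletRequest request, Exception e) {

		String currentURL = PortalUtil.getCurrentURL(request);

		StringBundler sb = new StringBundler(6);

		sb.append("Current URL ");
		sb.append(currentURL);
		sb.append(" generates exception: ");
		sb.append(e.getMessage());

		if (_log.isInfoEnabled()) {
			sb.append(" stack: ");
			sb.append(StackTraceUtil.getStackTrace(e));
		}

		if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
			if (_log.isWarnEnabled()) {
				_log.warn(sb.toString());
			}
		}
		else {
			_log.error(sb.toString());
		}
	}

	private static final String _PATH_CHAT_LATEST = "/-/chat/latest";

	private static final Log _log = LogFactoryUtil.getLog(
		AutoLoginFilter.class);

	/**
	 * Providers shared by all instances of this filter. Copy-on-write so the
	 * iteration in {@link #processFilter} is never disturbed by a service
	 * registering or unregistering concurrently.
	 */
	private static final List<AutoLogin> _autoLogins =
		new CopyOnWriteArrayList<>();

	private final ServiceTracker<?, AutoLogin> _serviceTracker;

	/**
	 * Mirrors {@link AutoLogin} service registrations into
	 * {@link #_autoLogins}.
	 */
	private static class AutoLoginServiceTrackerCustomizer
		implements ServiceTrackerCustomizer<AutoLogin, AutoLogin> {

		/**
		 * Adds the registered service to the provider list. Returns
		 * <code>null</code> (i.e. does not track it) when the registry hands
		 * back no service for the reference.
		 */
		@Override
		public AutoLogin addingService(
			ServiceReference<AutoLogin> serviceReference) {

			Registry registry = RegistryUtil.getRegistry();

			AutoLogin autoLogin = registry.getService(serviceReference);

			if (autoLogin == null) {
				return null;
			}

			_autoLogins.add(autoLogin);

			return autoLogin;
		}

		/**
		 * Service property changes do not affect how a provider is used, so
		 * there is nothing to do.
		 */
		@Override
		public void modifiedService(
			ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {
		}

		/**
		 * Releases the service reference and drops the provider from the
		 * list.
		 */
		@Override
		public void removedService(
			ServiceReference<AutoLogin> serviceReference, AutoLogin autoLogin) {

			Registry registry = RegistryUtil.getRegistry();

			registry.ungetService(serviceReference);

			_autoLogins.remove(autoLogin);
		}

	}

}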