001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.struts;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.json.JSONFactoryUtil;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.servlet.HttpHeaders;
022    import com.liferay.portal.kernel.servlet.ServletContextPool;
023    import com.liferay.portal.kernel.util.ClassUtil;
024    import com.liferay.portal.kernel.util.ContentTypes;
025    import com.liferay.portal.kernel.util.GetterUtil;
026    import com.liferay.portal.kernel.util.ParamUtil;
027    import com.liferay.portal.kernel.util.SetUtil;
028    import com.liferay.portal.kernel.util.StringPool;
029    import com.liferay.portal.kernel.util.Validator;
030    import com.liferay.portal.security.ac.AccessControlUtil;
031    import com.liferay.portal.security.auth.AuthTokenUtil;
032    import com.liferay.portal.security.auth.PortalSessionAuthVerifier;
033    import com.liferay.portal.security.sso.SSOUtil;
034    import com.liferay.portal.servlet.SharedSessionServletRequest;
035    import com.liferay.portal.util.PortalUtil;
036    import com.liferay.portal.util.PropsValues;
037    import com.liferay.portal.util.WebKeys;
038    
039    import java.io.OutputStream;
040    
041    import java.util.Set;
042    
043    import javax.servlet.RequestDispatcher;
044    import javax.servlet.ServletContext;
045    import javax.servlet.http.HttpServletRequest;
046    import javax.servlet.http.HttpServletResponse;
047    
048    import org.apache.struts.action.Action;
049    import org.apache.struts.action.ActionForm;
050    import org.apache.struts.action.ActionForward;
051    import org.apache.struts.action.ActionMapping;
052    
053    /**
054     * @author Ming-Gih Lam
055     * @author Brian Wing Shun Chan
056     * @author Tomas Polesovsky
057     */
058    public abstract class JSONAction extends Action {
059    
060            @Override
061            public ActionForward execute(
062                            ActionMapping actionMapping, ActionForm actionForm,
063                            HttpServletRequest request, HttpServletResponse response)
064                    throws Exception {
065    
066                    if (rerouteExecute(request, response)) {
067                            return null;
068                    }
069    
070                    String callback = ParamUtil.getString(request, "callback");
071    
072                    String json = null;
073    
074                    try {
075                            checkAuthToken(request);
076    
077                            json = getJSON(actionMapping, actionForm, request, response);
078    
079                            if (Validator.isNotNull(callback)) {
080                                    json = callback + "(" + json + ");";
081                            }
082                    }
083                    catch (SecurityException se) {
084                            if (_log.isWarnEnabled()) {
085                                    _log.warn(se.getMessage());
086                            }
087    
088                            json = JSONFactoryUtil.serializeThrowable(se);
089                    }
090                    catch (Exception e) {
091                            _log.error(e, e);
092    
093                            PortalUtil.sendError(
094                                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
095                                    response);
096    
097                            return null;
098                    }
099    
100                    boolean refresh = ParamUtil.getBoolean(request, "refresh");
101    
102                    if (refresh) {
103                            return actionMapping.findForward(ActionConstants.COMMON_REFERER);
104                    }
105                    else if (Validator.isNotNull(json)) {
106                            response.setCharacterEncoding(StringPool.UTF8);
107                            response.setContentType(ContentTypes.APPLICATION_JSON);
108                            response.setHeader(
109                                    HttpHeaders.CACHE_CONTROL,
110                                    HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
111    
112                            try (OutputStream outputStream = response.getOutputStream()) {
113                                    byte[] bytes = json.getBytes(StringPool.UTF8);
114    
115                                    outputStream.write(bytes);
116                            }
117                    }
118    
119                    return null;
120            }
121    
122            public abstract String getJSON(
123                            ActionMapping actionMapping, ActionForm actionForm,
124                            HttpServletRequest request, HttpServletResponse response)
125                    throws Exception;
126    
127            public void setServletContext(ServletContext servletContext) {
128                    _servletContext = servletContext;
129            }
130    
131            protected void checkAuthToken(HttpServletRequest request)
132                    throws PortalException {
133    
134                    String authType = GetterUtil.getString(request.getAuthType());
135    
136                    // Support for the legacy JSON API at /c/portal/json_service
137    
138                    if (AccessControlUtil.getAccessControlContext() == null) {
139                            if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
140                                    authType.equals(HttpServletRequest.DIGEST_AUTH)) {
141    
142                                    return;
143                            }
144                    }
145                    else {
146    
147                            // The new web service should only check auth tokens when the user
148                            // is authenticated using portal session cookies
149    
150                            if (!authType.equals(PortalSessionAuthVerifier.AUTH_TYPE)) {
151                                    return;
152                            }
153                    }
154    
155                    if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
156                            if (!SSOUtil.isAccessAllowed(request, _hostsAllowed)) {
157                                    AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
158                            }
159                    }
160            }
161    
162            protected String getCSRFOrigin(HttpServletRequest request) {
163                    return ClassUtil.getClassName(this);
164            }
165    
166            protected String getReroutePath() {
167                    return null;
168            }
169    
170            protected boolean rerouteExecute(
171                            HttpServletRequest request, HttpServletResponse response)
172                    throws Exception {
173    
174                    String reroutePath = getReroutePath();
175    
176                    if (Validator.isNull(reroutePath)) {
177                            return false;
178                    }
179    
180                    String requestServletContextName = ParamUtil.getString(
181                            request, "servletContextName");
182    
183                    if (Validator.isNull(requestServletContextName)) {
184                            return false;
185                    }
186    
187                    ServletContext servletContext = _servletContext;
188    
189                    if (servletContext == null) {
190                            servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
191                    }
192    
193                    String servletContextName = GetterUtil.getString(
194                            servletContext.getServletContextName());
195    
196                    if (servletContextName.equals(requestServletContextName)) {
197                            return false;
198                    }
199    
200                    ServletContext requestServletContext = ServletContextPool.get(
201                            requestServletContextName);
202    
203                    if (requestServletContext == null) {
204                            return false;
205                    }
206    
207                    RequestDispatcher requestDispatcher =
208                            requestServletContext.getRequestDispatcher(reroutePath);
209    
210                    if (requestDispatcher == null) {
211                            return false;
212                    }
213    
214                    requestDispatcher.forward(
215                            new SharedSessionServletRequest(request, true), response);
216    
217                    return true;
218            }
219    
220            private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
221    
222            private final Set<String> _hostsAllowed = SetUtil.fromArray(
223                    PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
224            private ServletContext _servletContext;
225    
226    }